ANSWERED: Xfinity Blocked Internet Ports List and How to Block Ports

Find out which ports are blocked by Xfinity and Comcast services, and why.

Ports on the internet are like virtual passageways where data can travel. All information on the internet passes through ports to get to and from computers and servers. When a certain port is known to cause vulnerability to the security and privacy of your information, Xfinity blocks it to protect you.

Find the reasons for blocking listed below

Port	Transport	Protocol	Direction downstream or upstream to CPE	Reason for block	IP version
0	TCP	N/A	Downstream	Port 0 is a reserved port, which means it should not be used by applications. Network abuse has prompted the need to block this port.	IPv4/IPv6
25	TCP	SMTP	Both	Port 25 is unsecured, and Botnet spammers can use it to send spam. This does not affect Xfinity Email website usage. We recommend learning more about configuring your email settings to Comcast email to use port 587.	IPv4/IPv6
67	UDP	BOOTP, DHCP	Downstream	UDP Port 67, which is used to obtain dynamic Internet Protocol (IP) address information from our dynamic host configuration protocol (DHCP) server, is vulnerable to malicious hacks.	IPv4
135-139	TCP/UDP	NetBios	Both	NetBios services allow file sharing over networks. When improperly configured, ports 135-139 can expose critical system files or give full file system access (run, delete, copy) to any malicious intruder connected to the network.	IPv4/IPv6
161	UDP	SNMP	Both	SNMP is vulnerable to reflected amplification distributed denial of service (DDoS) attacks.	IPv4/IPv6
445	TCP	MS-DS, SMB	Both	Port 445 is vulnerable to attacks, exploits and malware such as the Sasser and Nimda worms.	IPv4/IPv6
520	UDP	RIP	Both	Port 520 is vulnerable to malicious route updates, which provides several attack possibilities.	IPv4
547	UDP	DHCPv6	Downstream	UDP Port 547, which is used to obtain dynamic Internet Protocol (IP) address information from our dynamic host configuration protocol (DHCP) server, is vulnerable to malicious hacks.	IPv6
1080	TCP	SOCKS	Downstream	Port 1080 is vulnerable to, among others, viruses, worms and DoS attacks.	IPv4/IPv6
1900	UDP	SSDP	Both	Port 1900 is vulnerable to DoS attacks.	IPv4/IPv6

Block Internet Ports from Your Router

Enable Port Blocking

If you’re concerned about the security of your wireless home network, one thing you can do is enable port blocking – this can help prevent unwanted outside connections to your network’s devices.

While port blocking is advanced, you can enable it on certain routers with a few simple steps. Here’s how:

Note: These instructions apply only to the following devices:

Netgear CG814v 1&2
Linksys WCG200v 1&2
Linksys BEFCMUH4

Log on to your router’s administration site.
Click on the Select a Computer/Device button to view the IP addresses of the computers connected to your gateway.
Enter the IP address range in the IP Range fields.
Enter the Port range in the Port Range fields.
Select the Enable check box.
Click Apply.

Why is port 25 for email submission not supported?

Email is used for important communications and Comcast wants to ensure that these communications are as secure and as private as possible. As such, Comcast does not support port 25 for the transmission of email by our residential Internet customers. Much of the current use of port 25 is by computers that have been infected by malware and are sending spam without the knowledge of the users of those computers.

Why is Comcast supporting port 587?

The original/legacy email ports, 25 and 110, have been in use since the inception of email and have limited or no security features. As a result, port 25 has been used for the transmission of spam and malware from infected computers for nearly a decade. Port 110 simply is not a secure means of retrieving email. Port 995 provides SSL encryption when downloading email.

It has been a long standing recommendation from M3AAWG, an international community of anti-abuse professionals, and the Internet Engineering Task Force (IETF), that port 25 be blocked. In an effort to provide our customers with the greatest security when using email, Comcast recommends the use of the industry-recommended port 587 with TLS/SSL enabled. The recommendations from M3AAWG can be read here and you can also view the IETF RFC 5068 and RFC 4409 (section 3.1, see below).

From RFC 4409:
3.1. Submission Identification
Port 587 is reserved for email message submission as specified in this document. Messages received on this port are defined to be submissions. The protocol used is ESMTP [SMTP-MTA, ESMTP], with additional restrictions or allowances as specified here. Although most email clients and servers can be configured to use port 587 instead of 25, there are cases where this is not possible or convenient. A site may choose to use port 25 for message submission by designating some hosts to be MSAs and others to be MTAs.

What makes these settings more secure?

Port 587 further improves security through the use of required authentication and recommended TLS/SSL encryption.

Required authentication
When sending and receiving email, it is required that you use your Xfinity ID and password. This helps to prevent infected computers and other devices connected to the Xfinity services from being able to freely transmit spam and malware.

SSL encryption
Secure Sockets Layer (SSL) is a secure protocol for sending data safely and encrypted over the Internet. With SSL encryption your user ID, password, and email are secured from hackers and identity thieves when sending or receiving email.

Other bodies opposed to the use of port 25

There are a number of other organizations that Comcast works with to control the problem of spam on the Internet. One of the most notable of these is Spamhaus, an organization that provides a number of lists detailing IP addresses known to send a great deal of spam and a list of IP addresses that should never send email at all. These lists as well as others provided by similar organizations are used by nearly all of the ISPs and mail receivers on the planet. All of the Comcast dynamic IP address space is listed by Spamhaus as not to be used for the sending of email. As such, any email sent by subscribers on the Comcast network directly to other ISPs (not via the Comcast mail servers) is extremely likely to be blocked by the receiving ISP.

The Federal Trade Commission, an organization that has taken legal action against many spammers, also recommends that Port 25 should be blocked by ISPs. The FTC’s recommendation is as follows:
"Block port 25 except for the outbound SMTP requirements of authenticated users of mail servers designed for client traffic. Explore implementing Authenticated SMTP on port 587 for clients who must operate outgoing mail servers."

The ITU also recommends blocking port 25 in their document named "ITU Botnet Mitigation Toolkit". This can be viewed here. While this document is focused on the remediation of botted computers, blocking of port 25 is seen as an important step in mitigating the spam that is sent from botted machines.

ISPs that manage port 25

Many ISPs, both in the USA and around the globe, block port 25. These include:

Verizon
AT&T
NetZero
Charter
People PC
Cox
EarthLink
Verio
Cablevision
All Japanese ISPs
France Telecom/Orange

Additional Resources

https://www.xfinity.com/support/articles/list-of-blocked-ports

https://www.xfinity.com/support/articles/port-blocking-forwarding-comcast-networking?view=app

https://www.xfinity.com/support/articles/email-port-25-no-longer-supported

I am an Official Xfinity Employee.
Official Employees are from multiple teams within Xfinity: CARE, Product, Leadership.
We ask that you post publicly so people with similar questions may benefit from the conversation.
Was your question answered? Please, mark a reply as the Accepted Answer. tick

Internet

Xfinity Support