ANSWERED: Xfinity Blocked Internet Ports List and How to Block Ports
Ports on the internet are like virtual passageways where data can travel. All information on the internet passes through ports to get to and from computers and servers. When a certain port is known to put the security and privacy of your information at risk, Xfinity blocks it to protect you.
Find the Reasons for Blocking Listed Below
| Port | Transport | Protocol | Direction (Downstream/Upstream to CPE) | Reason for Block | IP Version |
|---|---|---|---|---|---|
| 0 | TCP | N/A | Downstream | Port 0 is a reserved port, which means it should not be used by applications. Network abuse has prompted the need to block this port. | IPv4/IPv6 |
| 25 | TCP | SMTP | Both | Port 25 is unsecured, and botnet spammers can use it to send spam. This does not affect Xfinity Connect usage. We recommend configuring your Comcast email settings to use port 587. | IPv4/IPv6 |
| 67 | UDP | BOOTP, DHCP | Downstream | UDP port 67, which is used to obtain dynamic Internet Protocol (IP) address information from our dynamic host configuration protocol (DHCP) server, is vulnerable to malicious hacks. | IPv4 |
| 135-139 | TCP/UDP | NetBIOS | Both | NetBIOS services allow file sharing over networks. When improperly configured, ports 135-139 can expose critical system files or give full file system access (run, delete, copy) to any malicious intruder connected to the network. | IPv4/IPv6 |
| 161 | UDP | SNMP | Both | SNMP is vulnerable to reflected amplification distributed denial of service (DDoS) attacks. | IPv4/IPv6 |
| 445 | TCP | MS-DS, SMB | Both | Port 445 is vulnerable to attacks, exploits and malware such as the Sasser and Nimda worms. | IPv4/IPv6 |
| 520 | UDP | RIP | Both | Port 520 is vulnerable to malicious route updates, which provide several attack possibilities. | IPv4 |
| 547 | UDP | DHCPv6 | Downstream | UDP port 547, which is used to obtain dynamic Internet Protocol (IP) address information from our dynamic host configuration protocol (DHCP) server, is vulnerable to malicious hacks. | IPv6 |
| 1080 | TCP | SOCKS | Downstream | Port 1080 is vulnerable to, among others, viruses, worms and DoS attacks. | IPv4/IPv6 |
| 1900 | UDP | SSDP | Both | Port 1900 is vulnerable to DoS attacks. | IPv4/IPv6 |
Enable Port Blocking on Your Router
If you're concerned about the security of your wireless home network, one thing you can do is enable port blocking. This can help prevent unwanted outside connections to your network's devices.
While port blocking is advanced, you can enable it on certain routers with a few simple steps. Here’s how:
Note: These instructions apply only to the following devices:
- Netgear CG814v 1&2
- Linksys WCG200v 1&2
- Linksys BEFCMUH4
- Log on to your router’s administration site.
- Click on the Select a Computer/Device button to view the IP addresses of the computers connected to your gateway.
- Enter the IP address range in the IP Range fields.
- Enter the Port range in the Port Range fields.
- Select the Enable check box.
- Click Apply.
Why is Port 25 for Email Submission Not Supported?
Why is Comcast Supporting Port 587?
The original/legacy email ports, 25 and 110, have been in use since the inception of email and have limited or no security features. As a result, port 25 has been used for the transmission of spam and malware from infected computers for nearly a decade. Port 110 simply is not a secure means of retrieving email. Port 995 provides SSL encryption when downloading email.
It has been a long-standing recommendation from M3AAWG, an international community of anti-abuse professionals, and the Internet Engineering Task Force (IETF), that port 25 be blocked. In an effort to provide our customers with the greatest security when using email, Comcast recommends the use of the industry-recommended port 587 with TLS/SSL enabled. The recommendations from M3AAWG can be read here, and you can also view the IETF RFC 5068 and RFC 4409 (section 3.1, see below).
From RFC 4409:
3.1. Submission Identification
Port 587 is reserved for email message submission as specified in this document. Messages received on this port are defined to be submissions. The protocol used is ESMTP [SMTP-MTA, ESMTP], with additional restrictions or allowances as specified here. Although most email clients and servers can be configured to use port 587 instead of 25, there are cases where this is not possible or convenient. A site may choose to use port 25 for message submission by designating some hosts to be MSAs and others to be MTAs.
What Makes These Settings More Secure?
Port 587 further improves security through the use of required authentication and recommended TLS/SSL encryption.
When sending and receiving email, it is required that you use your Xfinity username and password. This helps to prevent infected computers and other devices connected to the Xfinity services from being able to freely transmit spam and malware.
Secure Sockets Layer (SSL) is a secure protocol for sending data safely and encrypted over the Internet. With SSL encryption your user ID, password, and email are secured from hackers and identity thieves when sending or receiving email.
Other Bodies Opposed to the Use of Port 25
There are a number of other organizations that Comcast works with to control the problem of spam on the Internet. One of the most notable of these is Spamhaus, an organization that provides a number of lists detailing IP addresses known to send a great deal of spam and a list of IP addresses that should never send email at all. These lists, as well as others provided by similar organizations, are used by nearly all of the ISPs and mail receivers on the planet. All of the Comcast dynamic IP address space is listed by Spamhaus as not to be used for the sending of email. As such, any email sent by subscribers on the Comcast network directly to other ISPs (not via the Comcast mail servers) is extremely likely to be blocked by the receiving ISP.
The Federal Trade Commission, an organization that has taken legal action against many spammers, also recommends that Port 25 should be blocked by ISPs. The FTC’s recommendation is as follows:
"Block port 25 except for the outbound SMTP requirements of authenticated users of mail servers designed for client traffic. Explore implementing Authenticated SMTP on port 587 for clients who must operate outgoing mail servers."
The ITU also recommends blocking port 25 in their document named "ITU Botnet Mitigation Toolkit". This can be viewed here. While this document is focused on the remediation of botted computers, blocking of port 25 is seen as an important step in mitigating the spam that is sent from botted machines.
ISPs that Manage Port 25
Many ISPs, both in the USA and around the globe, block port 25. These include:
- People PC
- All Japanese ISPs
- France Telecom/Orange
For additional information see here: https://www.xfinity.com/support/articles/list-of-blocked-ports
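A practical check to go with the blocked-port table above: from inside the Xfinity network you can tell an ISP filter apart from a port that is simply closed on the far end, because a filtered port never answers (the connect times out) while a reachable host with nothing listening sends a reset (connection refused). This is an added example written for this page, not Xfinity code; the port list is transcribed from the table (TCP rows only, since UDP has no handshake to observe), the localhost listener is a constructed fixture, and the target host is whatever you pass on the command line. It only exercises the upstream direction from your side; a downstream block has to be probed from outside the network.

```python
"""Tell an ISP-filtered TCP port from one that is merely closed.

A port dropped by an upstream filter never answers the SYN, so connect()
times out ("filtered"); a reachable host with nothing listening answers
with RST, which Python reports as ConnectionRefusedError ("closed").
Only TCP rows of the table can be checked this way: a silent UDP port
looks the same whether it is open or blocked.
"""
import socket
import sys

# Transcribed from the table above: TCP ports Xfinity blocks in at least one
# direction. Port 0 is left out because the OS refuses to connect to it anyway.
XFINITY_BLOCKED_TCP = [25, 135, 136, 137, 138, 139, 445, 1080]


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'closed' (RST received) or 'filtered' (no answer in time).

    Other failures (no route, name resolution) come back as 'error:<errno>'
    so they are not mistaken for a deliberate filter.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        return f"error:{exc.errno}"


def probe_many(host, ports, timeout=3.0):
    """Probe several ports on one host; returns {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def local_demo():
    """Constructed fixture: one listening and one closed port on 127.0.0.1.

    Shows the two non-filtered outcomes offline; a 'filtered' result can
    only be observed against a real remote host behind the ISP filter.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # kernel picks a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                            # released: nothing listens there now
    try:
        results = probe_many("127.0.0.1", [open_port, closed_port], timeout=3.0)
        return results[open_port], results[closed_port]
    finally:
        listener.close()


if __name__ == "__main__":
    # Usage: python probe_ports.py <host>  (no particular host is assumed here)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, state in probe_many(target, XFINITY_BLOCKED_TCP).items():
        print(f"{target}:{port} -> {state}")
```

A timeout also happens when the remote host is down or filters the port itself, so compare against a port you know that host serves (for a mail server, 587 next to 25): open on 587 and filtered on 25 from the same host is the signature of the ISP block described above.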
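The client side of the port 587 recommendation in the answer above (authenticate, and encrypt with TLS, which the answer calls SSL), as an added example written for this page rather than Xfinity's own code: the EHLO reply is parsed, the session refuses to go any further unless STARTTLS is offered, the server certificate is verified, capabilities are re-read over TLS, and only then are credentials sent. The hostnames, account, message and the sample EHLO replies are constructed placeholders, not real Comcast servers or settings.

```python
"""Submit mail on port 587: STARTTLS first, verified certificate, then AUTH."""
import smtplib
import ssl
from email.message import EmailMessage


def parse_ehlo(ehlo_msg):
    """Map the EHLO reply to {KEYWORD: [params]}.

    smtplib.SMTP.ehlo() returns (code, msg) with msg as bytes, one line per
    extension and the status codes already stripped; raw '250-' prefixes are
    tolerated too so a captured transcript can be fed in unchanged.
    """
    caps = {}
    lines = ehlo_msg.decode("ascii", "replace").splitlines()
    for line in lines[1:]:                    # line 0 is the server greeting
        line = line.strip()
        if len(line) > 3 and line[:3].isdigit() and line[3] in "- ":
            line = line[4:]
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def submission_gate(caps, tls_active):
    """Return the reasons the client must stop before sending credentials.

    Before TLS the only thing that matters is that STARTTLS is offered; an
    AUTH line seen in the clear is ignored, because an on-path attacker can
    add or strip it. After TLS the server must advertise AUTH.
    """
    problems = []
    if not tls_active and "STARTTLS" not in caps:
        problems.append("STARTTLS not offered; refusing to continue in the clear")
    if tls_active and not caps.get("AUTH"):
        problems.append("no AUTH mechanisms advertised after STARTTLS")
    return problems


def send_via_submission(host, username, password, msg, port=587, timeout=30):
    """Deliver msg through host:587 with STARTTLS + AUTH, or raise."""
    ctx = ssl.create_default_context()        # verifies chain and hostname
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        _, ehlo = conn.ehlo()
        problems = submission_gate(parse_ehlo(ehlo), tls_active=False)
        if problems:
            raise smtplib.SMTPException("; ".join(problems))
        conn.starttls(context=ctx)
        _, ehlo = conn.ehlo()                 # capabilities must be re-read over TLS
        problems = submission_gate(parse_ehlo(ehlo), tls_active=True)
        if problems:
            raise smtplib.SMTPException("; ".join(problems))
        conn.login(username, password)        # credentials only travel inside TLS
        return conn.send_message(msg)         # {} means every recipient was accepted


if __name__ == "__main__":
    # Assumed placeholders, not real Comcast hostnames or accounts.
    message = EmailMessage()
    message["From"] = "user@example.com"
    message["To"] = "friend@example.net"
    message["Subject"] = "port 587 test"
    message.set_content("Sent with STARTTLS and authentication on port 587.")
    send_via_submission("smtp.example.com", "user@example.com", "app-password", message)
```

smtplib's own `starttls()` already raises when the extension is missing; the explicit gate makes the policy visible and, more importantly, stops the common mistake of trusting an AUTH advertisement seen before the TLS handshake. `ssl.create_default_context()` is what turns "SSL enabled" into an actual check of the server's certificate and name; passing an unverified context would encrypt the session but let anyone on the path impersonate the server.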