Why is Comcast supporting port 587?
The original/legacy email ports, 25 (SMTP) and 110 (POP3), have been in use since the inception of email and have limited or no security features. As a result, port 25 has been used for the transmission of spam and malware from infected computers for nearly a decade. Port 110 is simply not a secure means of retrieving email; port 995 provides SSL encryption when downloading email.
It has been a long-standing recommendation from M3AAWG, an international community of anti-abuse professionals, and the Internet Engineering Task Force (IETF) that port 25 be blocked. In an effort to provide our customers with the greatest security when using email, Comcast recommends the use of the industry-recommended port 587 with TLS/SSL enabled. The details are in the M3AAWG recommendations and in the IETF's RFC 5068 and RFC 4409 (section 3.1, quoted below).
From RFC 4409:
3.1. Submission Identification
Port 587 is reserved for email message submission as specified in this document. Messages received on this port are defined to be submissions. The protocol used is ESMTP [SMTP-MTA, ESMTP], with additional restrictions or allowances as specified here. Although most email clients and servers can be configured to use port 587 instead of 25, there are cases where this is not possible or convenient. A site may choose to use port 25 for message submission by designating some hosts to be MSAs and others to be MTAs.
What makes these settings more secure?
Port 587 further improves security through the use of required authentication and recommended TLS/SSL encryption.
Required authentication
Sending and receiving email requires your Xfinity ID and password. This helps to prevent infected computers and other devices connected to the Xfinity services from being able to freely transmit spam and malware.
SSL encryption
Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), is a secure protocol for sending data safely and encrypted over the Internet. With SSL/TLS encryption your user ID, password, and email are protected from hackers and identity thieves when sending or receiving email.
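The two protections just described, required authentication and TLS encryption on port 587, can be checked from the client side before any credentials are sent. The following is an added example and not Comcast's own code: it parses the server's EHLO capability list, confirms that STARTTLS is offered and that AUTH is offered once TLS is up, and only then logs in and sends. The host name, account and message are constructed placeholders.

```python
"""Check that an SMTP submission server offers STARTTLS and AUTH, then send
through it. Added example, not Comcast's code; host, credentials and the
EHLO replies in the comments are constructed placeholders.
"""
import smtplib
import ssl
from email.message import EmailMessage


def parse_ehlo(ehlo_reply: bytes) -> dict:
    """Turn the bytes smtplib.SMTP.ehlo() returns into {KEYWORD: [params]}.

    The first line is the server's greeting; each following line is one ESMTP
    keyword, optionally followed by parameters (e.g. 'AUTH PLAIN LOGIN').
    """
    caps = {}
    for line in ehlo_reply.decode("ascii", "replace").splitlines()[1:]:
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def submission_checks(caps_before_tls: dict, caps_after_tls: dict) -> list:
    """Return a list of problems with a submission server's capabilities; [] is good.

    caps_before_tls: capabilities from the first EHLO (plain-text connection).
    caps_after_tls:  capabilities from the EHLO sent again after STARTTLS.
    Servers commonly advertise AUTH only after TLS; that is the expected shape.
    """
    problems = []
    if "STARTTLS" not in caps_before_tls:
        problems.append("no STARTTLS offered: credentials and mail would cross the network in clear text")
    offered_early = caps_before_tls.get("AUTH", [])
    if "PLAIN" in offered_early or "LOGIN" in offered_early:
        problems.append("AUTH PLAIN/LOGIN offered before TLS: a careless client could send the password unencrypted")
    if "AUTH" not in caps_after_tls:
        problems.append("no AUTH offered after TLS: server would act as an unauthenticated relay")
    return problems


def send_via_submission(host, username, password, msg: EmailMessage, port=587):
    """Connect on port 587, upgrade to TLS, verify the certificate, authenticate, send."""
    context = ssl.create_default_context()  # verifies the server certificate and host name
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        _, reply = smtp.ehlo()
        before = parse_ehlo(reply)
        if "STARTTLS" not in before:
            raise RuntimeError("server did not offer STARTTLS; refusing to send credentials")
        smtp.starttls(context=context)
        _, reply = smtp.ehlo()              # capabilities must be re-read after STARTTLS
        after = parse_ehlo(reply)
        problems = submission_checks(before, after)
        if problems:
            raise RuntimeError("; ".join(problems))
        smtp.login(username, password)      # the required authentication step
        smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed placeholders; replace with a real account to actually send.
    message = EmailMessage()
    message["From"] = "user@example.net"
    message["To"] = "friend@example.org"
    message["Subject"] = "Sent over authenticated, encrypted submission"
    message.set_content("Hello from port 587.")
    send_via_submission("smtp.example.net", "user@example.net", "app-password", message)
```

The capability list is read twice on purpose: what a server advertises before STARTTLS is not trustworthy (an on-path attacker can strip lines), so the AUTH decision is taken from the reply received inside the encrypted session. A plain port 25 relay with no STARTTLS and no AUTH fails both checks.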
Other bodies opposed to the use of port 25
There are a number of other organizations that Comcast works with to control the problem of spam on the Internet. One of the most notable of these is Spamhaus, an organization that provides a number of lists detailing IP addresses known to send a great deal of spam and a list of IP addresses that should never send email at all. These lists as well as others provided by similar organizations are used by nearly all of the ISPs and mail receivers on the planet. All of the Comcast dynamic IP address space is listed by Spamhaus as not to be used for the sending of email. As such, any email sent by subscribers on the Comcast network directly to other ISPs (not via the Comcast mail servers) is extremely likely to be blocked by the receiving ISP.
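A mail administrator can see for themselves why direct delivery from dynamic address space fails by querying the Spamhaus ZEN zone, which combines the PBL ("should never send email") list with the SBL and XBL. The block below is an added example, not Comcast's or Spamhaus's code: it builds the reversed-octet lookup name, decodes the documented return codes, and exposes a resolver parameter so the demo runs offline. The address 192.0.2.10 and the canned answers are constructed; only the zone name and return-code meanings come from Spamhaus's public documentation.

```python
"""Decode a Spamhaus ZEN listing for an IPv4 address.

Added example, not Comcast's or Spamhaus's code. The zone name and the
return-code meanings are from Spamhaus's published documentation; the
address 192.0.2.10 and the canned resolver answers are constructed.
"""
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Meaning of the A records ZEN returns for a listed address.
RETURN_CODES = {
    "127.0.0.2": "SBL: direct spam source",
    "127.0.0.3": "SBL CSS: snowshoe or compromised sender",
    "127.0.0.4": "XBL: exploited or infected host",
    "127.0.0.9": "SBL: DROP/EDROP hijacked or criminal netblock",
    "127.0.0.10": "PBL: ISP-maintained end-user space, should not send mail directly",
    "127.0.0.11": "PBL: Spamhaus-maintained end-user space, should not send mail directly",
}


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the lookup name: octets reversed, zone appended (1.2.3.4 -> 4.3.2.1.zone)."""
    addr = ipaddress.IPv4Address(ip)            # rejects garbage and IPv6
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolve_a(name: str) -> list:
    """Live lookup: A records for name, or [] when the name does not exist (= not listed)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def listing_reasons(ip: str, resolver=resolve_a, zone: str = ZEN_ZONE) -> list:
    """Human-readable reasons the address is listed; [] means not listed."""
    return [RETURN_CODES.get(code, f"unknown return code {code}")
            for code in resolver(dnsbl_query_name(ip, zone))]


def must_use_submission_server(ip: str, resolver=resolve_a) -> bool:
    """Policy: a PBL-listed host cannot deliver to other ISPs directly and has to
    relay through its ISP's authenticated submission service on port 587."""
    return any(reason.startswith("PBL") for reason in listing_reasons(ip, resolver))


if __name__ == "__main__":
    # Canned resolver standing in for DNS so the demo runs offline (constructed data).
    canned = {dnsbl_query_name("192.0.2.10"): ["127.0.0.10"]}
    fake = lambda name: canned.get(name, [])
    print(listing_reasons("192.0.2.10", fake))
    print(must_use_submission_server("192.0.2.10", fake))
    print(listing_reasons("192.0.2.20", fake))   # not listed
```

When run against live DNS, note that Spamhaus refuses queries arriving through some large public resolvers and signals that with answers in 127.255.255.0/24; those surface here as unknown return codes rather than as listings, so an unexpected code should be treated as "lookup failed", not "clean".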
The Federal Trade Commission, an organization that has taken legal action against many spammers, also recommends that ISPs block port 25. The FTC's recommendation is as follows:
"Block port 25 except for the outbound SMTP requirements of authenticated users of mail servers designed for client traffic. Explore implementing Authenticated SMTP on port 587 for clients who must operate outgoing mail servers."
The ITU also recommends blocking port 25 in its document named "ITU Botnet Mitigation Toolkit". While that document is focused on the remediation of botted computers, blocking port 25 is seen as an important step in mitigating the spam that is sent from botted machines.
ISPs that manage port 25
Many ISPs, both in the USA and around the globe, block port 25. These include:
- Verizon
- AT&T
- NetZero
- Charter
- People PC
- Cox
- EarthLink
- Verio
- Cablevision
- All Japanese ISPs
- France Telecom/Orange