Shaw.ca breaking the internet

On the internet, network services are commonly defined by the port they use. For example, when you are on a website, you’re typically connected to port 80 of the remote computer, but your browser does this transparently for you. If you’re sending email, you’re connected to port 25 of your mail server. Ports are important to know about for network debugging as well as security. For more information, see the hackepedia page on ports.

When I moved to Victoria several years ago, I quickly realized that competition for broadband is non-existent here in British Columbia; you use Telus for DSL (limited to ~7Mbps) or Shaw for cable (can go as high as 100Mbps currently). As I work from home, and am a techy, I opted for the Shaw route. All other broadband providers I’m aware of in Victoria are just resellers of these two. I was quickly surprised to learn that Shaw blocks port 25 inbound; this was no good, as I own my own mail server and don’t want to be forced to provide Shaw with access to all of my emails so they can read and/or log them forever.

When I called to enquire, they told me that to get a static IP and port 25 unblocked (required to run my own mail server) I would instead have to pay a premium of ~$90/month for a 15Mbps connection that does this. I had no choice, they are the monopoly of cable broadband in the region. This is an incredible tax for the privilege of not allowing Shaw to log and read my emails.

I should note that in the last 5 years, there was exponentially more spam sent out from Shaw’s official email server than from mine (none).

Several years later, I now have a second location in Victoria, and so I set up a residential 15Mbps connection, where I pay $30/month for the next 6 months. I quickly realized that port 25 is blocked, as I can’t even connect to my other Shaw internet connection!? I’m paying for two connections, and can’t have one use the other?

This made me think, they’ve only implemented port 25 blocking for two possible reasons:

  1. Shaw insists you use their mail servers, why? Are they reading our emails? How long are they logging them for? Who in their organization has access to them?
  2. They enjoy charging a tax to technically savvy users that don’t want to give Shaw access to all of their private emails.

I decided to ask them on twitter:

@shawhelp I pay $30/m for 15M internet at one house, and $90/m at another so I can use port 25. Why the $60 tax to send email?
@cqwww Port 25 blocks have been in place for quite awhile now. Only affects you if you aren’t using #shaw servers http://bit.ly/h6V9T8 (J36)
@shawhelp But you allow me to send email for an extra $60/month from my shaw acct; I doubt $60/month is an effective way to stop spammers?
They’ve also since DM’d me: Curious, would there be any reason you can’t change the outgoing port to something other than 25? -F52
As you can see, I’ve responded in public:
@shawhelp Why would I change the standard port number (25)? I’m trying to run a mail server that works. Changing it breaks things.

As you can see, they’re suggesting they block port 25 to block spammers, but are they really arguing that a spammer wouldn’t pay the $60/month premium/tax to do so? That seems like a really silly argument, and if you’re willing to pay this premium, they will unblock port 25. They suggest I can change the port, but that effectively breaks the internet. If you and I are friends, and I say you can have an account on my private email server, would you like having to figure out where in your mail program’s advanced settings you change the port number just for emails going to my mail server? That is a huge inconvenience. It’s like requiring your clients to knock at the side door of your business with a special knock instead of just walking in the front, it’s not something one should be required to ask of their friends, or clients.

I should also note this is not a bizarre request I am making. When living in Ontario, I was using Teksavvy which doesn’t block any internet ports. This is standard in any competitive internet landscape, not something we have here in BC. I will suggest that as a result, Shaw is false advertising; they are not offering “internet service”, but they are offering “limited network access”. They are effectively breaking probably the second biggest part of the internet next to web surfing, email.

My friend Kevin also enquired on twitter, as he was writing an anti-phishing tool, and Shaw replied:

Port 25 is reserved for Shaw SMTP server on our network. Using a 3rd party SMTP you will need a different port number. -L81

This is interesting, as Shaw has decided they will block port 25 from everyone, but themselves! Again, the suggestion of using a different port number, which they themselves do not do, as they know this breaks the internet. This is an obvious case of unfairness.

I have since found a company in Vancouver that will give me a piece of a server, called a virtual private server (VPS), for only $12/month, with no ports blocked. As I figure this negotiation with Shaw will take some time, I’ve decided to set up a VPS with the provider in Vancouver, and I will run my email through them. Having just set that machine all up and being ready to test, I was having some issues, only to discover Shaw blocks outgoing port 25 as well, not just inbound! This means that as a Shaw ISP user, they absolutely require you use their mail server, instead of any other email server in the world?! This is clearly unacceptable.
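To tell an ISP egress block apart from a mail server that is simply down, the outbound SMTP ports can be probed one by one. The script below is an added example, not part of the original post; `mail.example.org` is a placeholder hostname and the function names are illustrative.

```python
import socket

# 25 = server-to-server relay, 587 = authenticated submission,
# 465 = submission over implicit TLS.
SMTP_PORTS = (25, 587, 465)


def probe(host, port, timeout=5.0, connect=socket.create_connection):
    """Classify one outbound TCP path as open, refused, filtered or error.

    `connect` is injectable so the timeout case can be exercised offline.
    """
    try:
        sock = connect((host, port), timeout)
    except ConnectionRefusedError:
        # A reset came back: usually the host is reachable but nothing
        # is listening (some filters also answer with a reset).
        return ("refused", "")
    except (socket.timeout, TimeoutError):
        # The SYN was silently dropped: typical of an egress filter.
        return ("filtered", "")
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(512).decode("ascii", "replace").strip()
        except (socket.timeout, TimeoutError):
            banner = ""  # port 465 starts with TLS, so no plaintext banner
    return ("open", banner)


def survey(host, ports=SMTP_PORTS, **kwargs):
    """Probe every port and return {port: (state, banner)}."""
    return {port: probe(host, port, **kwargs) for port in ports}


def banner_is_expected(banner, expected_name):
    """True when a 220 greeting names the server we meant to reach.

    A 220 greeting naming another host means a different server answered.
    """
    return banner.startswith("220") and expected_name.lower() in banner.lower()


if __name__ == "__main__":
    # mail.example.org is a placeholder for your own mail server.
    for port, (state, banner) in survey("mail.example.org").items():
        print(f"{port:>4}  {state:<9} {banner}")
```

Run it once from the restricted connection and once from an unrestricted network: a port that is `filtered` only from the former is being blocked in transit rather than by the server.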

I’m looking for solutions here to resolve this in the interim. Is there a way in Mail.app to handle a SOCKS proxy (ssh -D) without it being system wide? Or even better, can I set up a SOCKS proxy in Mail.app just for one account (my VPS account) so that I can still also check my @shaw.ca email (Shaw requires you’re connected to their network to check your @shaw.ca emails?!).

A few questions to Shaw:

  • Is it fair you charge a tax for the premium of running a mail server? I don’t want you to read my emails, and I provably send out less spam than you do!
  • Is it fair you allow port 25 for yourself and not others?

In the long term, who is ensuring ISPs in Canada are competitive and secure? I’d love to speak with them.

16 thoughts on “Shaw.ca breaking the internet”

  1. @torbjornrive

    This is a great post. Thanks. And, for looking into this and making it public. There’s already too much internet and access breakage in Canada to stay on our knees without proper info.

    -Torbjorn

  2. David Bronaugh

    This is old news, sadly. Both Telus and Shaw have been blocking outgoing SMTP for a very long time (>5 years). They’re trying to prevent their users from using open relays to spam – not that it probably does much. Mostly it just locks people into using their email services, which is probably great from a vendor lock-in perspective — technically incompetent people can’t easily port their email address around then, which is useful.

    I suggest simply using NAT on the server end to have an additional port behave as SMTP. Not going to win this fight with Shaw; the deck is severely stacked against you.

    1. Kris Constable

      I don’t agree that I should be forced to pay a tax because others are not technically competent. I also don’t believe in kowtowing to an organization that is not being competitive or fair. We’ll be discussing at ideas – Victoria tonight if you’re around!

      1. matt

        if you avoid using smtp-auth with encryption, your family is at much more risk of having outbound email transparently intercepted anyway.

  3. Mike DeWolfe

    Shaw is reading your email. They say they have a spam blocker, which can only work if they examine the messages with their scanner. We saw one thread with a sexual theme (the place I worked at involved HIV work) consistently destroyed. When the message was sent through our own systems and received as webmail to avoid Shaw it came through 100% of the time. When it came via Shaw, it was digested and destroyed 100% of the time. Same sender, same content, not malicious mail– but Shaw’s system swallowed it.

  4. Guy Rosario

     Well, in Canada there is the CCTS (Commissioner for Complaints for Telecommunications Services). Their mission is to (and I quote) “To provide outstanding dispute resolution service to Canadian consumers and telecom providers, and always to adhere to our core values and performance standards”….

    You might want to start there…

  5. J-Bo

    Year later, but this has to be said.

    This is weird. I have been running mail servers for over 10 years (about 3 years ago shaw blocked outgoing smtp port 25). Work around is simple. Keep in mind smtp port 25 is used twofold. One, your mail server listens on port 25 to receive email from other smtp servers. Two, you connect to it to send mail via smtp. Well, it’s the Two part Shaw, MTS, Telus, Bell, Rogers blocked. My mail still comes into my mail server on port 25 on a cheap residential dynamic ip shaw package, never stopped, ever.

    However, when I was wanting to connect to my mail server to send mail via smtp port 25, forgetaboutit.

    So I send mail through my server via port 26 (with authentication of course.)

    My router has a port forward incoming tcp port 25 to internal mail server port 25 (to receive mail from other servers) and in tcp port 26 to internal mail server port 25 (to send mail through my server)

    Been working for years!

    btw you don’t have to use port 26, it can be any unused port you want, provided it forwards to internal mail server port 25.

  6. Greg

    Telus had inbound port 80 blocked on its optik network in Vancouver. They also insisted on double natting me since I was only to have access to the LAN side of their firewall/ap/hpna box. They would not bridge the device. There is work around but you need old hardware.

  7. Kevin (not the same Kevin above me)

    “Port 25 is reserved for Shaw SMTP server on our network. Using a 3rd party SMTP you will need a different port number”

    I may be mistaken, but I believe that this is standards compliant behavior, as set out by the Internet Engineering Task Force in its “Request For Comments” standard number 2476.

    You’re behind the times. Port 25 has not been the proper port for relaying e-mail across an external network since 1998. The correct port is 587.
