[ajross]

None of this affects the use of telnet the client program nor the ability to run a telnetd on your own host (but do be sure it's patched!).

What's happened is that global routing on the internet (or big chunks of it, it's not really clear) has started blocking telnet's default port to protect presumably-unpatched/unpatchable dinosaur systems from automated attack. So you can no longer (probably) rely on getting to a SMTP server to deliver that spoofed email unless you can do it from its own local environment.

[emmelaich]

> started blocking telnet's default port

But that's 23 and smtp is 25.

[jonprobably]

SMTP has and is almost blocked everywhere to dissuade spam.

[dwedge]

Presumably not on the SMTP servers they were connecting to. There are millions of IPs with port 25 open, without them email wouldn't work, so I'm not sure what you mean

[einr]

They probably mean that port 25 is blocked on consumer ISPs/residential IP blocks to prevent malware from running an smtpd on an infected home computer or router (which used to happen a lot), but on a higher level of course no one blocks SMTP.

[pkaeding]

You would still be able to use the telnet client to connect to an SMTP server on TCP port 25, just not port 23, right? I don't think that part changed here.

[ajross]

It's... not super clear from the article whether this is a port block or a stateful protocol thing. But yes, you're probably right and SMTP spoofing is probably safe for now.

[Balinares]

I read it as a clear port 23 block.