Xnews failure update in XP Home

[KenK]

As I posted here earlier, I couldn't get Xnews news reader to work
properly on my sMachine T2984 computer; it couldn't DL message counts,
headers or messages. It does get lists of group names, authenticates
connection if required and some other things so it's successfully
connected to the news server and getting some data. It fails with no
error message. Xnews has run fine for me on the eMachine for many many
years.

The eMachine has no problem running my other software - Firefox, Eudora
email ap, Kaspersky virus protection, etc. The eMachine uses DSL but
exhibits the Xnews problems using a dial-up connection with another ISP
as well. News server ports are set to 119. It fails with two separate
news servers with different groups. The same copy of Xnews that fails
runs with no problem on my Compaq backup system.

A friend sent me a ZIP of Xananews. I installed it and it has the same
problem as Xnews so it's not a problem with Xnews, but something wrong in
the eMachine, but for the life of me I can't think of what it might be.
The problem started one morning between separate turn-ons and computer
sessions with no warnings or error messages. No new software installed,
upgrades, uninstalls, or anything else.

I tried Wireshark packet sniffer but don't understand its results.

Can anyone think of anything, likely a hardware or OS fault, that could
cause such a problem?

This was a long post but I tried to anticipate any questions.

Hoping for TIA.

 

[Paul]

As I posted here earlier, I couldn't get Xnews news reader to work
properly on my sMachine T2984 computer; it couldn't DL message counts,
headers or messages. It does get lists of group names, authenticates
connection if required and some other things so it's successfully
connected to the news server and getting some data. It fails with no
error message. Xnews has run fine for me on the eMachine for many many
years.

The eMachine has no problem running my other software - Firefox, Eudora
email ap, Kaspersky virus protection, etc. The eMachine uses DSL but
exhibits the Xnews problems using a dial-up connection with another ISP
as well. News server ports are set to 119. It fails with two separate
news servers with different groups. The same copy of Xnews that fails
runs with no problem on my Compaq backup system.

A friend sent me a ZIP of Xananews. I installed it and it has the same
problem as Xnews so it's not a problem with Xnews, but something wrong in
the eMachine, but for the life of me I can't think of what it might be.
The problem started one morning between separate turn-ons and computer
sessions with no warnings or error messages. No new software installed,
upgrades, uninstalls, or anything else.

I tried Wireshark packet sniffer but don't understand its results.

Can anyone think of anything, likely a hardware or OS fault, that could
cause such a problem?

This was a long post but I tried to anticipate any questions.

Hoping for TIA.

Xananews is another multithreaded multiserver program.

Why aren't you debugging with something a little more single-threaded ?

If you aren't running Thunderbird for anything now, install version
2.0.0.24 and test with your server. Remember to tick "Always Request Authentication",
if connecting to a news server that needs a USER and PASS field passed
to it.

(Link to the download for a US English user...)

ftp://ftp.mozilla.org/pub/mozilla.org/thunderbird/releases/2.0.0.24/win32/en-US/Thunderbird%20Setup%202.0.0.24.exe

*******

One thing I didn't see in your Wireshark trace, is AUTHINFO USER and PASS
commands sent to news.individual.net. Does Xnews have an "Always
Request Authentication" option ? If your news server requires you
to log in, the process must be "volunteered" from your end. The
protocol does not "prompt" you for a username, in the way that
FTP might. You make your news server, send USER and PASS commands,
which the server observes as attempts to authenticate, and then it
lets you in. It's a weird protocol, and if you don't send USER and
PASS, the server could just hang up on you.

Make sure Xnews is "volunteering" the USER and PASS for that server.

*******

If you don't want to test with Thunderbird, you can test this way.

http://www.anta.net/misc/telnet-troubleshooting/nntp.shtml

In Command Prompt, run telnet

telnet news.individual.net nntp

Then, in their example, they're entering this text from the keyboard.
I've modified the session a bit,

AUTHINFO user my_username_on_individual_net
AUTHINFO pass my_password_on_individual_net
POST
From: (e-mail address removed)
Newsgroups: misc.test
Subject: Test article
Message-ID: <[email protected]>

This is a test.
. <--- This dot means "end of message", it gets posted.
GROUP misc.test <--- Now, he checks to see the message number.

The person selects the high-water mark from the last command,
which returned this in the Telnet window. The person crafting
this example, assumes no one else has submitted a message.
The 269643 is the high water mark.

211 24 269620 269643 misc.test selected

So he then sends this, to fetch the newly posted article.

ARTICLE 269643
quit

That's an example of a transaction. Done with Telnet.

Note that some servers have extremely short connection
timeout values. If there is no activity on the port for
ten seconds, the port can close. At one time, the timeout
might have been set to a couple minutes. But being
"tight bastards", the NSP sets the timeout extremely short,
so fewer sessions are connected to the server at any one
time (uses less server memory, more users can be hosted).
And that means, you almost need a "here is" script
to feed into Telnet stdin, so the commands are sent in
rapid-fire succession.

Knowing that, I'd switch over to Thunderbird, fire up
Wireshark, and test that way

And yes, you can easily see what is happening in Wireshark.
If the transaction is single thread, it'll be a lot easier
to see and follow.

*******

Please review your networking setup.

DSL_provider ---- new_modem_router ----- (Ethernet cable to computer)

That's what I think it is.

Have you done something different, like add another router
in series with the above setup ?

Your news server won't send USER and PASS, if the
initial attempt to reach the server (get the 200 message)
is failing to be seen. But if the 200 message comes in,
the news client sees that, it can then send out
the AUTHINFO USER command, to pass the username to
the server.

Paul

 

[Nil]

Can anyone think of anything, likely a hardware or OS fault, that
could cause such a problem?

Firewall blocking the port? Maybe somethin in you HOSTS file is
interfering?

news.individual.net also can be accessed at port 8119 - try that?

https://news.individual.net/config.php

 

[KenK]

Firewall blocking the port? Maybe somethin in you HOSTS file is
interfering?

news.individual.net also can be accessed at port 8119 - try that?

https://news.individual.net/config.php

Xnews worked correctly on the eMachine this morning when I started it
from force of habit. I turned it off and updated the newscr files. Then
ran it again - didn't work. <sigh> So I doubt it's the port address.

Firewall is part of Kaspersky Internet Security 2015. Updated 9/25. Xnews
failed 10/8 so I don't think there is a connection.

HOSTS file? No familiar with that.

 

[KenK]

Xananews is another multithreaded multiserver program.

Why aren't you debugging with something a little more single-threaded
?

If you aren't running Thunderbird for anything now, install version
2.0.0.24 and test with your server. Remember to tick "Always Request
Authentication", if connecting to a news server that needs a USER and
PASS field passed to it.

(Link to the download for a US English user...)

ftp://ftp.mozilla.org/pub/mozilla.org/thunderbird/releases/2.0.0.24/win
32/en-US/Thunderbird%20Setup%202.0.0.24.exe

DLed and tested. Gets group list, gets message count but doesn't DL
messages or headers. Says news server file timed out. That server does
not require authntication like individual net.

Interesting bit of
Xnews worked correctly on the eMachine this morning when I started it
from force of habit. I turned it off and updated the newscr files. Then

One thing I didn't see in your Wireshark trace, is AUTHINFO USER and
PASS commands sent to news.individual.net. Does Xnews have an "Always
Request Authentication" option ? If your news server requires you
to log in, the process must be "volunteered" from your end. The
protocol does not "prompt" you for a username, in the way that
FTP might. You make your news server, send USER and PASS commands,
which the server observes as attempts to authenticate, and then it
lets you in. It's a weird protocol, and if you don't send USER and
PASS, the server could just hang up on you.

Make sure Xnews is "volunteering" the USER and PASS for that server.

One later more legible list from Wireshark includes:

news.individual,net 192.168.0.2 NNTP 97 Response 281 Authentication
accepted (UID=307388)>

*******

If you don't want to test with Thunderbird, you can test this way.

http://www.anta.net/misc/telnet-troubleshooting/nntp.shtml

In Command Prompt, run telnet

telnet news.individual.net nntp

Then, in their example, they're entering this text from the keyboard.
I've modified the session a bit,

AUTHINFO user my_username_on_individual_net
AUTHINFO pass my_password_on_individual_net
POST
From: (e-mail address removed)
Newsgroups: misc.test
Subject: Test article
Message-ID: <[email protected]>

This is a test.
. <--- This dot means "end of message", it
gets posted. GROUP misc.test <--- Now, he checks to see
the message number.

The person selects the high-water mark from the last command,
which returned this in the Telnet window. The person crafting
this example, assumes no one else has submitted a message.
The 269643 is the high water mark.

211 24 269620 269643 misc.test selected

So he then sends this, to fetch the newly posted article.

ARTICLE 269643
quit

That's an example of a transaction. Done with Telnet.

Note that some servers have extremely short connection
timeout values. If there is no activity on the port for
ten seconds, the port can close. At one time, the timeout
might have been set to a couple minutes. But being
"tight bastards", the NSP sets the timeout extremely short,
so fewer sessions are connected to the server at any one
time (uses less server memory, more users can be hosted).
And that means, you almost need a "here is" script
to feed into Telnet stdin, so the commands are sent in
rapid-fire succession.

Knowing that, I'd switch over to Thunderbird, fire up
Wireshark, and test that way

And yes, you can easily see what is happening in Wireshark.
If the transaction is single thread, it'll be a lot easier
to see and follow.

*******

Please review your networking setup.

DSL_provider ---- new_modem_router ----- (Ethernet cable to
computer)

That's what I think it is.

Have you done something different, like add another router
in series with the above setup ?
No.

Your news server won't send USER and PASS, if the
initial attempt to reach the server (get the 200 message)
is failing to be seen. But if the 200 message comes in,
the news client sees that, it can then send out
the AUTHINFO USER command, to pass the username to
the server.

Paul

I'll reread this later but I think I answered your questions.

Thanks for your help as always.

Ken

 

[KenK]

Knowing that, I'd switch over to Thunderbird, fire up
Wireshark, and test that way

Ok. Earlier this morning I ran Wireshark on an attempt to get messages with
Thunderbird. I've not had a chance to read the printed result. Hope I can
understand it. I didn't get anything out of the trace it showed on the
screen after it ran. For some reason, the printed list is always very
different - and much harder to understand.

Ken

 

[KenK]

Knowing that, I'd switch over to Thunderbird, fire up
Wireshark, and test that way

I checked the Wireshark output from my Thunderbird connection attempt
yesterday. As usual, I got little that I could understand.

However, I noticed one often repeated line that seemed to result when T-
bird was attempting to get message info from the Optimax news server:

NOTIFY * HTTP/1.1

I tried Google but got nothing I could understand. Mean anything to you?

Today I'm going to look at the Windows and Kaspersky Internet Security
2015 firewall settings. I doubt if that's the problem but I'm getting
desperate! I'll also try Google again but all I seem to get is my own
messages on Usenet. <sigh>

Ken

 

[KenK]

Today I'm going to look at the Windows and Kaspersky Internet Security
2015 firewall settings.

Turned off Windows firewall. No help so turned it back on. Having a problem
finding Kaspersky firewall settings. Next will try Google.

Ken

 

[KenK]

Firewall blocking the port?

Turned off Windows firewall. No help so turned it back on. Having a problem
finding Kaspersky firewall settings. Next will try Google.

 

[Paul]

I checked the Wireshark output from my Thunderbird connection attempt
yesterday. As usual, I got little that I could understand.

However, I noticed one often repeated line that seemed to result when T-
bird was attempting to get message info from the Optimax news server:

NOTIFY * HTTP/1.1

I tried Google but got nothing I could understand. Mean anything to you?

Today I'm going to look at the Windows and Kaspersky Internet Security
2015 firewall settings. I doubt if that's the problem but I'm getting
desperate! I'll also try Google again but all I seem to get is my own
messages on Usenet. <sigh>

Ken

https://ask.wireshark.org/questions/2387/ssdp-traffic

"SSDP (Simple Service Discovery protocol) is a part of UPnP
(Universal Plug and Play).

It is normal traffic for all UPnP enabled devices in your LAN.

Each device will send out a group of NOTIFY packets every
15 minutes or so while UPnP is enabled.

Many devices will also periodically send out M-SEARCH packets,
which are usually followed by response HTTP packets.
"

It's as if the Iptimax server wants to be found, and so it is
participating in UPNP ? Do you see SSDP mentioned in that
entry in Wireshark ?

Remember that you're looking at about five transactions at
once in that Wireshark trace. I don't think it's a coincidence
that they all happen at once, as if some program on your computer
(Xnews) is poking something.

When I run Thunderbird for NNTP here, there would be some DNS activity
(both to populate the Wireshark trace with names, as well as
DNS to find the E-S news server). As well as the NNTP protocol
to the INN server at E-S. And the analysis is pretty straight-forward,
as I'm using port 119, everything (username and password too)
are in plaintext, and each response uses standard numbers
(like "200" when first contacting the server). The administrator
on the INN server, can change the associated text message that
travels with the number. On some servers, this leads to user
confusion, such as when AIOE sends a terse "Banlist" message.
When it could just as easily have explained "Group closed to posting"
as a response. Looking up the number part, the "200" thing,
can help you "decode" terse custom responses like "Banlist".
You can look up the official definition of the number, to
see what it might mean.

I don't usually get routing traffic, as I tend to disable
IPV6 on OSes here. (There are a couple ways to prevent IPV6
activities, and one of them damages things, so you have to
be careful to do the background research before hammering
stuff.) I had to turn off the router in my ADSL modem/router
box, because it was being a pain with all the extra traffic
and flashing LED activity. That was related to IPV6. The separate
router box I use, just does IPV4, and that box is "quiet" when
the LAN is quiet. Some day I'll have to turn some of this stuff
back on, as IPV6 will soon be mandatory. We're close to exhaustion
and networking failures via IPV4. And it's possible that on
the Internet side of my setup, I'll need to run IPV6 again.
Even if the router does 6to4 to deal with my LAN side.
"Pauls head will explode" if he has to deal with IPV6 on
the home LAN...

Paul

 

[KenK]

https://ask.wireshark.org/questions/2387/ssdp-traffic

"SSDP (Simple Service Discovery protocol) is a part of UPnP
(Universal Plug and Play).

It is normal traffic for all UPnP enabled devices in your LAN.

Each device will send out a group of NOTIFY packets every
15 minutes or so while UPnP is enabled.

Many devices will also periodically send out M-SEARCH packets,
which are usually followed by response HTTP packets.
"

It's as if the Iptimax server wants to be found, and so it is
participating in UPNP ? Do you see SSDP mentioned in that
entry in Wireshark ?
No.

Remember that you're looking at about five transactions at
once in that Wireshark trace. I don't think it's a coincidence
that they all happen at once, as if some program on your computer
(Xnews) is poking something.

This was a Thunderbird trace, not Xnews, if it matters.

When I run Thunderbird for NNTP here, there would be some DNS activity
(both to populate the Wireshark trace with names, as well as
DNS to find the E-S news server). As well as the NNTP protocol
to the INN server at E-S. And the analysis is pretty straight-forward,
as I'm using port 119, everything (username and password too)
are in plaintext, and each response uses standard numbers
(like "200" when first contacting the server). The administrator
on the INN server, can change the associated text message that
travels with the number. On some servers, this leads to user
confusion, such as when AIOE sends a terse "Banlist" message.
When it could just as easily have explained "Group closed to posting"
as a response. Looking up the number part, the "200" thing,
can help you "decode" terse custom responses like "Banlist".
You can look up the official definition of the number, to
see what it might mean.

I don't usually get routing traffic, as I tend to disable
IPV6 on OSes here. (There are a couple ways to prevent IPV6
activities, and one of them damages things, so you have to
be careful to do the background research before hammering
stuff.) I had to turn off the router in my ADSL modem/router
box, because it was being a pain with all the extra traffic
and flashing LED activity. That was related to IPV6. The separate
router box I use, just does IPV4, and that box is "quiet" when
the LAN is quiet. Some day I'll have to turn some of this stuff
back on, as IPV6 will soon be mandatory. We're close to exhaustion
and networking failures via IPV4. And it's possible that on
the Internet side of my setup, I'll need to run IPV6 again.
Even if the router does 6to4 to deal with my LAN side.
"Pauls head will explode" if he has to deal with IPV6 on
the home LAN...

Paul

I'm going to read this carefully later.

Ken

 

[KenK]

Today I'm going to look at the Windows and Kaspersky Internet Security
2015 firewall settings.

Checked Kaspersky 2015 firewall. It has Xananews and especially Xnews under
a Low Restricted setting. These are the only aps there. From what I can
gather this shouldn't be causing my problem. But I do not have Kaspersky on
the machine that runs newsreaders ok. However, Thunderbird isn't mentioned
in the Kaspersky firewall files and it doesn't work either so that's maybe
not the problem?

Ken

 

[Nil]

Turned off Windows firewall. No help so turned it back on. Having
a problem finding Kaspersky firewall settings. Next will try
Google.

You should never have two firewalls running at the same time. If you
have Kapersky's firewall, turn off Windows' and leave it off.

Try turning off all firewalls temporarily and see if that relieves the
problem.

 

[Paul]

Checked Kaspersky 2015 firewall. It has Xananews and especially Xnews under
a Low Restricted setting. These are the only aps there. From what I can
gather this shouldn't be causing my problem. But I do not have Kaspersky on
the machine that runs newsreaders ok. However, Thunderbird isn't mentioned
in the Kaspersky firewall files and it doesn't work either so that's maybe
not the problem?

Ken

If you want to present any more packet traces, you
can put them on pastebin.com . That's a site for passing
text files to people. Same rules as before - clear the
Wireshark display, start it running, collect a short trace.
Try to turn on the Name Resolution fields under View, so
the trace uses symbolic names.

After pasting into pastebin.com , collect the generated
URL and you can use that as a reference when posting.

Make sure there are no occurrences of USER or PASS with
your account username or password in the text file, before
posting. If you're working with port 119, they'll be in
the trace.

Paul

 

[KenK]

Checked Kaspersky 2015 firewall. It has Xananews and especially Xnews
under a Low Restricted setting. These are the only aps there. From
what I can gather this shouldn't be causing my problem. But I do not
have Kaspersky on the machine that runs newsreaders ok. However,
Thunderbird isn't mentioned in the Kaspersky firewall files and it
doesn't work either so that's maybe not the problem?

Ken

Made a mistake as usual. When I looked for Thunderbird in Kaspersky
firewall list I missed entry for Mozilla, which it lists as accepted. So
if T-bird doesn't work, as it doesn't, then the Kaspersky firewall is not
the problem.

New grist for the mill:

To check for a port 119 problem, someone told me to use Xnews on

news.sff.net port 1119

I did and it worked perfectly. Then I turned off Xnews, turned it back on
- several times - and the sff news server no longer works, just like
Individual and Optimax. Wonder why it worked once? Just like Xnews worked
once on all news servers a few days ago. Weirder and weirder.

A clue?

TIA

Ken

 

[KenK]

You should never have two firewalls running at the same time.

Haven't caused a problem in many many years that I know of.

If you
have Kapersky's firewall, turn off Windows' and leave it off.

Try turning off all firewalls temporarily and see if that relieves the
problem.

Kaspersky firewall accepts Mozxilla stuff so T-bird should not be
affected.

I don't know how to turn off Kaspersky firewall. I'd also like to turn
off Kaspersky entirely temporily to see if it helps but don't know how.
Neither is obvious. Back to Google to try to find out.

 

[Paul]

Made a mistake as usual. When I looked for Thunderbird in Kaspersky
firewall list I missed entry for Mozilla, which it lists as accepted. So
if T-bird doesn't work, as it doesn't, then the Kaspersky firewall is not
the problem.

New grist for the mill:

To check for a port 119 problem, someone told me to use Xnews on

news.sff.net port 1119

I did and it worked perfectly. Then I turned off Xnews, turned it back on
- several times - and the sff news server no longer works, just like
Individual and Optimax. Wonder why it worked once? Just like Xnews worked
once on all news servers a few days ago. Weirder and weirder.

A clue?

TIA

Ken

Good detective work.

The fact port 1119 is blocked, suggests the same mechanism that
is used to block email relays. If the ISP uses a Deep Packet
Inspection box (DPI), they can watch for particular protocols
and block them.

If you wait a while (more than fifteen minutes), it's just possible
1119 will work for a short time again. Then stop working.

Someone tested email relays on our ISP here. And they
described how the DPI box would notice the attempt to relay
on other than port 25? or whatever it is. And the DPI box would
"block" that port for fifteen minutes (even if you ran a
different protocol on the port, it remained blocked). Or, until
you attempted to relay again. So if you attempted to email relay
on Port 80 (as if you were running a web server), it would still
recognize the cogent parts of emailing, and stop the transaction.

I'm sure there are other explanations. If port 1119 worked forever,
or 1119 was blocked forever, we'd have to find another
explanation. But if port 1119 "flaps in the breeze", that
hints the DPI box at the ISP is involved. If it works sometimes
and not others, and if Wireshark is not showing any duplicate
packets, that might be it.

My ISP even took to (accidentally) blocking web sites with the
DPI box. The symptoms, are a lot more RST responses than normal.
How web sites are blocked, is as follows


ISP ------- RST() ----->
<---- RST()----

Like a Man in the Middle (MITM), the ISP sends RST responses,
fooling both ends into thinking there is a congestion problem.
And causing both ends to drop the connection. And it's all made
possible by DPI boxes. It took the idiots at my ISP *three months*
to figure out the mistake and stop doing that. The symptoms
were not perfectly consistent, but I refuse to believe every
major web site (Google) could not be reached at the same time.

Do not expect entry-level Tech Support at the ISP to admit
to this. You can counter any answer they might attempt to
give, by pointing out that any good ISP needs a DPI box,
just to block email relays. Using a DPI box, automates
the whole process, so no human operator is directly involved.
Escalate to the next level of support, or to a manager, if
the explanations are "too dumb for words".

So wait an hour, and carefully do your port 1119 test again.
My expectation is, it'll work for a short time. The DPI box
can't block the port forever, because some other protocol
might use that port number.

Paul

 

[Nil]

Haven't caused a problem in many many years that I know of.

They are redundant and will be working at cross-purposes, and you will
need to maintain the rules in both. You may be experiencing a problem
right now.

Usually, when you install a third-party firewall, Windows is smart
enough to shut off its built in one. You must have intentionally turned
it back on.

Kaspersky firewall accepts Mozxilla stuff so T-bird should not be
affected.

Not necessarily.

I don't know how to turn off Kaspersky firewall. I'd also like to
turn off Kaspersky entirely temporily to see if it helps but don't
know how. Neither is obvious. Back to Google to try to find out.

I'm surprised you haven't done that already. It should have been one of
your first troubleshooting steps.

http://www.google.com/search?q=how+to+disable+kaspersky+firewall

 

[KenK]

They are redundant and will be working at cross-purposes, and you will
need to maintain the rules in both. You may be experiencing a problem
right now.

Usually, when you install a third-party firewall, Windows is smart
enough to shut off its built in one. You must have intentionally turned
it back on.


Not necessarily.


I'm surprised you haven't done that already. It should have been one of
your first troubleshooting steps.

http://www.google.com/search?q=how+to+disable+kaspersky+firewall

Turned off Windows and Kaspersky firewalls. Xnews still doesn't work.
Turned Kaspersky's back on, left Windows' off.

 

[KenK]

The fact port 1119 is blocked, suggests the same mechanism that
is used to block email relays. If the ISP uses a Deep Packet
Inspection box (DPI), they can watch for particular protocols
and block them.

Some days back I tried the faulty emachine and Xnews on the Sitestar ISP's
dial-up connection instead of CenturyLink's DSL. Made no difference. Still
didn't work. The backup system with Xnews still works fine, as you can see,
with the Sitestar dial-up.

If you wait a while (more than fifteen minutes), it's just possible
1119 will work for a short time again. Then stop working.

Someone tested email relays on our ISP here. And they
described how the DPI box would notice the attempt to relay
on other than port 25? or whatever it is. And the DPI box would
"block" that port for fifteen minutes (even if you ran a
different protocol on the port, it remained blocked). Or, until
you attempted to relay again. So if you attempted to email relay
on Port 80 (as if you were running a web server), it would still
recognize the cogent parts of emailing, and stop the transaction.

I'm sure there are other explanations. If port 1119 worked forever,
or 1119 was blocked forever, we'd have to find another
explanation. But if port 1119 "flaps in the breeze", that
hints the DPI box at the ISP is involved. If it works sometimes
and not others, and if Wireshark is not showing any duplicate
packets, that might be it.

Nope. I must have been unclear. It (port 1119 server) only worked once,
when I first tried it. Since then I've tried Xnews often and it no longer
works. In fact, Xnews worked again this morning when I turned on emachine.
Second time this has happened. EXCEPT the port 1119 SERVER! The two 119
port news servers worked. Updated group files (newscr files - these work
fine as I'm using them right now on backup system). As happened last time,
then Xnews failed repeatedly again. Wonder why it does this?

Something else. I just looked and I'm running Optimax server on port 0 on
this backup machine! Individual net on port 119. I have not tried the port
1119 server on this machine.

My ISP even took to (accidentally) blocking web sites with the
DPI box. The symptoms, are a lot more RST responses than normal.
How web sites are blocked, is as follows


ISP ------- RST() ----->
<---- RST()----

Like a Man in the Middle (MITM), the ISP sends RST responses,
fooling both ends into thinking there is a congestion problem.
And causing both ends to drop the connection. And it's all made
possible by DPI boxes. It took the idiots at my ISP *three months*
to figure out the mistake and stop doing that. The symptoms
were not perfectly consistent, but I refuse to believe every
major web site (Google) could not be reached at the same time.

Do not expect entry-level Tech Support at the ISP to admit
to this. You can counter any answer they might attempt to
give, by pointing out that any good ISP needs a DPI box,
just to block email relays. Using a DPI box, automates
the whole process, so no human operator is directly involved.
Escalate to the next level of support, or to a manager, if
the explanations are "too dumb for words".

So wait an hour, and carefully do your port 1119 test again.
My expectation is, it'll work for a short time. The DPI box
can't block the port forever, because some other protocol
might use that port number.

See earlier response. It only worked once, didn't every time since.

Paul

I think I told you I turned off Kaspersky's and Windows' firewalls
yesterday on the emachine and tried Xnews. No help. Turned Kaspersky's
firewall back on, left Windows' off.

Ken