[Spam] Comcast reporting spam from my IP

Author	All Replies
koitsu Premium join:2002-07-16 Mountain View, CA edit: September 3rd, @05:54AM	[Spam] Comcast reporting spam from my IP Comcast picked the wrong person to send the below notification to. I'm a UNIX administrator who is quite familiar with SMTP. Dear Comcast Subscriber: ACTION REQUIRED: Comcast has determined that your computer(s) have been used to send unsolicited email ("spam"), which is generally an indicator of a virus. For your own protection and that of other Comcast customers, we have taken steps to prevent further transmission of spam from your computer(s). Comcast.Net WebMail Users If you use a web browser to access your email, this change will not affect your service. However, it is important that you take steps to remove the virus and secure your computer(s). This can be done by using the FREE McAfee Antivirus and Firewall software available from Comcast on the [2]Comcast Security Channel or by using other popular antivirus solutions that are widely available. Third-Party Mail Client Users (Outlook, Outlook Express, etc.) If you use Outlook Express, the steps we have taken to protect the Comcast network will not allow you to send email until you apply a simple one click fix available at [3]http://www.comcastsupport.com/alternateport. While this will restore your ability to send mail it is still important to remove any possible viruses from your computer. This can be done by using the McAfee Antivirus and Firewall software (offered to Comcast.net subscribers at no additional charge) available from Comcast on the [4]Comcast Security Channel or by using other popular antivirus solutions that are widely available. Note: this one click fix currently only works with Internet Explorer. If you use a different browser, please click [5]here for steps to manually change your port. If you are using a third-party client other than Outlook Express (Outlook, Eudora, Thunderbird, etc.), please click [6]here for instructions. Comcast is focused on providing a secure internet experience for all of our customers. Please visit the [7]Comcast Security Channel regularly to stay up to date with the latest security threats, products, and services If you have additional questions please visit ([8]www.comcast.net/help). Thank you for choosing Comcast! Sincerely, Comcast Customer Security Assurance Border Bottom © 2008 Comcast \| [9]Privacy Statement References 1. http://www.comcast.net/Security/SecSuiteSSO/?cid=NET_33_18 2. http://www.comcast.net/Security/SecSuiteSSO/?cid=NET_33_18 3. http://www.comcastsupport.com/alternateport 4. http://www.comcast.net/Security/SecSuiteSSO/?cid=NET_33_18 5. http://www.comcastsupport.com/tb25 6. http://www.comcastsupport.com/tb25 7. http://security.comcast.net/?cid=NET_33_4 8. http://www.comcastsupport.com/tb25/helpsite.asp 9. http://www.comcast.net/privacy/ This mail tells me absolutely jack squat regarding technical details of what supposedly happened. Can I receive a copy of the supposed spam I sent? Nope. And the comcastsupport.com links above are timing out (looks like a webserver issue of some kind; HTTP request is accepted, but the GET request sits there indefinitely. Probably wedged/broken IIS boxes (I see .asp in the URLs!)) The only machine that sends mail -- through Comcast (smtp.comcast.net TCP port 25) -- is my FreeBSD box running postfix. It does not listen on a TCP port, is NAT'd, and there is no public/WAN port forward to it. My postfix transport mapping: # External delivery # ================= # This goes through Comcast's mail server. * smtp:[smtp.comcast.net] I cannot/will not use SMTP AUTH when connecting to a mail server, because postfix (as a client) cannot support SMTP AUTH without Cyrus SASL -- software I do not want anywhere near any machine I administrate. Comcast has indeed applied an ACL blocking my ability to reach smtp.comcast.net on TCP port 25. The below telnet comes from my FreeBSD box at home (e.g. from Comcast's viewpoint they'd see the request come from my WAN IP): $ telnet smtp.comcast.net 25 Trying 76.96.62.117... ^C TCP port 587 works fine: $ telnet smtp.comcast.net 587 Trying 76.96.62.117... Connected to smtp.g.comcast.net. Escape character is '^]'. 220 OMTA10.westchester.pa.mail.comcast.net comcast ESMTP server ready ^] telnet> close I'm likely going to try switching the postfix transport mapping over to use port 587, but I'm not sure if this will work -- if my memory serves me correctly, Comcast requires SMTP AUTH on 587. And I still want a copy of the supposed spam that came from my IP. -- Making life hard for others since 1977. I speak for myself and not my employer/affiliates of my employer.
	to forum · permalink · · 2008-09-03 05:53:43 ·
koitsu Premium join:2002-07-16 Mountain View, CA	Yup, Comcast's mail servers require SMTP AUTH on port 587: Sep 3 02:56:07 icarus postfix/qmgr[883]: EDB0C17B81A: from=<jdc@icarus.home.lan>, size=717, nrcpt=1 (queue active) Sep 3 02:56:08 icarus postfix/smtp[31856]: EDB0C17B81A: to=<user@domain.com>, relay=smtp.comcast.net[76.96.62.117]:587, delay=0.63, delays=0.01/0/0.47/0.15, dsn=5.1.0, status=bounced (host smtp.comcast.net[76.96.62.117] said: 550 5.1.0 Authentication required (in reply to MAIL FROM command)) -- Making life hard for others since 1977. I speak for myself and not my employer/affiliates of my employer.
	to forum · permalink · · 2008-09-03 05:57:42 ·
K Patterson Premium,MVM join:2006-03-12 Columbus, OH	reply to koitsu You won't get a copy because Comcast doesn't have one. Think about the consequences for Comcast if they captured anybody's email for any purpose.
	to forum · permalink · · 2008-09-03 07:24:19 ·
Cabal Premium join:2007-01-21 Boston, MA	reply to koitsu They use the same notice for both spam and when they detect a large number of messages sent during a given period of time. It was probably the latter. You can call up and have the block removed, but you probably want to restructure how much mail you're sending and where. -- Interested in open source engine management for your Subaru?
	to forum · permalink · · 2008-09-03 07:37:14 ·
CleanGene Premium join:2008-04-09 Manassas, VA	said by Cabal : You can call up and have the block removed, but you probably want to restructure how much mail you're sending and where. Quite. My understanding (and someone will surely correct me if I'm wrong) is that the initial block can be lifted without much hassle. However, if abuse is detected again and the block is re-enabled, it will be permanent, and no amount of pleading will remove it.
	to forum · permalink · · 2008-09-03 08:26:41 ·
koitsu Premium join:2002-07-16 Mountain View, CA edit: September 3rd, @08:50AM	said by CleanGene : said by Cabal : You can call up and have the block removed, but you probably want to restructure how much mail you're sending and where. Quite. My understanding (and someone will surely correct me if I'm wrong) is that the initial block can be lifted without much hassle. However, if abuse is detected again and the block is re-enabled, it will be permanent, and no amount of pleading will remove it. Which means I'm not going to ask that the block be removed until Comcast provide me some evidence of said "spamming" or "mass mailing" (which isn't happening either -- I keep a very close eye on my SMTP logs). I want a Message ID, queue ID, Subject line, timestamp of the mail, or SOMETHING I can key off of. Basically, Comcast needs to show me evidence of said problem before I'll believe there is one. Based upon their own web page with the "alternateport" option, it appears to me this is a very common problem.
	to forum · permalink · · 2008-09-03 08:50:15 ·
rugby I think I know it all. VIP join:2000-09-26 Camby, IN ·Callcentric ·Comcast ·ViaTalk ·AT&T Yahoo ·Nuvio	I had the same thing happen to me with my Asterisk PBX and sending out voicemails. Comcast tagged those emails as spam and they just stopped going out one day. The bad part was that I wasn't checking my comcast.net email account so I never knew it was blocking them for a few days when people started emailing me asking why I wasn't returning their messages.
	to forum · permalink · · 2008-09-03 09:19:31 ·
koitsu Premium join:2002-07-16 Mountain View, CA	said by rugby : I had the same thing happen to me with my Asterisk PBX and sending out voicemails. Comcast tagged those emails as spam and they just stopped going out one day. The bad part was that I wasn't checking my comcast.net email account so I never knew it was blocking them for a few days when people started emailing me asking why I wasn't returning their messages. Interesting. I don't use VoIP or any form of local PBX, so in my case, that rules that option out.
	to forum · permalink · · 2008-09-03 09:26:56 ·
koitsu Premium join:2002-07-16 Mountain View, CA	reply to Cabal said by Cabal : They use the same notice for both spam and when they detect a large number of messages sent during a given period of time. It was probably the latter. You can call up and have the block removed, but you probably want to restructure how much mail you're sending and where. Do you feel this constitutes as a "large number of messages"? Note that the numbers are within a 24 hour period. (06:36:00 jdc@icarus) /var/log $ for i in maillog; do ls -l $i; echo -n "Mail sent in above log: " ; bzgrep -c 'relay=smtp.comcast.net.mail accepted for delivery' $i; done -rw-r----- 1 root wheel 76376 3 Sep 06:28 maillog Mail sent in above log: 3 -rw-r----- 1 root wheel 16064 3 Sep 00:00 maillog.0.bz2 Mail sent in above log: 11 -rw-r----- 1 root wheel 16649 2 Sep 00:00 maillog.1.bz2 Mail sent in above log: 31 -rw-r----- 1 root wheel 11853 1 Sep 00:00 maillog.2.bz2 Mail sent in above log: 5 -rw-r----- 1 root wheel 11102 31 Aug 00:00 maillog.3.bz2 Mail sent in above log: 13 -rw-r----- 1 root wheel 13623 30 Aug 00:00 maillog.4.bz2 Mail sent in above log: 12 -rw-r----- 1 root wheel 14918 29 Aug 00:00 maillog.5.bz2 Mail sent in above log: 4 -rw-r----- 1 root wheel 18511 28 Aug 00:00 maillog.6.bz2 Mail sent in above log: 14 -rw-r----- 1 root wheel 16669 27 Aug 00:00 maillog.7.bz2 Mail sent in above log: 25 I'm on hold now with their Abuse department to see if someone knows. The general Tier 1 support folk told me it happens for the reasons you described here, but were unable to tell me what circumstances triggered said issue. After that, they tried to "sell me" on using SMTP AUTH and port 587, to which I asked "Was my use of port 25 the reason for the block?" "No, it definitely wasn't, let me get you over to Abuse so they can get logs for you". I'm still trying to wrap my brain around why SMTP AUTH is required for sending mail through their mail servers on port 587. Internet folks (non-Comcast customers) cannot connect to Comcast's outbound mail servers, and Comcast will always know who sent mail through their servers based on IP number, so I'm baffled at the purpose. If anything, I'm willing to bet it's a miserable attempt to curb spam (running under the assumption that spambots and malware which send spam do not understand how to use SMTP AUTH, and don't have username/password credentials). It's the sign of an ISP who doesn't quite understand the problem...
	to forum · permalink · · 2008-09-03 09:41:24 ·
bigchris Do Not Shoot The Messenger Premium join:2002-04-29 Leesburg, VA ·Vonage edit: September 3rd, @10:07AM	said by koitsu : I'm still trying to wrap my brain around why SMTP AUTH is required for sending mail through their mail servers on port 587. Internet folks (non-Comcast customers) cannot connect to Comcast's outbound mail servers, and Comcast will always know who sent mail through their servers based on IP number, so I'm baffled at the purpose. It's really simple. You need to authenticate to send and to do that you need a valid comcast.net ID and you need to know the password. Plus it'll work on and off the comcast network so for those people that travel with laptops it's a win win. Edit: Since your are familiar with the SMTP protocol, you must also know that the RFCs state 587 requires authentication whereas 25 doesn't, but it supposed to be used only between MTAs whereas 587 is a client submission port.
	to forum · permalink · · 2008-09-03 10:05:16 ·
just4info join:2001-11-13 Rockville, MD	reply to koitsu If you have other PCs running on your network, you may want to check if there is anything running on those that may send bulk emails directly without going through your freebsd box. A friend of mine received the same email and found out he had some unwanted program hijacked one of his PCs to send mails. I'm not suggesting your PC is having virus. But I guess that is what comcast support would ask you to check anyway.
	to forum · permalink · · 2008-09-03 10:08:10 ·
koitsu Premium join:2002-07-16 Mountain View, CA	said by just4info : If you have other PCs running on your network, you may want to check if there is anything running on those that may send bulk emails directly without going through your freebsd box. A friend of mine received the same email and found out he had some unwanted program hijacked one of his PCs to send mails. I'm not suggesting your PC is having virus. But I guess that is what comcast support would ask you to check anyway. Such isn't the case. I have outbound ACLs applied on my gateway (router), which do not permit any outbound packets to TCP ports 25, 110, 465, 587, and 993. The ACL allows a single IP address on my LAN -- the above FreeBSD box running postfix -- to send outbound packets to any of those ports. Meaning: let's say I have a wireless network and someone somehow compromises it, gaining access to my local network, and that person uses a computer that sends out spam or has viruses of some kind. There's absolutely no way this would work due to the ACL. If they configured their mail client to use my local FreeBSD box as their SMTP server, that would work -- however, I'd have evidence of it in my SMTP logs, which I do not. To my knowledge, there are no viruses or malware applications that can affect FreeBSD, and the machine is definitely not compromised (I rebuilt world/kernel literally last night).
	to forum · permalink · · 2008-09-03 10:14:08 ·
koitsu Premium join:2002-07-16 Mountain View, CA	reply to bigchris said by bigchris : said by koitsu : I'm still trying to wrap my brain around why SMTP AUTH is required for sending mail through their mail servers on port 587. Internet folks (non-Comcast customers) cannot connect to Comcast's outbound mail servers, and Comcast will always know who sent mail through their servers based on IP number, so I'm baffled at the purpose. It's really simple. You need to authenticate to send and to do that you need a valid comcast.net ID and you need to know the password. Plus it'll work on and off the comcast network so for those people that travel with laptops it's a win win. Ah ha! That explains it! Thanks for cluing me in here. I was under the impression Comcast only permits Comcast IPs to connect to smtp.comcast.net (regardless of port #). That is obviously not the case. The below telnets were done from our co-located servers: $ telnet smtp.comcast.net 25 Trying 76.96.30.117... Connected to smtp.g.comcast.net. Escape character is '^]'. 220 OMTA10.emeryville.ca.mail.comcast.net comcast ESMTP server ready QUIT 221 2.0.0 OMTA10.emeryville.ca.mail.comcast.net comcast closing connection Connection closed by foreign host. $ telnet smtp.comcast.net 587 Trying 76.96.30.117... Connected to smtp.g.comcast.net. Escape character is '^]'. ^] telnet> close Connection closed. What I'm saying: if Comcast provided customer-only (e.g. you must be on the Comcast IP network to use these) SMTP servers, they wouldn't need SMTP AUTH for said clients. Edit: Since your are familiar with the SMTP protocol, you must also know that the RFCs state 587 requires authentication whereas 25 doesn't, but it supposed to be used only between MTAs whereas 587 is a client submission port. Bzzt. Read the RFC yourself, Sections 6.1 through 6.4 -- specifically, the use of the word MAY. Meaning: requiring authentication on port 587 is optional. It's entirely up to the mail server administrator. By default most mail servers (postfix, exim, sendmail) require SMTP AUTH, but you simply change the said flag to "no" and voila, it acts just like port 25.
	to forum · permalink · · 2008-09-03 10:22:38 ·
bigchris Do Not Shoot The Messenger Premium join:2002-04-29 Leesburg, VA ·Vonage	said by koitsu : Ah ha! That explains it! Thanks for cluing me in here. I was under the impression Comcast only permits Comcast IPs to connect to smtp.comcast.net (regardless of port #). That is obviously not the case. The below telnets were done from our co-located servers: What I'm saying: if Comcast provided customer-only (e.g. you must be on the Comcast IP network to use these) SMTP servers, they wouldn't need SMTP AUTH for said clients. Edit: Since your are familiar with the SMTP protocol, you must also know that the RFCs state 587 requires authentication whereas 25 doesn't, but it supposed to be used only between MTAs whereas 587 is a client submission port. Bzzt. Read the RFC yourself, Sections 6.1 through 6.4 -- specifically, the use of the word MAY. Meaning: requiring authentication on port 587 is optional. It's entirely up to the mail server administrator. By default most mail servers (postfix, exim, sendmail) require SMTP AUTH, but you simply change the said flag to "no" and voila, it acts just like port 25. And if you look at the ISPs you are going to find nearly all of them require AUTH on 587. The RFC was written to provide the option since it's intended to move mail clients away from using port 25, but, most implementations are using it also as a way to authenticate. As to your other point of Comcast IP only SMTP servers, that doesn't help with bot'd computers, hence the requirement to authenticate which takes out large numbers of abusive connections i.e. spam.
	to forum · permalink · · 2008-09-03 10:50:36 ·
koitsu Premium join:2002-07-16 Mountain View, CA edit: September 3rd, @11:31AM	reply to koitsu Okay, so I just got off the phone with their Abuse folks (about a 30 minute conversation). They were slightly helpful, and very rigid to talk to (no surprise there, I've worked at many ISPs in my life and Abuse requires very stern, borderline cold personalities). First thing first: Comcast will not provide me any logs or extensive technical details regarding what actually triggered the event. They specifically reserve the right to not hand that information over to you. I worked at Hotmail, so I know this rule quite well. Second: the Abuse rep. told me the exact same thing Tier 1 and Cabal did -- there's a series of things that can trigger the block. Compromised machines on the network sending malicious packets with a destination port of 25, reports of malicious activity or spamming/malware distribution, or massive amounts of mail being sent within a 24 hour period. Third: the rep was kind enough to disclose two pieces of information: 1) the incident occurred on September 2nd, and 2) the "modem level block" was put in place as a result of an Internet or Comcast user reporting that my IP was sending spam. The first thing I did was check my modem logs to see if there was anything suspicious there. I found the following: 2008-09-02 23:54:166-NoticeM573.0Modem Is Shutting Down and Rebooting... 2008-09-02 23:54:163-CriticalÔ7954.20Resetting the cable modem due to docsDevResetNow I believe this is the timestamp of when Comcast put the modem level block for port 25 in place. Next, I went through my SMTP logs for the 2nd, and all of my outbound mail through smtp.comcast.net:25 was to FreeBSD developer mailing lists -- there was nothing odd or unsolicited. I discussed this fact with the rep., who then tried to divert focus. "The block can also happen if you send out mails to more than 1000 recipients in the course of 24 hours. You said you sent 11 mails, but how many recipients?" Grepping logs showed that of those 11 mails I sent, they were sent to a total of 11 unique addresses. Remember, these are mail server logs; if I was to send a single mail with 500 people in the CC list, the mail server log would show all of those 500 unique addresses. Next, the rep. and I went round and round for a bit about this whole thing. Eventually he settled on trying to convince me that I should change my postfix configuration over to use port 587. This completely confused me, and here's why: I was told not more than 10 minutes prior that the reason the block was put in place was because of someone reporting to Comcast that I sent spam. So I asked him, "Does the port number I use for my outbound mail on smtp.comcast.net influence how you handle reports of spam? Because to me, spam is spam, regardless of what SMTP port it was sent through". Shockingly, I was told point blank: yes, Comcast does in fact care what port number you use for your outbound mail, and they also care if you already have a block put up on port 25 (implying that by having that block in place, Comcast is more lax with you -- really!). Without getting into the semantics, the rep more or less disclosed that Comcast is significantly less anal about what is considered spam if the customer is using port 587. He also added "You seem awfully familiar with the SMTP protocol", which is when I explained I'm a UNIX administrator of 15+ years, so it's part of my job to be familiar. The logic here baffles my mind. funchords would have a field day with this. That said, I reluctantly agreed to get my postfix configuration working with port 587 (which means I am going to have to install Cyrus SASL. Grrrrrr...). Upon mentioning that, the rep. told me "Oh, by the way, we also have port 465 open, which is SMTP over SSL". I also told him to keep the port 25 block in place, as there really isn't any point in removing the block, since it sounds like Comcast "tags" you as a higher risk person (somehow) if you're using that port vs. 587. Port 465 may be what I go with, but ultimately depends on whether or not it requires SMTP AUTH. If so, then 465 or 587 -- doesn't matter. If not, awesome, problem solved! EDIT: Port 465 (which with postfix requires stunnel) also requires SMTP AUTH. Bummer. So back to the logs I went, trying to figure out what happened... Lo and behold, I found the very last Email I sent that evening (dated September 2nd, 21:23:49 PDT), which I personally sent to an individual who was more or less anti-Comcast trolling (referring to Comcast users as "Joe Six-packs") on the ISOTF Outages mailing list, somehow thinking Cox filtering ICMP packets had something to do with Comcast. The mail I sent pointed out the mistakes in his bizarre argument. I speculate what actually happened is said individual forwarded my mail to Comcast Abuse as a form of retaliation, which Abuse handled identically to a spam complaint. It's the only thing I sent that even remotely could get Comcast Abuse involved. Purely speculative, but it's all I have to go on at this point. EDIT: I just received a mail from said ISOTF mailing list individual; he was incredibly apologetic for his initial mail to me and odd/awkward claims. I'm completely out of ideas. Comcast's reluctance to work with me to track down their claim is disheartening. :-( Regardless, I've got postfix up and working using Cyrus SASL + SMTP AUTH against smtp.comcast.net:587. Here's to hoping they don't block that... -- Making life hard for others since 1977. I speak for myself and not my employer/affiliates of my employer.
	to forum · permalink · · 2008-09-03 10:56:42 ·
goahead join:2008-09-03	While I agree its silly what they did, the first two sentences in yor post are terribly self-centered.
	to forum · permalink · · 2008-09-03 11:24:58 ·
koitsu Premium join:2002-07-16 Mountain View, CA	said by goahead : While I agree its silly what they did, the first two sentences in yor post are terribly self-centered. Thanks for the constructive criticism; I'll take it into mind.
	to forum · permalink · · 2008-09-03 11:28:44 ·
bigchris Do Not Shoot The Messenger Premium join:2002-04-29 Leesburg, VA ·Vonage	reply to koitsu Comcast will not provide you the logs or evidence of why you were blocked. Having worked at hotmail you can understand why, it's not only an issue of storing private information but also a question of subscriber base size. It would simply be impossible to provide that evidence for the size of user-base. Comcast treat spam over any port with equal distaste, despite what the abuse rep said. However, with port 25 being open with no AUTH requirement it's significantly easier for a spammer to utilize that port rather than 587 or 465. The reason is obvious and it's that they need to know a valid username and password which requires a lot more work on their end. Finally, you are probably right in the cause of the block. i.e. you were reported as sending spam. Just move to 587 with AUTH (or 465 AUTH and SSL if you can).
	to forum · permalink · · 2008-09-03 11:40:48 ·
goahead join:2008-09-03	reply to koitsu said by koitsu : said by goahead : While I agree its silly what they did, the first two sentences in yor post are terribly self-centered. Thanks for the constructive criticism; I'll take it into mind. :) I didn't mean it in an insulting way either, just pointing it out in case you get attacked for your knowledge.
	to forum · permalink · · 2008-09-03 11:46:18 ·
koitsu Premium join:2002-07-16 Mountain View, CA	said by goahead : said by koitsu : said by goahead : While I agree its silly what they did, the first two sentences in yor post are terribly self-centered. Thanks for the constructive criticism; I'll take it into mind. :) I didn't mean it in an insulting way either, just pointing it out in case you get attacked for your knowledge. I didn't take it as an insult, and didn't intend my reply to be of a snarky nature either. (I really was serious when I said thanks for the constructive criticism!)
	to forum · permalink · · 2008-09-03 12:31:17 ·


Tuesday, 02-Dec 07:21:30	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 9 years online! © 1999-2008 dslreports.com. page compression OFF