[Spam] Comcast reporting spam from my IP in Comcast HSI

Re: [Spam] Comcast reporting spam from my IP

Wed, 10 Sep 2008 18:41:39 EDT

KookyMan : The sad thing Koitsu, if you push that by providing logs of your mail server/etc, they will probably crack on you for running a mail server since that's "obviously not consumer use" (despite the fact that us geeks DO use servers in our residential environment.) Yes, I know its semantics since they aren't "public" servers, but you get what I'm prodding at.

Re: [Spam] Comcast reporting spam from my IP

Wed, 10 Sep 2008 11:52:23 EDT

koitsu :

said by bigchris :

Koitsu, I said your speculations weren't accurate, I didn't say that the Abuse dept lied to you.

We will not block your port 587 or 465. You need to authenticate to use those ports so in effect you are saying it's you that sent the mail.

Now if it turns out you have or ever are trojan'd and we deem it significant enough to warn you, we'll contact you directly via the phone. We've done this in the past many times when it's clear a customer has a serious problem.

Can we end this now please?

No, because this just induces even more questions.

What you're telling me in the above paragraphs is essentially the following: "if you use SMTP AUTH to authenticate yourself with our mail servers, regardless of port #, then we won't block you".

None of this explains what caused Comcast to 1) suddenly block outbound TCP port 25, and 2) tell me that I sent spam through their mail servers on September 2nd.

Why did Comcast not simply send me an Email stating "we see you are using smtp.comcast.net port 25 without authentication. You need to use authentication to utilise our mail servers. To force you into doing that, we've put up a block on port 25. You'll need to use ports 587 or 465, which require authentication, from this point on"?

Why did the Support (not Abuse) rep. I spoke to not tell me that? Why didn't the Abuse rep. tell me that?

Finally: yes, of course I "sent the mail", if by "sent the mail" you mean the 11 I sent on September 2nd. I already admitted to sending all 11 of those (non-spam) mails, through smtp.comcast.net:25. I'm telling you flat out, NONE of those mails are spam. I can gladly send you, or any other Comcast rep., all 11 of those mails, as well as all 11 log entries in my mailserver, and you can cross-reference the timestamps and the mail queue IDs. Like I said, *I* have evidence/proof that I did not send any spam, but Comcast is not willing to work with me to try and figure out what really happened.

Or was what I was told (re: "you sent spam") a lie, and it was really just an attempt to get me to use SMTP AUTH? If so, no problem -- just say that!

Re: [Spam] Comcast reporting spam from my IP

Wed, 10 Sep 2008 11:38:10 EDT

bigchris : Koitsu, I said your speculations weren't accurate, I didn't say that the Abuse dept lied to you.

We will not block your port 587 or 465. You need to authenticate to use those ports so in effect you are saying it's you that sent the mail.

Now if it turns out you have or ever are trojan'd and we deem it significant enough to warn you, we'll contact you directly via the phone. We've done this in the past many times when it's clear a customer has a serious problem.

Can we end this now please?

Re: [Spam] Comcast reporting spam from my IP

Wed, 10 Sep 2008 10:36:26 EDT

koitsu :

said by bigchris :

Koitsu, Funchords, I didn't want to let this sit and become gospel truth because it isn't addressed.

Koitsu, I can assure you that your speculations are not accurate.

Funchords, your comment about sending rates that will get you labeled as a spammer as not accurate either, they are simply limits.

I want to believe you bigchris , but the fact of the matter still stands: Comcast applied an outbound block on my modem for TCP port 25 due to "a report of spam", yet cannot actually provide me any evidence of it happening -- because all the evidence I have shows no such thing. My evidence shows there was no outbound SMTP spam sent from my connection on, or even around, September 2nd.

Why this matter concerns me so much:

Based on what you've told me earlier in this thread, what the Abuse individual stated isn't accurate -- what port you send mail through makes no difference regarding how Comcast handles spam reports.

This means that the *exact same situation could happen again*, which could in fact result in either 1) my inability to send mail from my Comcast service entirely (e.g. 25, 465, and 587 all get blocked), or 2) possibly termination of my service.

THAT is why I'm so concerned. I don't want it to happen again, and for that to happen, I need to know *details*, and work with someone, sharing evidence and being fair about it.

This *also* makes me question whether or not the Abuse person was telling me the truth when it came to his claim that the block was put in place "because of Comcast receiving a report of my IP sending spam".

It's to the point where I'd even be willing to sign an NDA (stopping further discussion on my part regarding this problem) just so I could get details on what happened. I realise this latter will probably make some forum folks say "Great dude, real great, just give in to the system and be a drone", but I'm trying to be reasonable, and I am worried for the above two reasons.

In no way shape or form am I complaining just for the sake of doing so -- I really am concerned/worried this situation will happen again.

Re: [Spam] Comcast reporting spam from my IP

Wed, 10 Sep 2008 09:16:44 EDT

bigchris : Koitsu, Funchords, I didn't want to let this sit and become gospel truth because it isn't addressed.

Koitsu, I can assure you that your speculations are not accurate.

Funchords, your comment about sending rates that will get you labeled as a spammer as not accurate either, they are simply limits.

Re: [Spam] Comcast reporting spam from my IP

Wed, 10 Sep 2008 00:24:33 EDT

funchords : A couple of years ago, someone decided that they could save Comcast money at the abuse desk and dreamed up this dominoes cum chutes and ladders method to replace some of the workload.

It's now part automaton, part scripted, part Sandvine (yes, that Sandvine), part server, part reputation score and the people that support it -- good people -- get a bit overwhelmed due to the strange set of rules that apply (a user is a spammer if he sends 11 mails in 10 minutes of 9 lines or more using 8 from addresses or 7 blank lines at the end).

Rather than admit mistake, an overwhelmed and powerless employee in certain anti-customer cultures do not respond by admitting surprise or enlightenment, they rather maintain their frustratingly defenseless position despite evidence, despite debate, despite conclusive judgments to the contrary. Powerless over the situation, there is no professional curiosity, nor co-ownership of the customer's problem. Criticism doesn't lead to change there, it leads to entrenchment.

The report, faked or forged? -- regardless. There are two active threads, one right next to each other. Comcast called both OP's "spammers." One guy sends 500 messages, perhaps UCE (perhaps double opt-in, we just don't know) but certainly not the spam problem common to the Internet. The other guy is you. Comcast cut you both off. If cutting the two of you off is fighting spam, then Comcast is bringing squirt guns to a forest fire.

And in both threads, helpful people (and sincerely so) trying to explain why what happened happened -- lost in the technical detail of what tripped what without regard to the view from just a few steps farther away: good customers are getting bad experiences. That's okay, it's just justifiable as "collateral damage" in a war to help ensure "a good experience for most of our users."

I, for one, am sick of it.

These aren't Freebie NetZero accounts. This isn't Hotmail (sorry). This is paid-for premium Internet service! Customers deserve better.
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon
More features, more fun, Join BroadbandReports.com, it's free...

Re: [Spam] Comcast reporting spam from my IP

Tue, 09 Sep 2008 23:15:09 EDT

koitsu :

said by funchords :

But, please, calling koitsu a spammer is not customer support and nobody should be trying to explain why he should just live with it. It's a sign that something is broken and needs to be fixed.

Thanks, your sentiments are greatly appreciated.

The part that frustrates me (and I apologise in advance if this sounds narcissistic): I'm the perfect candidate to work with Comcast to get this fixed. This is where having a good technical skill set comes into play.

I understand that by this point most of the support reps are probably attuned to "What is a trojan?? What do you mean my computer sent spam?? I just want my mail to work!" responses from customers. But I'm not one of those, and I did my best to make the Abuse guy aware of that fact (and he did acknowledge it). I was hoping it would establish a sense of trust.

It does appear that the reasoning behind why Comcast doesn't "work more with customers" on issues like this is because of either managerial red tape (paranoia), or legal aspects. I understand the "they don't provide details to minimise retaliation" aspect, and I can see the justification in that. But there needs to be some common ground established between the customer and the provider.

My reasons for being wary/untrustworthy at this point, I feel, are justified. I sincerely believe at this point, one of these is what's happening here. This is purely speculative, just for the record:

1) Outound mail (sent through Comcast's mail servers) are scanned on Comcast's systems using spam analysis software, and if the mail receives a high score, sets a "red flag" somewhere with Abuse/whomever to put an ACL on the account.

Along those same lines, maybe they use something like log analysis software and saw that within X number of minutes or seconds I sent X number of mails, and that caused a "red flag". This type of system is very common, and needs to be tuned appropriately to get accurate results; too sensitive and situations like this happen.

2) My use of smtp.comcast.net port 25, without SMTP AUTH, flagged me within Comcast as a "possible spammer". Of course I've been using this method for years, so I'm not sure what would have caused Comcast to get sensitive about it *now*.

3) An Abuse person at Comcast received either a falsified report of spam (e.g. modified Received: headers) and simply assumed what was shown to be true.

If this is how the process works, this is very, very bad. I want to believe the Abuse folks are able to go onto the Comcast SMTP servers and verify that the Comcast IP did in fact sent the mail, AND that the mail queue IDs match. How do I know they're doing that and not just blindly trusting what some Internet jhonka sends them? (This is why I said an experiment would be interesting.)

4) An Abuse person at Comcast received a legitimate spam complaint, but misread or typo'd the IP in the Received headers, causing them to go on a wild goose chase. "Oh look, this guy is using smtp.comcast.net port 25 with no authentication!", even though the report may not have been about me.

I can spend the rest of my life speculating, I'm sure. :-) It doesn't diminish the fact that this exact situation will happen to someone else. I'd love to work with Comcast to figure out what happened here, but their hands appear tied as I said before.

Re: [Spam] Comcast reporting spam from my IP

Tue, 09 Sep 2008 23:08:55 EDT

madylarian :

said by K Patterson :

I don't understand, perhaps because I really don't know what listwashing is. Can you explain a little more?

thanks,

Listwashing means that the complaining addresses are removed from the spammer's list and the spammer just keeps on spamming because most people just delete rather than complain.

mady
--
Honi soit qui mal y pense

Re: [Spam] Comcast reporting spam from my IP

Tue, 09 Sep 2008 22:47:32 EDT

koitsu :

said by NormanS :

said by koitsu :

I'm still trying to wrap my brain around why SMTP AUTH is required for sending mail through their mail servers on port 587. Internet folks (non-Comcast customers) cannot connect to Comcast's outbound mail servers, and Comcast will always know who sent mail through their servers based on IP number, so I'm baffled at the purpose.

EDIT: Oops! :-) I completely misunderstood what you were saying here, Norman. I realise now you were talking about non-Comcast IPs being able to talk to smtp.comcast.net (presumably used for Comcast customers on laptop who roam, and don't want to have to change their mail client settings every time).

Everything you said is understood.

Re: [Spam] Comcast reporting spam from my IP

Tue, 09 Sep 2008 22:45:11 EDT

koitsu :

said by K Patterson :

It would be interesting to have the viewpoint of an attorney re: the situation you cite. My suspicion is that Comcast's attorneys have told Comcast to not forward the complaint mail.

In any case what you are asking is a horrendous task on a system of Comcast's size.

Wrong -- it's in absolutely no way shape or form a "horrendous task".

Comcast human beings already have to handle spam complaints by hand. That means they get a full copy of the *entire mail*, including the body of the text. Someone has to read it -- I don't see it as a privacy invasion at all.

I'd like to ASSUME they look at the mail headers closely, and spend the time doing it right. Since they're already looking at the headers, is it really THAT HARD to put them in a ticket or as a note on your account? No. As someone who works in a NOC, I can assure you that degree of effort takes about 10 seconds.

Take my situation for example: **one single report of spam** resulted in them applying a network block. ONE. I know for a fact I didn't spam, and my own home network outbound ACLs ensure anyone using my network can only send mail through my FreeBSD box. So when I look at my FreeBSD box logs and see a series of mails dated when Comcast said the violation was performed, and none of them even remotely resemble spam, the only way you'll be able to debunk the issue is with Comcast's cooperation.

Re: [Spam] Comcast reporting spam from my IP

Tue, 09 Sep 2008 22:37:53 EDT

koitsu :

said by KookyMan :

I think what I'm going to do is reroute smtp.comcast.net on my in-house DNS to point at my local linux system and see if it collects mail trying to go out... Does this sound like something that might work?

It's possible, but not via DNS. I can explain (if you have a UNIX box on your local network and a UNIX box somewhere elsewhere on th Internet) how to set up a transparent tunnel between the two, specifically for Internet-bound mail your local UNIX machine tries to send (via sendmail/postfix/exim/whatever), but this isn't the same as using DNS to magically point smtp.comcast.net to your local Linux box.

Re: [Spam] Comcast reporting spam from my IP

Tue, 09 Sep 2008 22:09:41 EDT

K Patterson :

said by funchords :

said by madylarian :

I can think of a very good reason not to forward complaint emails. Retaliation.

There is that, but the main reason is to prevent listwashing.

I don't understand, perhaps because I really don't know what listwashing is. Can you explain a little more?

thanks,

Re: [Spam] Comcast reporting spam from my IP

Tue, 09 Sep 2008 20:07:30 EDT

funchords :

said by madylarian :

I can think of a very good reason not to forward complaint emails. Retaliation.

There is that, but the main reason is to prevent listwashing.
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon
More features, more fun, Join BroadbandReports.com, it's free...

Re: [Spam] Comcast reporting spam from my IP

Tue, 09 Sep 2008 20:05:29 EDT

funchords :

said by koitsu :

The logic here baffles my mind. funchords would have a field day with this.

Yeah, I'm reading.

Comcast needs to fish or cut bait. This is intolerable to people like us. The only reason it's tolerated at all is because most users these days think that email is something they get from a website.

I admire Comcast for being one of the last, great holdouts for blocking TCP 25 outbound. They made the right and best decision against enormous pressure. However, the implementation is screwed up somewhere and if they're unwilling to spend the money to fix it, then they should just wave the white flag and make the block across the board and then let select technically-informed users opt-out.

koitsu has been more then reasonable. He's not getting customer support, he's getting corporate arrogance. One complaint doesn't make him a spammer (didn't anyone SEE how few emails that he sent?). Nobody can be sure, and Comcast shouldn't rat out someone who sent in a complaint -- but Comcast, are you sure Koitsu emailed the message or was it remailed by the listserv? If so -- then this is between the listserv admin and the complainer, and you shouldn't get involved.

Anyway -- that's this incident. I keep reading incident after incident after incident of bungled or questionable mail administration around the control of outgoing spam. User errors or user neglect is probably responsible for half of these. But where is the discretion, that human factor, in handling the other half? That's the saddening, maddening pattern that frustrates me.

Spam is tough. There's no "field day" here -- I feel for both sides of this very tough issue. What I have no patience for is people treating others as less than deserving of respect and dignity. Call me old-fashioned, but if more people cared for one another, it would be a brighter world.

If Comcast is going to stand by their decision to block outbound 25 as a reactive measure, then technically capable Comcast users ought to continue to applaud that. I know that I never wanted my Internet access to have a PlaySkool interface. Let AOL have those "See Spot run!" customers. But, please, calling koitsu a spammer is not customer support and nobody should be trying to explain why he should just live with it. It's a sign that something is broken and needs to be fixed.
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon
More features, more fun, Join BroadbandReports.com, it's free...

Re: [Spam] Comcast reporting spam from my IP

Tue, 09 Sep 2008 18:42:40 EDT

NormanS :

said by odog :

senderbase also gives a "score" about how much spam has been received from the particular IP. It more importantly will list if he is one of the large blacklists for whatever reason.

What does his IP address have to do with anything?!?!? He is sending through 'smtp.comcast.net'. The only thing which a gateway mail server should concern itself with is the IP address of 'smtp.comcast.net'. The Comcast user's IP address is not a part of the equation.

Look; just because I am running an MTA, doesn't meant my ISP IP address is connecting to gateway mail servers when I send out email. Neither his Comcast connection, nor my AT&T connection are a part of the equation! When we send through our respective ISP SMTP message submission servers, our IP addresses should be treated no different than any other users IP address while going through those servers.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

Re: [Spam] Comcast reporting spam from my IP

Tue, 09 Sep 2008 18:14:49 EDT

odog :

said by NormanS :

said by odog :

Check your IP here

www.senderbase.org

To what end? He is sending from his IP address only to the Comcast SMTP message submission server. Comcast is only going to be concerned with whether he is an authenticated Comcast user, and acting within the limitations of the Comcast Terms of Use. Message submission servers shouldn't care about that Senderbase data.

senderbase also gives a "score" about how much spam has been received from the particular IP. It more importantly will list if he is one of the large blacklists for whatever reason.

Re: [Spam] Comcast reporting spam from my IP

Tue, 09 Sep 2008 17:57:49 EDT

K Patterson : I hadn't thought of that, good point!

My guess is that Comcast managerial types want nothing to do with any possibility that someone else's email is anywhere on one of their ahrd drives. Just too much exposure in our presently litigious society.

Re: [Spam] Comcast reporting spam from my IP

Tue, 09 Sep 2008 17:43:52 EDT

madylarian :

I can think of a very good reason not to forward complaint emails. Retaliation.

mady
--
Honi soit qui mal y pense

Re: [Spam] Comcast reporting spam from my IP

Tue, 09 Sep 2008 17:16:41 EDT

NormanS :

said by K Patterson :

I've not seen a case where malware used the ISP's server. That's why port 25 blocks work.

I have. Several spam items from 'nlpi0nn.prodigy.net', where some spammer has hijacked an 'at&t Yahoo! HSI' user's account information. Ironically, using Comcast user's compromised computers in a 'bot herd to send through 'smtpauth.sbcglobal.net' (or one of the other aliases), and using the stolen AT&T account credentials to authenticate to the server. Reported through Spamcop.net; the reports actually went to Comcast abuse, but the AT&T servers will, eventually, be blocked.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

Re: [Spam] Comcast reporting spam from my IP

Tue, 09 Sep 2008 17:11:17 EDT

NormanS :

said by odog :

Check your IP here

www.senderbase.org

Re: [Spam] Comcast reporting spam from my IP

Tue, 09 Sep 2008 16:58:58 EDT

NormanS :

Actually, we can connect to 'smtp.comcast.net'. And, if we have Comcast account login information, we can even use those servers ("we" being people with non-Comcast IP addresses).

AFAIK, Comcast ACL determines whether authentication will be required on a port 25 connection, or not. However, authentication on a port 587 connection is an option, per RFC 2476, and designed to allow off-network access to the server.

P.S. Here are the headers of a test message I sent using 'smtp.comcast.net:25' from my 'at&t Yahoo! HSI' connection. I had my sister enter her Comcast UserID+Password into MS Outlook Express 6 for this test (I removed it, as well, all under her observation and supervision):

X-Message-Delivery: Vj0zLjQuMDt1cz0wO2w9MDthPTA=X-Message-Status: n:0X-SID-PRA: Nobody Special <%User_ID%@aosake.net>X-Message-Info: R00BdL5giqo1XTLaUChNahr175TMsC/S6KjB9zol3BfaZjQnKq4vtqAE8fBRtHbzFTAz1iLNjpcbUMUgyWDIO+3D5UnquTTyReceived: from QMTA09.emeryville.ca.mail.comcast.net ([76.96.30.96])         by bay0-mc6-f4.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);         Tue, 9 Sep 2008 13:28:33 -0700Received: from OMTA13.emeryville.ca.mail.comcast.net ([76.96.30.52])        by QMTA09.emeryville.ca.mail.comcast.net with comcast        id Cb9C1a00717UAYkA9kUZhG; Tue, 09 Sep 2008 20:28:33 +0000Received: from KOZUE ([69.110.229.74])        by OMTA13.emeryville.ca.mail.comcast.net with comcast        id CkUQ1a00G1cxMfH8ZkUSfP; Tue, 09 Sep 2008 20:28:31 +0000X-Authority-Analysis: v=1.0 c=1 a=rwb31lBxJdAA:10 a=o3u4MYfcgxoLfIYezdIA:9 a=fKLyDDUhjBpPOlrBXQ4dt01VxLUA:4 a=LY0hPdMaydYA:10 a=gRn_d5DV6HbZut_hC3EA:9 a=Z7eiLN8CKFuq9b8dRLEA:7 a=FT8Wqm9bYy5vJwRVAAiudS4QW68A:4 a=AfD3MYMu9mQA:10Message-ID: <F66CDFE82D3B432C9DD161F97F9C3AB1@KOZUE>Reply-To: "%User_ID% Special" <%User_ID%@pacbell.net>From: "Nobody Special" <%User_ID%@aosake.net>To: <%User_ID%@msn.com>Subject: [TEST] Just checkingDate: Tue, 9 Sep 2008 13:28:16 -0700MIME-Version: 1.0Content-Type: multipart/alternative;        boundary="----=_NextPart_000_0004_01C9127F.EAEF07D0"X-Priority: 3X-MSMail-Priority: NormalX-Mailer: Microsoft Outlook Express 6.00.2900.5512X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579Return-Path: %User_ID%@aosake.netX-OriginalArrivalTime: 09 Sep 2008 20:28:33.0614 (UTC) FILETIME=[A14C9EE0:01C912BA]

Apologies for duplicate information. I was waiting on my sister to finish up doing girl stuff in preparation for an outing, so I didn't get the authorization for testing, or read on, until later in the cycle.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

Re: [Spam] Comcast reporting spam from my IP

Tue, 09 Sep 2008 12:03:45 EDT

K Patterson : It would be interesting to have the viewpoint of an attorney re: the situation you cite. My suspicion is that Comcast's attorneys have told Comcast to not forward the complaint mail.

In any case what you are asking is a horrendous task on a system of Comcast's size.

Re: [Spam] Comcast reporting spam from my IP

Tue, 09 Sep 2008 11:38:26 EDT

KookyMan : Intercepting, no. However if an email was forwarded to Comcast and reported as spam (I don't think anyone sane would accept an email that simply reads: "I got spam for x.x.x.x, fix it".) They have already been provided a copy of the message. That would not require them to track any outbound mail.

I would like to see them provide me with the forwarded mail, after all it is being alleged that the message did come from me, and I've already been told effectively that I'm guilty, why can I not see the evidence?

I did ask the important question, as I do send mail from multiple accounts through Comcast (because I have to obviously), was the flag a result of an automated system or was it an actual report, and was told it was a report.

Is this really such a big deal to request? I feel like I've been accused and there's nothing I can do. "You did it, your in trouble, we don't have to give you anything.. Guilty!"
--
I miss my dial-up modem... It was an error correcting modem... I seem to have so many typo's lately.....

Re: [Spam] Comcast reporting spam from my IP

Tue, 09 Sep 2008 11:02:57 EDT

K Patterson :

said by KookyMan :

:

I think what I'm going to do is reroute smtp.comcast.net on my in-house DNS to point at my local linux system and see if it collects mail trying to go out... Does this sound like something that might work?

I doubt it. If you have malware, it is acting as its own mailserver, using poprt 25 to send mail to other servers. I've not seen a case where malware used the ISP's server. That's why port 25 blocks work.

With respect to providing you with information, do you really want Comcast intercepting your email? Almost certainly a criminal act for them to do so.

Re: [Spam] Comcast reporting spam from my IP

Tue, 09 Sep 2008 10:40:51 EDT

KookyMan : I think its unnerving that they are unwilling to provide information.

For first time offenders, it is not a substantial amount of data to keep the "reported" email if you have been alleged as sending spam. Text is very compressible.

Sure if you have someone who is a repeat offender, ditch the evidence, or if you get say 999 messages that are classed as spam, fine. But if it's one or two, there is no reason you can't save it. Or at least the headers. Or the body. Right now I'd be happy for either. Why? Simple:

Right now I have a lot of work ahead of me to go through all my systems to determine if a breech has occurred, which may not be true. This is like looking for a needle in a haystack (4 in my case) and there might not even be a needle to find! Why would headers help me? Because I could see definitively that the email originated from my IP. I could see the "From" line to determine if it was one of my accounts (and ergo may Not be real spam but a misunderstanding) or if its from a invalid ID. If I could see the body, I could again determine if it was one of my emails that was misunderstood or if it was something I've never seen before.

I think what I'm going to do is reroute smtp.comcast.net on my in-house DNS to point at my local linux system and see if it collects mail trying to go out... Does this sound like something that might work?
--
I miss my dial-up modem... It was an error correcting modem... I seem to have so many typo's lately.....

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 13:19:03 EDT

odog : Check your IP here

www.senderbase.org

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 12:53:29 EDT

bigchris : I'm not going to comment on what we would or wouldn't do, but I guess I'd question why you'd want to bother with it. You now have a working solution so why mess with it.

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 12:36:24 EDT

koitsu :

said by bigchris :

Comcast will not provide you the logs or evidence of why you were blocked. Having worked at hotmail you can understand why, it's not only an issue of storing private information but also a question of subscriber base size. It would simply be impossible to provide that evidence for the size of user-base.

Comcast treat spam over any port with equal distaste, despite what the abuse rep said. However, with port 25 being open with no AUTH requirement it's significantly easier for a spammer to utilize that port rather than 587 or 465. The reason is obvious and it's that they need to know a valid username and password which requires a lot more work on their end.

Finally, you are probably right in the cause of the block. i.e. you were reported as sending spam.

Just move to 587 with AUTH (or 465 AUTH and SSL if you can).

*nod* Thanks for the clarification. I've migrated to prt 587 (postfix + Cyrus SASL for SMTP AUTH). Port 465 is a pain due to extra reliance on stunnel, since postfix doesn't natively support port 465 any longer.

An interesting experiment -- and I am not condoning or advocating this in any way, as it's shady -- would be to send Comcast some mails with forged Received: headers to see if they rely solely on the report, or if they do go back through SMTP server logs to correlate the claims.

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 12:31:17 EDT

koitsu :

said by goahead :

said by koitsu :

said by goahead :

While I agree its silly what they did, the first two sentences in yor post are terribly self-centered.

Thanks for the constructive criticism; I'll take it into mind.

:) I didn't mean it in an insulting way either, just pointing it out in case you get attacked for your knowledge.

I didn't take it as an insult, and didn't intend my reply to be of a snarky nature either. (I really was serious when I said thanks for the constructive criticism!) :-)

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 11:46:18 EDT

goahead :

said by koitsu :

said by goahead :

While I agree its silly what they did, the first two sentences in yor post are terribly self-centered.

Thanks for the constructive criticism; I'll take it into mind.

:) I didn't mean it in an insulting way either, just pointing it out in case you get attacked for your knowledge.

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 11:40:48 EDT

bigchris : Comcast will not provide you the logs or evidence of why you were blocked. Having worked at hotmail you can understand why, it's not only an issue of storing private information but also a question of subscriber base size. It would simply be impossible to provide that evidence for the size of user-base.

Comcast treat spam over any port with equal distaste, despite what the abuse rep said. However, with port 25 being open with no AUTH requirement it's significantly easier for a spammer to utilize that port rather than 587 or 465. The reason is obvious and it's that they need to know a valid username and password which requires a lot more work on their end.

Finally, you are probably right in the cause of the block. i.e. you were reported as sending spam.

Just move to 587 with AUTH (or 465 AUTH and SSL if you can).

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 11:28:44 EDT

koitsu :

said by goahead :

While I agree its silly what they did, the first two sentences in yor post are terribly self-centered.

Thanks for the constructive criticism; I'll take it into mind.

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 11:24:58 EDT

goahead : While I agree its silly what they did, the first two sentences in yor post are terribly self-centered.

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 10:56:42 EDT

koitsu : Okay, so I just got off the phone with their Abuse folks (about a 30 minute conversation). They were slightly helpful, and very rigid to talk to (no surprise there, I've worked at many ISPs in my life and Abuse requires very stern, borderline cold personalities).

First thing first: Comcast will not provide me any logs or extensive technical details regarding what actually triggered the event. They specifically reserve the right to *not* hand that information over to you. I worked at Hotmail, so I know this rule quite well.

Second: the Abuse rep. told me the exact same thing Tier 1 and Cabal did -- there's a series of things that can trigger the block. Compromised machines on the network sending malicious packets with a destination port of 25, reports of malicious activity or spamming/malware distribution, or massive amounts of mail being sent within a 24 hour period.

Third: the rep was kind enough to disclose two pieces of information: 1) the incident occurred on September 2nd, and 2) the "modem level block" was put in place as a result of an Internet or Comcast user reporting that my IP was sending spam.

The first thing I did was check my modem logs to see if there was anything suspicious there. I found the following:

I believe this is the timestamp of when Comcast put the modem level block for port 25 in place.

Next, I went through my SMTP logs for the 2nd, and all of my outbound mail through smtp.comcast.net:25 was to FreeBSD developer mailing lists -- there was nothing odd or unsolicited.

I discussed this fact with the rep., who then tried to divert focus. "The block can also happen if you send out mails to more than 1000 recipients in the course of 24 hours. You said you sent 11 mails, but how many recipients?" Grepping logs showed that of those 11 mails I sent, they were sent to a total of 11 unique addresses. Remember, these are mail server logs; if I was to send a single mail with 500 people in the CC list, the mail server log would show all of those 500 unique addresses.

Next, the rep. and I went round and round for a bit about this whole thing. Eventually he settled on trying to convince me that I should change my postfix configuration over to use port 587. This completely confused me, and here's why:

I was told not more than 10 minutes prior that the reason the block was put in place was because of someone reporting to Comcast that I sent spam. So I asked him, "Does the port number I use for my outbound mail on smtp.comcast.net influence how you handle reports of spam? Because to me, spam is spam, regardless of what SMTP port it was sent through".

Shockingly, I was told point blank: yes, Comcast does in fact care what port number you use for your outbound mail, and they also care if you already have a block put up on port 25 (implying that by having that block in place, Comcast is more lax with you -- really!). Without getting into the semantics, the rep more or less disclosed that Comcast is significantly less anal about what is considered spam if the customer is using port 587. He also added "You seem awfully familiar with the SMTP protocol", which is when I explained I'm a UNIX administrator of 15+ years, so it's part of my job to be familiar.

The logic here baffles my mind. funchords would have a field day with this.

That said, I reluctantly agreed to get my postfix configuration working with port 587 (which means I *am* going to have to install Cyrus SASL. Grrrrrr...). Upon mentioning that, the rep. told me "Oh, by the way, we also have port 465 open, which is SMTP over SSL".

I also told him to keep the port 25 block in place, as there really isn't any point in removing the block, since it sounds like Comcast "tags" you as a higher risk person (somehow) if you're using that port vs. 587.

Port 465 may be what I go with, but ultimately depends on whether or not it requires SMTP AUTH. If so, then 465 or 587 -- doesn't matter. If not, awesome, problem solved! EDIT: Port 465 (which with postfix requires stunnel) also requires SMTP AUTH. Bummer.

So back to the logs I went, trying to figure out what happened...

Lo and behold, I found the very last Email I sent that evening (dated September 2nd, 21:23:49 PDT), which I personally sent to an individual who was more or less anti-Comcast trolling (referring to Comcast users as "Joe Six-packs") on the ISOTF Outages mailing list, somehow thinking Cox filtering ICMP packets had something to do with Comcast. The mail I sent pointed out the mistakes in his bizarre argument.

I speculate what actually happened is said individual forwarded my mail to Comcast Abuse as a form of retaliation, which Abuse handled identically to a spam complaint. It's the only thing I sent that even remotely could get Comcast Abuse involved. Purely speculative, but it's all I have to go on at this point.

EDIT: I just received a mail from said ISOTF mailing list individual; he was incredibly apologetic for his initial mail to me and odd/awkward claims.

I'm completely out of ideas. Comcast's reluctance to work with me to track down their claim is disheartening. :-( Regardless, I've got postfix up and working using Cyrus SASL + SMTP AUTH against smtp.comcast.net:587. Here's to hoping they don't block that...

--
Making life hard for others since 1977.
I speak for myself and not my employer/affiliates of my employer.

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 10:50:36 EDT

bigchris :

said by koitsu :

Ah ha! That explains it! Thanks for cluing me in here. I was under the impression Comcast only permits Comcast IPs to connect to smtp.comcast.net (regardless of port #). That is obviously not the case. The below telnets were done from our co-located servers:

What I'm saying: if Comcast provided customer-only (e.g. you must be on the Comcast IP network to use these) SMTP servers, they wouldn't need SMTP AUTH for said clients.

Edit: Since your are familiar with the SMTP protocol, you must also know that the RFCs state 587 requires authentication whereas 25 doesn't, but it supposed to be used only between MTAs whereas 587 is a client submission port.

Bzzt. Read the RFC yourself, Sections 6.1 through 6.4 -- specifically, the use of the word MAY. Meaning: requiring authentication on port 587 is *optional*. It's entirely up to the mail server administrator. By default most mail servers (postfix, exim, sendmail) require SMTP AUTH, but you simply change the said flag to "no" and voila, it acts just like port 25.

And if you look at the ISPs you are going to find nearly all of them require AUTH on 587. The RFC was written to provide the option since it's intended to move mail clients away from using port 25, but, most implementations are using it also as a way to authenticate.

As to your other point of Comcast IP only SMTP servers, that doesn't help with bot'd computers, hence the requirement to authenticate which takes out large numbers of abusive connections i.e. spam.

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 10:22:38 EDT

koitsu :

said by bigchris :

Ah ha! That explains it! Thanks for cluing me in here. I was under the impression Comcast only permits Comcast IPs to connect to smtp.comcast.net (regardless of port #). That is obviously not the case. The below telnets were done from our co-located servers:

What I'm saying: if Comcast provided customer-only (e.g. you must be on the Comcast IP network to use these) SMTP servers, they wouldn't need SMTP AUTH for said clients.

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 10:14:08 EDT

koitsu :

said by just4info :

If you have other PCs running on your network, you may want to check if there is anything running on those that may send bulk emails directly without going through your freebsd box.

A friend of mine received the same email and found out he had some unwanted program hijacked one of his PCs to send mails.

I'm not suggesting your PC is having virus. But I guess that is what comcast support would ask you to check anyway.

Such isn't the case. I have outbound ACLs applied on my gateway (router), which do not permit any outbound packets to TCP ports 25, 110, 465, 587, and 993. The ACL allows a *single IP address* on my LAN -- the above FreeBSD box running postfix -- to send outbound packets to any of those ports.

Meaning: let's say I have a wireless network and someone somehow compromises it, gaining access to my local network, and that person uses a computer that sends out spam or has viruses of some kind. There's absolutely no way this would work due to the ACL. If they configured their mail client to use my local FreeBSD box as their SMTP server, that would work -- however, I'd have evidence of it in my SMTP logs, which I do not.

To my knowledge, there are no viruses or malware applications that can affect FreeBSD, and the machine is definitely not compromised (I rebuilt world/kernel literally last night).

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 10:08:10 EDT

just4info : If you have other PCs running on your network, you may want to check if there is anything running on those that may send bulk emails directly without going through your freebsd box.

A friend of mine received the same email and found out he had some unwanted program hijacked one of his PCs to send mails.

I'm not suggesting your PC is having virus. But I guess that is what comcast support would ask you to check anyway.

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 10:05:16 EDT

bigchris :

It's really simple. You need to authenticate to send and to do that you need a valid comcast.net ID and you need to know the password. Plus it'll work on and off the comcast network so for those people that travel with laptops it's a win win.

Edit: Since your are familiar with the SMTP protocol, you must also know that the RFCs state 587 requires authentication whereas 25 doesn't, but it supposed to be used only between MTAs whereas 587 is a client submission port.

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 09:41:24 EDT

koitsu :

said by Cabal :

They use the same notice for both spam and when they detect a large number of messages sent during a given period of time. It was probably the latter. You can call up and have the block removed, but you probably want to restructure how much mail you're sending and where.

Do you feel this constitutes as a "large number of messages"? Note that the numbers are within a 24 hour period.

(06:36:00 jdc@icarus) /var/log $ for i in maillog*; do ls -l $i; echo -n "Mail sent in above log: " ; bzgrep -c 'relay=smtp.comcast.net.*mail accepted for delivery' $i; done-rw-r-----    1 root      wheel     76376  3 Sep 06:28 maillogMail sent in above log: 3-rw-r-----    1 root      wheel     16064  3 Sep 00:00 maillog.0.bz2Mail sent in above log: 11-rw-r-----    1 root      wheel     16649  2 Sep 00:00 maillog.1.bz2Mail sent in above log: 31-rw-r-----    1 root      wheel     11853  1 Sep 00:00 maillog.2.bz2Mail sent in above log: 5-rw-r-----    1 root      wheel     11102 31 Aug 00:00 maillog.3.bz2Mail sent in above log: 13-rw-r-----    1 root      wheel     13623 30 Aug 00:00 maillog.4.bz2Mail sent in above log: 12-rw-r-----    1 root      wheel     14918 29 Aug 00:00 maillog.5.bz2Mail sent in above log: 4-rw-r-----    1 root      wheel     18511 28 Aug 00:00 maillog.6.bz2Mail sent in above log: 14-rw-r-----    1 root      wheel     16669 27 Aug 00:00 maillog.7.bz2Mail sent in above log: 25

I'm on hold now with their Abuse department to see if someone knows. The general Tier 1 support folk told me it happens for the reasons you described here, but were unable to tell me what circumstances triggered said issue.

After that, they tried to "sell me" on using SMTP AUTH and port 587, to which I asked "Was my use of port 25 the reason for the block?" "No, it definitely wasn't, let me get you over to Abuse so they can get logs for you".

I'm still trying to wrap my brain around why SMTP AUTH is required for sending mail through their mail servers on port 587. Internet folks (non-Comcast customers) cannot connect to Comcast's outbound mail servers, and Comcast will always know who sent mail through their servers based on IP number, so I'm baffled at the purpose.

If anything, I'm willing to bet it's a miserable attempt to curb spam (running under the assumption that spambots and malware which send spam do not understand how to use SMTP AUTH, and don't have username/password credentials). It's the sign of an ISP who doesn't quite understand the problem...

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 09:26:56 EDT

koitsu :

said by rugby :

I had the same thing happen to me with my Asterisk PBX and sending out voicemails. Comcast tagged those emails as spam and they just stopped going out one day. The bad part was that I wasn't checking my comcast.net email account so I never knew it was blocking them for a few days when people started emailing me asking why I wasn't returning their messages.

Interesting. I don't use VoIP or any form of local PBX, so in my case, that rules that option out.

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 09:19:31 EDT

rugby : I had the same thing happen to me with my Asterisk PBX and sending out voicemails. Comcast tagged those emails as spam and they just stopped going out one day. The bad part was that I wasn't checking my comcast.net email account so I never knew it was blocking them for a few days when people started emailing me asking why I wasn't returning their messages.

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 08:50:15 EDT

koitsu :

said by CleanGene :

said by Cabal :

You can call up and have the block removed, but you probably want to restructure how much mail you're sending and where.

Quite. My understanding (and someone will surely correct me if I'm wrong) is that the initial block can be lifted without much hassle. However, if abuse is detected again and the block is re-enabled, it will be permanent, and no amount of pleading will remove it.

Which means I'm not going to ask that the block be removed until Comcast provide me some evidence of said "spamming" or "mass mailing" (which isn't happening either -- I keep a very close eye on my SMTP logs). I want a Message ID, queue ID, Subject line, timestamp of the mail, or SOMETHING I can key off of.

Basically, Comcast needs to show me evidence of said problem before I'll believe there is one. Based upon their own web page with the "alternateport" option, it appears to me this is a very common problem.

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 08:26:41 EDT

CleanGene :

said by Cabal :

You can call up and have the block removed, but you probably want to restructure how much mail you're sending and where.

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 07:37:14 EDT

Cabal : They use the same notice for both spam and when they detect a large number of messages sent during a given period of time. It was probably the latter. You can call up and have the block removed, but you probably want to restructure how much mail you're sending and where.
--
Interested in open source engine management for your Subaru?

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 07:24:19 EDT

K Patterson : You won't get a copy because Comcast doesn't have one. Think about the consequences for Comcast if they captured anybody's email for any purpose.

Re: [Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 05:57:42 EDT

koitsu : Yup, Comcast's mail servers require SMTP AUTH on port 587:

--
Making life hard for others since 1977.
I speak for myself and not my employer/affiliates of my employer.

[Spam] Comcast reporting spam from my IP

Wed, 03 Sep 2008 05:53:43 EDT

koitsu : Comcast picked the wrong person to send the below notification to. I'm a UNIX administrator who is quite familiar with SMTP.

Dear Comcast Subscriber:    ACTION REQUIRED: Comcast has determined that your computer(s) have been   used to send unsolicited email ("spam"), which is generally an   indicator of a virus. For your own protection and that of other Comcast   customers, we have taken steps to prevent further transmission of spam   from your computer(s).    Comcast.Net WebMail Users   If you use a web browser to access your email, this change will not   affect your service. However, it is important that you take steps to   remove the virus and secure your computer(s). This can be done by using   the FREE McAfee Antivirus and Firewall software available from Comcast   on the [2]Comcast Security Channel or by using other popular antivirus   solutions that are widely available.    Third-Party Mail Client Users (Outlook, Outlook Express, etc.)   If you use Outlook Express, the steps we have taken to protect the   Comcast network will not allow you to send email until you apply a   simple one click fix available at   [3]http://www.comcastsupport.com/alternateport. While this will restore   your ability to send mail it is still important to remove any possible   viruses from your computer.  This can be done by using the McAfee   Antivirus and Firewall software (offered to Comcast.net subscribers at   no additional charge) available from Comcast on the [4]Comcast Security   Channel or by using other popular antivirus solutions that are widely   available.    Note: this one click fix currently only works with Internet Explorer.   If you use a different browser, please click [5]here for steps to   manually change your port.    If you are using a third-party client other than Outlook Express   (Outlook, Eudora, Thunderbird, etc.), please click [6]here for   instructions.    Comcast is focused on providing a secure internet experience for all of   our customers. Please visit the [7]Comcast Security Channel regularly   to stay up to date with the latest security threats, products, and   services    If you have additional questions please visit   ([8]www.comcast.net/help).    Thank you for choosing Comcast!   Sincerely,   Comcast Customer Security Assurance    Border Bottom    © 2008 Comcast | [9]Privacy Statement References    1. http://www.comcast.net/Security/SecSuiteSSO/?cid=NET_33_18   2. http://www.comcast.net/Security/SecSuiteSSO/?cid=NET_33_18   3. http://www.comcastsupport.com/alternateport   4. http://www.comcast.net/Security/SecSuiteSSO/?cid=NET_33_18   5. http://www.comcastsupport.com/tb25   6. http://www.comcastsupport.com/tb25   7. http://security.comcast.net/?cid=NET_33_4   8. http://www.comcastsupport.com/tb25/helpsite.asp   9. http://www.comcast.net/privacy/

This mail tells me absolutely *jack squat* regarding technical details of what supposedly happened. Can I receive a copy of the supposed spam I sent? Nope. And the comcastsupport.com links above are timing out (looks like a webserver issue of some kind; HTTP request is accepted, but the GET request sits there indefinitely. Probably wedged/broken IIS boxes (I see .asp in the URLs!))

The only machine that sends mail -- through Comcast (smtp.comcast.net TCP port 25) -- is my FreeBSD box running postfix. It does not listen on a TCP port, is NAT'd, and there is no public/WAN port forward to it. My postfix transport mapping:

I cannot/will not use SMTP AUTH when connecting to a mail server, because postfix (as a client) cannot support SMTP AUTH without Cyrus SASL -- software I do not want anywhere near any machine I administrate.

Comcast has indeed applied an ACL blocking my ability to reach smtp.comcast.net on TCP port 25. The below telnet comes from my FreeBSD box at home (e.g. from Comcast's viewpoint they'd see the request come from my WAN IP):

TCP port 587 works fine:

I'm likely going to try switching the postfix transport mapping over to use port 587, but I'm not sure if this will work -- if my memory serves me correctly, Comcast requires SMTP AUTH on 587.

And I still want a copy of the supposed spam that came from my IP.

--
Making life hard for others since 1977.
I speak for myself and not my employer/affiliates of my employer.