
koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23

2 edits
reply to koitsu

Re: [Spam] Comcast reporting spam from my IP

Okay, so I just got off the phone with their Abuse folks (about a 30 minute conversation). They were slightly helpful, and very rigid to talk to (no surprise there, I've worked at many ISPs in my life and Abuse requires very stern, borderline cold personalities).

First thing first: Comcast will not provide me any logs or extensive technical details regarding what actually triggered the event. They specifically reserve the right to *not* hand that information over to you. I worked at Hotmail, so I know this rule quite well.

Second: the Abuse rep. told me the exact same thing Tier 1 and Cabal did -- there's a series of things that can trigger the block. Compromised machines on the network sending malicious packets with a destination port of 25, reports of malicious activity or spamming/malware distribution, or massive amounts of mail being sent within a 24 hour period.

Third: the rep was kind enough to disclose two pieces of information: 1) the incident occurred on September 2nd, and 2) the "modem level block" was put in place as a result of an Internet or Comcast user reporting that my IP was sending spam.

The first thing I did was check my modem logs to see if there was anything suspicious there. I found the following:

2008-09-02 23:54:16  6-Notice    M573.0    Modem Is Shutting Down and Rebooting...
2008-09-02 23:54:16  3-Critical  Ô7954.20  Resetting the cable modem due to docsDevResetNow

I believe this is the timestamp of when Comcast put the modem level block for port 25 in place.

Next, I went through my SMTP logs for the 2nd, and all of my outbound mail through smtp.comcast.net:25 was to FreeBSD developer mailing lists -- there was nothing odd or unsolicited.

I discussed this fact with the rep., who then tried to divert focus. "The block can also happen if you send out mails to more than 1000 recipients in the course of 24 hours. You said you sent 11 mails, but how many recipients?" Grepping logs showed that of those 11 mails I sent, they were sent to a total of 11 unique addresses. Remember, these are mail server logs; if I was to send a single mail with 500 people in the CC list, the mail server log would show all of those 500 unique addresses.

Next, the rep. and I went round and round for a bit about this whole thing. Eventually he settled on trying to convince me that I should change my postfix configuration over to use port 587. This completely confused me, and here's why:

I was told not more than 10 minutes prior that the reason the block was put in place was because of someone reporting to Comcast that I sent spam. So I asked him, "Does the port number I use for my outbound mail on smtp.comcast.net influence how you handle reports of spam? Because to me, spam is spam, regardless of what SMTP port it was sent through".

Shockingly, I was told point blank: yes, Comcast does in fact care what port number you use for your outbound mail, and they also care if you already have a block put up on port 25 (implying that by having that block in place, Comcast is more lax with you -- really!). Without getting into the semantics, the rep more or less disclosed that Comcast is significantly less anal about what is considered spam if the customer is using port 587. He also added "You seem awfully familiar with the SMTP protocol", which is when I explained I'm a UNIX administrator of 15+ years, so it's part of my job to be familiar.

The logic here baffles my mind. funchords would have a field day with this.

That said, I reluctantly agreed to get my postfix configuration working with port 587 (which means I *am* going to have to install Cyrus SASL. Grrrrrr...). Upon mentioning that, the rep. told me "Oh, by the way, we also have port 465 open, which is SMTP over SSL".

I also told him to keep the port 25 block in place, as there really isn't any point in removing the block, since it sounds like Comcast "tags" you as a higher risk person (somehow) if you're using that port vs. 587.

Port 465 may be what I go with, but ultimately depends on whether or not it requires SMTP AUTH. If so, then 465 or 587 -- doesn't matter. If not, awesome, problem solved! EDIT: Port 465 (which with postfix requires stunnel) also requires SMTP AUTH. Bummer.

So back to the logs I went, trying to figure out what happened...

Lo and behold, I found the very last Email I sent that evening (dated September 2nd, 21:23:49 PDT), which I personally sent to an individual who was more or less anti-Comcast trolling (referring to Comcast users as "Joe Six-packs") on the ISOTF Outages mailing list, somehow thinking Cox filtering ICMP packets had something to do with Comcast. The mail I sent pointed out the mistakes in his bizarre argument.

I speculate what actually happened is said individual forwarded my mail to Comcast Abuse as a form of retaliation, which Abuse handled identically to a spam complaint. It's the only thing I sent that even remotely could get Comcast Abuse involved. Purely speculative, but it's all I have to go on at this point.

EDIT: I just received a mail from said ISOTF mailing list individual; he was incredibly apologetic for his initial mail to me and odd/awkward claims.

I'm completely out of ideas. Comcast's reluctance to work with me to track down their claim is disheartening. :-( Regardless, I've got postfix up and working using Cyrus SASL + SMTP AUTH against smtp.comcast.net:587. Here's to hoping they don't block that...

--
Making life hard for others since 1977.
I speak for myself and not my employer/affiliates of my employer.
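The log check described in the post above (grepping the mail server log to count messages and unique recipients against the "1000 recipients in 24 hours" threshold, and seeing which relay port each message went out on) can be scripted. The following is an added example, not koitsu's own script or anything from Comcast: it parses constructed postfix/smtp delivery lines (made-up host name, queue IDs, addresses, and a documentation-range relay IP), groups them by queue ID, computes the peak number of delivery attempts in any sliding 24-hour window, and lists the queue IDs that were relayed over port 25 rather than the authenticated submission port.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of postfix/smtp delivery log lines in syslog format (no
# year in the timestamp). Host name, queue IDs and addresses are made up for
# this example; the relay IP is from the documentation range 192.0.2.0/24.
SAMPLE_LOG = """\
Sep  2 09:10:01 mx postfix/smtp[4101]: 1A2B3C4D5E: to=<list-a@example.org>, relay=smtp.comcast.net[192.0.2.25]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 111AAA)
Sep  2 09:10:01 mx postfix/smtp[4101]: 1A2B3C4D5E: to=<list-b@example.org>, relay=smtp.comcast.net[192.0.2.25]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 111AAA)
Sep  2 14:30:12 mx postfix/smtp[4188]: 5F6A7B8C9D: to=<dev@example.net>, relay=smtp.comcast.net[192.0.2.25]:587, delay=1.1, delays=0.2/0/0.5/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 222BBB)
Sep  2 21:23:49 mx postfix/smtp[4230]: 9E8D7C6B5A: to=<person@example.com>, relay=smtp.comcast.net[192.0.2.25]:587, delay=1.3, delays=0.1/0/0.6/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 333CCC)
Sep  3 21:30:00 mx postfix/smtp[4301]: 0F1E2D3C4B: to=<late@example.com>, relay=smtp.comcast.net[192.0.2.25]:587, delay=1.0, delays=0.1/0/0.5/0.4, dsn=4.7.1, status=deferred (451 4.7.1 try again later)
"""

# One postfix/smtp line per recipient attempt: timestamp, queue ID, recipient,
# relay host (optional [ip]) and port, and the final status token.
DELIVERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtp\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^\[\s,]+)(?:\[[^\]]*\])?:(?P<port>\d+), "
    r".*\bstatus=(?P<status>\w+)"
)


def parse_delivery(line, year):
    """Return a dict for one postfix/smtp delivery line, or None for any other line."""
    m = DELIVERY_RE.match(line)
    if not m:
        return None
    ts = " ".join(m.group("ts").split())  # collapse the 'Sep  2' day padding
    return {
        "time": datetime.strptime("%d %s" % (year, ts), "%Y %b %d %H:%M:%S"),
        "qid": m.group("qid"),
        "rcpt": m.group("rcpt").lower(),
        "relay": m.group("relay"),
        "port": int(m.group("port")),
        "status": m.group("status"),
    }


def load_deliveries(text, year):
    """Parse every delivery line in `text` and return them sorted by time."""
    parsed = (parse_delivery(line, year) for line in text.splitlines())
    return sorted((d for d in parsed if d), key=lambda d: d["time"])


def recipients_per_message(deliveries):
    """Map queue ID -> set of recipients; a 500-address CC shows up as 500 lines."""
    per = defaultdict(set)
    for d in deliveries:
        per[d["qid"]].add(d["rcpt"])
    return dict(per)


def max_recipients_in_window(deliveries, window=timedelta(hours=24)):
    """Largest number of delivery attempts inside any sliding window of `window`."""
    best = 0
    for i, d in enumerate(deliveries):  # deliveries are time-sorted
        start = d["time"] - window
        count = sum(1 for e in deliveries[:i + 1] if e["time"] > start)
        best = max(best, count)
    return best


def unauthenticated_port25(deliveries):
    """Queue IDs relayed over port 25; the submission ports 587/465 require AUTH."""
    return sorted({d["qid"] for d in deliveries if d["port"] == 25})


def report(text, year, limit=1000):
    """Summarise a log against a provider-style recipients-per-24h limit."""
    ds = load_deliveries(text, year)
    peak = max_recipients_in_window(ds)
    return {
        "messages": len(recipients_per_message(ds)),
        "recipient_attempts": len(ds),
        "unique_recipients": len({d["rcpt"] for d in ds}),
        "peak_24h": peak,
        "over_limit": peak > limit,
        "port25_queue_ids": unauthenticated_port25(ds),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG, 2008).items():
        print("%-18s %s" % (key, value))
```

Run it against a real /var/log/maillog by reading the file into `report()` with the correct year; the queue IDs and timestamps it prints are exactly what an abuse desk would need to cross-reference against its own submission-server logs.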

goahead

join:2008-09-03
While I agree it's silly what they did, the first two sentences in your post are terribly self-centered.


koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23
said by goahead:

While I agree it's silly what they did, the first two sentences in your post are terribly self-centered.
Thanks for the constructive criticism; I'll take it into mind.


bigchris
Do Not Shoot The Messenger
Premium,MVM
join:2002-04-29
Leesburg, VA
reply to koitsu
Comcast will not provide you the logs or evidence of why you were blocked. Having worked at hotmail you can understand why, it's not only an issue of storing private information but also a question of subscriber base size. It would simply be impossible to provide that evidence for the size of user-base.

Comcast treat spam over any port with equal distaste, despite what the abuse rep said. However, with port 25 being open with no AUTH requirement it's significantly easier for a spammer to utilize that port rather than 587 or 465. The reason is obvious and it's that they need to know a valid username and password which requires a lot more work on their end.

Finally, you are probably right in the cause of the block. i.e. you were reported as sending spam.

Just move to 587 with AUTH (or 465 AUTH and SSL if you can).

goahead

join:2008-09-03
reply to koitsu
said by koitsu:

said by goahead:

While I agree it's silly what they did, the first two sentences in your post are terribly self-centered.
Thanks for the constructive criticism; I'll take it into mind.
:) I didn't mean it in an insulting way either, just pointing it out in case you get attacked for your knowledge.


koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23
said by goahead:

said by koitsu:

said by goahead:

While I agree it's silly what they did, the first two sentences in your post are terribly self-centered.
Thanks for the constructive criticism; I'll take it into mind.
:) I didn't mean it in an insulting way either, just pointing it out in case you get attacked for your knowledge.
I didn't take it as an insult, and didn't intend my reply to be of a snarky nature either. (I really was serious when I said thanks for the constructive criticism!)


koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23
reply to bigchris
said by bigchris:

Comcast will not provide you the logs or evidence of why you were blocked. Having worked at hotmail you can understand why, it's not only an issue of storing private information but also a question of subscriber base size. It would simply be impossible to provide that evidence for the size of user-base.

Comcast treat spam over any port with equal distaste, despite what the abuse rep said. However, with port 25 being open with no AUTH requirement it's significantly easier for a spammer to utilize that port rather than 587 or 465. The reason is obvious and it's that they need to know a valid username and password which requires a lot more work on their end.

Finally, you are probably right in the cause of the block. i.e. you were reported as sending spam.

Just move to 587 with AUTH (or 465 AUTH and SSL if you can).
*nod* Thanks for the clarification. I've migrated to port 587 (postfix + Cyrus SASL for SMTP AUTH). Port 465 is a pain due to extra reliance on stunnel, since postfix doesn't natively support port 465 any longer.

An interesting experiment -- and I am not condoning or advocating this in any way, as it's shady -- would be to send Comcast some mails with forged Received: headers to see if they rely solely on the report, or if they do go back through SMTP server logs to correlate the claims.
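The migration discussed in this exchange (from an unauthenticated relay through smtp.comcast.net:25 to the submission port with SMTP AUTH) comes down to a handful of main.cf settings. As an added example, not koitsu's actual configuration and not anything published by Comcast, the block below holds two constructed main.cf fragments, the weak port-25 relay beside the hardened 587 + SASL + TLS setup, and a small audit routine that parses main.cf syntax and flags the weak pattern. The parameter names (`relayhost`, `smtp_sasl_auth_enable`, `smtp_sasl_password_maps`, `smtp_sasl_security_options`, `smtp_tls_security_level`, `smtp_tls_CAfile`) are real Postfix parameters; the file paths and the audit rules are this example's own choices.

```python
import re

# Two constructed /etc/postfix/main.cf fragments: the unauthenticated port-25
# relay the thread starts from, and the submission-port setup it ends on.
# Parameter names are real Postfix parameters; paths are placeholders.
WEAK_MAIN_CF = """\
# relay everything through the ISP on the plain SMTP port: no AUTH, no TLS
relayhost = smtp.comcast.net
"""

HARDENED_MAIN_CF = """\
# submission port, SASL AUTH, and TLS required before credentials are sent
relayhost = [smtp.comcast.net]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
"""

# TLS levels at which Postfix refuses to send without an encrypted session.
ENCRYPTING_TLS_LEVELS = {"encrypt", "dane", "dane-only", "fingerprint", "verify", "secure"}

RELAYHOST_RE = re.compile(r"^(?P<br>\[)?(?P<host>[^\]:]+)\]?(?::(?P<port>\d+))?$")


def parse_main_cf(text):
    """Parse main.cf: 'name = value' lines, '#' comments, indented continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:  # continuation of previous value
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter line; ignore
        current = name.strip()
        params[current] = value.strip()
    return params


def parse_relayhost(value):
    """Return (host, port, mx_lookup). Brackets suppress the MX lookup; port defaults to 25."""
    m = RELAYHOST_RE.match(value.strip())
    if not m:
        return None
    return (m.group("host"), int(m.group("port") or 25), m.group("br") is None)


def audit_relay(params):
    """Return a list of findings for the outbound-relay settings; empty means OK."""
    findings = []
    relay = params.get("relayhost", "")
    if not relay:
        return findings  # no ISP relay configured; nothing to audit here
    parsed = parse_relayhost(relay)
    if parsed is None:
        return ["relayhost could not be parsed: %r" % relay]
    host, port, mx_lookup = parsed
    if port == 25:
        findings.append("relayhost %s uses port 25; use the submission port 587" % host)
    if mx_lookup:
        findings.append("relayhost is not in [brackets]; Postfix will do an MX lookup on %s" % host)
    sasl = params.get("smtp_sasl_auth_enable", "no").lower() == "yes"
    if not sasl:
        findings.append("smtp_sasl_auth_enable is not 'yes'; the relay is unauthenticated")
    else:
        if not params.get("smtp_sasl_password_maps"):
            findings.append("smtp_sasl_auth_enable is on but smtp_sasl_password_maps is unset")
        if params.get("smtp_tls_security_level", "none").lower() not in ENCRYPTING_TLS_LEVELS:
            findings.append("SASL credentials may be sent in clear: set smtp_tls_security_level = encrypt")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(label, audit_relay(parse_main_cf(text)) or ["no findings"])
```

The same `audit_relay()` can be pointed at the output of `postconf -n` (which prints the non-default settings in the same `name = value` form) to check a live box. Note that the hardened fragment only covers the client side; the `/etc/postfix/sasl_passwd` map still has to be created and hashed with `postmap`, and should be readable by root only.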


bigchris
Do Not Shoot The Messenger
Premium,MVM
join:2002-04-29
Leesburg, VA
I'm not going to comment on what we would or wouldn't do, but I guess I'd question why you'd want to bother with it. You now have a working solution so why mess with it.


odog
Cable Centric Vendor Biased
Premium,VIP
join:2001-08-05
Atlanta, GA
kudos:16
reply to koitsu
Check your IP here

www.senderbase.org


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
said by odog:

Check your IP here

www.senderbase.org
To what end? He is sending from his IP address only to the Comcast SMTP message submission server. Comcast is only going to be concerned with whether he is an authenticated Comcast user, and acting within the limitations of the Comcast Terms of Use. Message submission servers shouldn't care about that Senderbase data.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


odog
Cable Centric Vendor Biased
Premium,VIP
join:2001-08-05
Atlanta, GA
kudos:16
said by NormanS:

said by odog:

Check your IP here

www.senderbase.org
To what end? He is sending from his IP address only to the Comcast SMTP message submission server. Comcast is only going to be concerned with whether he is an authenticated Comcast user, and acting within the limitations of the Comcast Terms of Use. Message submission servers shouldn't care about that Senderbase data.
senderbase also gives a "score" about how much spam has been received from the particular IP. It more importantly will list if he is one of the large blacklists for whatever reason.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12

1 recommendation

said by odog:

senderbase also gives a "score" about how much spam has been received from the particular IP. It more importantly will list if he is one of the large blacklists for whatever reason.
What does his IP address have to do with anything?!?!? He is sending through 'smtp.comcast.net'. The only thing which a gateway mail server should concern itself with is the IP address of 'smtp.comcast.net'. The Comcast user's IP address is not a part of the equation.

Look; just because I am running an MTA, doesn't mean my ISP IP address is connecting to gateway mail servers when I send out email. Neither his Comcast connection, nor my AT&T connection are a part of the equation! When we send through our respective ISP SMTP message submission servers, our IP addresses should be treated no different than any other user's IP address while going through those servers.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


funchords
Hello
Premium,MVM
join:2001-03-11
Yarmouth Port, MA
kudos:6

2 edits

1 recommendation

reply to koitsu
said by koitsu:

The logic here baffles my mind. funchords would have a field day with this.
Yeah, I'm reading.

Comcast needs to fish or cut bait. This is intolerable to people like us. The only reason it's tolerated at all is because most users these days think that email is something they get from a website.

I admire Comcast for being one of the last, great holdouts for blocking TCP 25 outbound. They made the right and best decision against enormous pressure. However, the implementation is screwed up somewhere and if they're unwilling to spend the money to fix it, then they should just wave the white flag and make the block across the board and then let select technically-informed users opt-out.

koitsu has been more than reasonable. He's not getting customer support, he's getting corporate arrogance. One complaint doesn't make him a spammer (didn't anyone SEE how few emails that he sent?). Nobody can be sure, and Comcast shouldn't rat out someone who sent in a complaint -- but Comcast, are you sure Koitsu emailed the message or was it remailed by the listserv? If so -- then this is between the listserv admin and the complainer, and you shouldn't get involved.

Anyway -- that's this incident. I keep reading incident after incident after incident of bungled or questionable mail administration around the control of outgoing spam. User errors or user neglect is probably responsible for half of these. But where is the discretion, that human factor, in handling the other half? That's the saddening, maddening pattern that frustrates me.

Spam is tough. There's no "field day" here -- I feel for both sides of this very tough issue. What I have no patience for is people treating others as less than deserving of respect and dignity. Call me old-fashioned, but if more people cared for one another, it would be a brighter world.

If Comcast is going to stand by their decision to block outbound 25 as a reactive measure, then technically capable Comcast users ought to continue to applaud that. I know that I never wanted my Internet access to have a PlaySkool interface. Let AOL have those "See Spot run!" customers. But, please, calling koitsu a spammer is not customer support and nobody should be trying to explain why he should just live with it. It's a sign that something is broken and needs to be fixed.
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon
More features, more fun, Join BroadbandReports.com, it's free...


koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23

1 edit
said by funchords:

But, please, calling koitsu a spammer is not customer support and nobody should be trying to explain why he should just live with it. It's a sign that something is broken and needs to be fixed.
Thanks, your sentiments are greatly appreciated.

The part that frustrates me (and I apologise in advance if this sounds narcissistic): I'm the perfect candidate to work with Comcast to get this fixed. This is where having a good technical skill set comes into play.

I understand that by this point most of the support reps are probably attuned to "What is a trojan?? What do you mean my computer sent spam?? I just want my mail to work!" responses from customers. But I'm not one of those, and I did my best to make the Abuse guy aware of that fact (and he did acknowledge it). I was hoping it would establish a sense of trust.

It does appear that the reasoning behind why Comcast doesn't "work more with customers" on issues like this is because of either managerial red tape (paranoia), or legal aspects. I understand the "they don't provide details to minimise retaliation" aspect, and I can see the justification in that. But there needs to be some common ground established between the customer and the provider.

My reasons for being wary/untrustworthy at this point, I feel, are justified. I sincerely believe at this point, one of these is what's happening here. This is purely speculative, just for the record:

1) Outbound mail (sent through Comcast's mail servers) is scanned on Comcast's systems using spam analysis software, and if the mail receives a high score, sets a "red flag" somewhere with Abuse/whomever to put an ACL on the account.

Along those same lines, maybe they use something like log analysis software and saw that within X number of minutes or seconds I sent X number of mails, and that caused a "red flag". This type of system is very common, and needs to be tuned appropriately to get accurate results; too sensitive and situations like this happen.

2) My use of smtp.comcast.net port 25, without SMTP AUTH, flagged me within Comcast as a "possible spammer". Of course I've been using this method for years, so I'm not sure what would have caused Comcast to get sensitive about it *now*.

3) An Abuse person at Comcast received either a falsified report of spam (e.g. modified Received: headers) and simply assumed what was shown to be true.

If this is how the process works, this is very, very bad. I want to believe the Abuse folks are able to go onto the Comcast SMTP servers and verify that the Comcast IP did in fact send the mail, AND that the mail queue IDs match. How do I know they're doing that and not just blindly trusting what some Internet jhonka sends them? (This is why I said an experiment would be interesting.)

4) An Abuse person at Comcast received a legitimate spam complaint, but misread or typo'd the IP in the Received headers, causing them to go on a wild goose chase. "Oh look, this guy is using smtp.comcast.net port 25 with no authentication!", even though the report may not have been about me.

I can spend the rest of my life speculating, I'm sure. It doesn't diminish the fact that this exact situation will happen to someone else. I'd love to work with Comcast to figure out what happened here, but their hands appear tied as I said before.


funchords
Hello
Premium,MVM
join:2001-03-11
Yarmouth Port, MA
kudos:6

4 edits
A couple of years ago, someone decided that they could save Comcast money at the abuse desk and dreamed up this dominoes cum chutes and ladders method to replace some of the workload.

It's now part automaton, part scripted, part Sandvine (yes, that Sandvine), part server, part reputation score and the people that support it -- good people -- get a bit overwhelmed due to the strange set of rules that apply (a user is a spammer if he sends 11 mails in 10 minutes of 9 lines or more using 8 from addresses or 7 blank lines at the end).

Rather than admit mistake, an overwhelmed and powerless employee in certain anti-customer cultures does not respond by admitting surprise or enlightenment; they rather maintain their frustratingly defenseless position despite evidence, despite debate, despite conclusive judgments to the contrary. Powerless over the situation, there is no professional curiosity, nor co-ownership of the customer's problem. Criticism doesn't lead to change there, it leads to entrenchment.

The report, faked or forged? -- regardless. There are two active threads, one right next to each other. Comcast called both OP's "spammers." One guy sends 500 messages, perhaps UCE (perhaps double opt-in, we just don't know) but certainly not the spam problem common to the Internet. The other guy is you. Comcast cut you both off. If cutting the two of you off is fighting spam, then Comcast is bringing squirt guns to a forest fire.

And in both threads, helpful people (and sincerely so) trying to explain why what happened happened -- lost in the technical detail of what tripped what without regard to the view from just a few steps farther away: good customers are getting bad experiences. That's okay, it's just justifiable as "collateral damage" in a war to help ensure "a good experience for most of our users."

I, for one, am sick of it.

These aren't Freebie NetZero accounts. This isn't Hotmail (sorry). This is paid-for premium Internet service! Customers deserve better.
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon
More features, more fun, Join BroadbandReports.com, it's free...


bigchris
Do Not Shoot The Messenger
Premium,MVM
join:2002-04-29
Leesburg, VA
reply to koitsu
Koitsu, Funchords, I didn't want to let this sit and become gospel truth because it isn't addressed.

Koitsu, I can assure you that your speculations are not accurate.

Funchords, your comment about sending rates that will get you labeled as a spammer is not accurate either, they are simply limits.


koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23
said by bigchris:

Koitsu, Funchords, I didn't want to let this sit and become gospel truth because it isn't addressed.

Koitsu, I can assure you that your speculations are not accurate.

Funchords, your comment about sending rates that will get you labeled as a spammer is not accurate either, they are simply limits.
I want to believe you bigchris, but the fact of the matter still stands: Comcast applied an outbound block on my modem for TCP port 25 due to "a report of spam", yet cannot actually provide me any evidence of it happening -- because all the evidence I have shows no such thing. My evidence shows there was no outbound SMTP spam sent from my connection on, or even around, September 2nd.

Why this matter concerns me so much:

Based on what you've told me earlier in this thread, what the Abuse individual stated isn't accurate -- what port you send mail through makes no difference regarding how Comcast handles spam reports.

This means that the *exact same situation could happen again*, which could in fact result in either 1) my inability to send mail from my Comcast service entirely (e.g. 25, 465, and 587 all get blocked), or 2) possibly termination of my service.

THAT is why I'm so concerned. I don't want it to happen again, and for that to happen, I need to know *details*, and work with someone, sharing evidence and being fair about it.

This *also* makes me question whether or not the Abuse person was telling me the truth when it came to his claim that the block was put in place "because of Comcast receiving a report of my IP sending spam".

It's to the point where I'd even be willing to sign an NDA (stopping further discussion on my part regarding this problem) just so I could get details on what happened. I realise this latter will probably make some forum folks say "Great dude, real great, just give in to the system and be a drone", but I'm trying to be reasonable, and I am worried for the above two reasons.

In no way shape or form am I complaining just for the sake of doing so -- I really am concerned/worried this situation will happen again.


bigchris
Do Not Shoot The Messenger
Premium,MVM
join:2002-04-29
Leesburg, VA
Koitsu, I said your speculations weren't accurate, I didn't say that the Abuse dept lied to you.

We will not block your port 587 or 465. You need to authenticate to use those ports so in effect you are saying it's you that sent the mail.

Now if it turns out you have or ever are trojan'd and we deem it significant enough to warn you, we'll contact you directly via the phone. We've done this in the past many times when it's clear a customer has a serious problem.

Can we end this now please?


koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23

1 edit
said by bigchris:

Koitsu, I said your speculations weren't accurate, I didn't say that the Abuse dept lied to you.

We will not block your port 587 or 465. You need to authenticate to use those ports so in effect you are saying it's you that sent the mail.

Now if it turns out you have or ever are trojan'd and we deem it significant enough to warn you, we'll contact you directly via the phone. We've done this in the past many times when it's clear a customer has a serious problem.

Can we end this now please?
No, because this just induces even more questions.

What you're telling me in the above paragraphs is essentially the following: "if you use SMTP AUTH to authenticate yourself with our mail servers, regardless of port #, then we won't block you".

None of this explains what caused Comcast to 1) suddenly block outbound TCP port 25, and 2) tell me that I sent spam through their mail servers on September 2nd.

Why did Comcast not simply send me an Email stating "we see you are using smtp.comcast.net port 25 without authentication. You need to use authentication to utilise our mail servers. To force you into doing that, we've put up a block on port 25. You'll need to use ports 587 or 465, which require authentication, from this point on"?

Why did the Support (not Abuse) rep. I spoke to not tell me that? Why didn't the Abuse rep. tell me that?

Finally: yes, of course I "sent the mail", if by "sent the mail" you mean the 11 I sent on September 2nd. I already admitted to sending all 11 of those (non-spam) mails, through smtp.comcast.net:25. I'm telling you flat out, NONE of those mails are spam. I can gladly send you, or any other Comcast rep., all 11 of those mails, as well as all 11 log entries in my mailserver, and you can cross-reference the timestamps and the mail queue IDs. Like I said, *I* have evidence/proof that I did not send any spam, but Comcast is not willing to work with me to try and figure out what really happened.

Or was what I was told (re: "you sent spam") a lie, and it was really just an attempt to get me to use SMTP AUTH? If so, no problem -- just say that!

KookyMan

join:2001-09-09
Clio, MI
The sad thing Koitsu, if you push that by providing logs of your mail server/etc, they will probably crack on you for running a mail server since that's "obviously not consumer use" (despite the fact that us geeks DO use servers in our residential environment.) Yes, I know it's semantics since they aren't "public" servers, but you get what I'm prodding at.