Paul928 join:2000-05-06 Haverhill, MA
to Sunny
Re: Constant Guard Security Alert? said by Sunny: Check the addressee for the email you received and the email headers. I occasionally get those, but they are not actually from a Comcast domain.
When I do, I give the header info to ComcastSteve and he reports them. Here are the addresses:
Received: by 10.224.70.205 with SMTP id e13mr2149780qaj.77.1355137742039; Mon, 10 Dec 2012 03:09:02 -0800 (PST)
Return-Path:
Received: from qmta04.westchester.pa.mail.comcast.net (qmta04.westchester.pa.mail.comcast.net. [2001:558:fe14:43:76:96:62:40]) by mx.google.com with ESMTP id p4si8027436qct.98.2012.12.10.03.09.01; Mon, 10 Dec 2012 03:09:01 -0800 (PST)
Received-SPF: neutral (google.com: 2001:558:fe14:43:76:96:62:40 is neither permitted nor denied by domain of online.communications@alerts.comcast.net) client-ip=2001:558:fe14:43:76:96:62:40;
Authentication-Results: mx.google.com; spf=neutral (google.com: 2001:558:fe14:43:76:96:62:40 is neither permitted nor denied by domain of online.communications@alerts.comcast.net) smtp.mail=online.communications@alerts.comcast.net; dkim=pass (test mode) header.i=@comcast.net
Received: from imta06.westchester.pa.mail.comcast.net ([76.96.62.53]) by qmta04.westchester.pa.mail.comcast.net with comcast id Zn8q1k00218vZRY54n91sL; Mon, 10 Dec 2012 11:09:01 +0000
Received: from qmta01-mdp.westchester.pa.bo.comcast.net ([76.96.68.101]) by imta06.westchester.pa.mail.comcast.net with comcast id ZmrW1k00o2B5erw06n5h3l; Mon, 10 Dec 2012 11:05:41 +0000
Received: from omta02-mdp.westchester.pa.bo.comcast.net ([76.96.53.12]) by qmta01-mdp.westchester.pa.bo.comcast.net with comcast id ZlBz1k0010FoFkC01n5hov; Mon, 10 Dec 2012 11:05:41 +0000
Received: from PACDCMSSAPP01 ([68.87.97.254]) by omta02-mdp.westchester.pa.bo.comcast.net with bizsmtp id Zn5h1k00F5VJHpw07n5hxU; Mon, 10 Dec 2012 11:05:41 +0000
From: "Comcast Online Communications"
Paul928
Well, after doing all those scans most of the evening, I still come up with nothing found! I'm starting to believe, as many here do, that this may be a false positive of some sort.... From the little research that I've done on this subject, I guess this has been going on for a while, and people seem to come up with the same results as I have.... Just wondering when or if Xfinity is going to fix this, and stop scaring the crap out of its customers!
jlivingood Premium Member join:2007-10-28 Philadelphia, PA
Not all malware infections are detected using free or commercial tools - this is not like anti-virus. Something to keep an eye on.
We're developing some new tools & capabilities in 2013 that will take this to the next level, since IPv4 NAT currently is a limiting technical factor for us.
KHAOS1 (Anon) 2012-Dec-11 9:15 am
to Paul928
Do you have a wireless router either with no password or a very weak one? Someone could be piggybacking on your network! Does your neighbor have your password? Has your daughter given it to a friend? Check your router logs, see how many connected devices you see, verify MAC addresses.
smith_in_co
to jlivingood
I can understand that the IPv6 transition is preventing the rollout of new tools and capabilities, but like Paul928 mentioned, I think the current state of scaring the heck out of your customers with inaccurate and incomplete reports is a disservice to your customers. Not to mention the hours/$ your customers are spending working on something that can't be found.
As I mentioned in the Comcast Direct Forum please provide the details about what triggers the bot alert and then I and others can work backward from our Router(s) to search for the problem.
Also, I know that these bot alerts have been around since 2010 and I have been a Comcast/Adelphia customer for over 25 years, but my issues with getting them only started when the new version was put in last week, so please also review what changed last week that might be causing more false alerts than were created in the past.
Thank You.

smith_in_co
to KHAOS1
Yes, I have a wireless router using a long WPA2 key made up of all types of characters. In addition, I use software such as inSSIDer, so I know what other wifi networks are in the area, and I review my router's reports to see if there is any access from computers other than ours.
Paul928 join:2000-05-06 Haverhill, MA
I too have a wireless router, and it is pretty well locked down.... And no, my daughter has never given out the password to anybody! Just out of curiosity, I'm wondering if people that have Constant Guard on their computer are also getting these warnings, or for that matter, if a scan is done with Constant Guard, has any such malware been detected? I also find that, between all these programs and scans being run (free or paid), at least one of them should be able to detect this "mystery" malware! I for one have spent enough of my time on this, and outside of actually doing a format on both my computers, have done all I can do! I am almost tempted to download a copy of Constant Guard to see, as an experiment, if it picks up on this exploit, even though I have always had a personal policy to keep my computers as clean as I can by not installing resource hog programs like Constant Guard..... Might be worth it though, just to ease my own mind.
Sunny (Runs from Clowns) join:2001-08-19
to Paul928
Paul, here is an example of what I sent ComcastSteve. He confirmed it was a "phishing expedition." Notice the two bolded email domains. I would expect an email from Comcast to come from the comcast.com domain, so I was immediately suspicious.
================================
This morning I got an odd email to one of my Comcast email accounts, one I don't use heavily, just have some political stuff occasionally.
At first glance, I thought the subject was Constant Guard Alert. That struck me as odd since I have not installed Constant Guard.
The title is actually Comcast Guard Alert. Hmmm. It says it is from Comcast@security.com. Another hmmmm.
It has a link it wants me to click. The link is disguised as "Account Reconciliation" which covers the actual link ---> ht tp://butrflydrms213.home.comcast.net
Email headers:
Return-Path: root@wiki.poweroasis.com
Received: from imta31.westchester.pa.mail.comcast.net (LHLO imta31.westchester.pa.mail.comcast.net) (76.96.62.25) by sz0115.ev.mail.comcast.net with LMTP; Fri, 15 Jun 2012 21:07:49 +0000 (UTC)
Received: from Ubuntu11x64Svr ([84.92.25.153]) by imta31.westchester.pa.mail.comcast.net with comcast id Nl7o1j01t3JBZMQ0Xl7oxZ; Fri, 15 Jun 2012 21:07:49 +0000
X-CAA-SPAM: 00000
X-Authority-Analysis: v=2.0 cv=WZ2OmjdX c=1 sm=1 a=p3riUwRaJWU4p/K8+3S3WQ==:17 a=YWNZQc2wkpcA:10 a=HRn4fpiT8EsA:10 a=cVHRbVdmAAAA:8 a=C_IRinGWAAAA:8 a=Baj1MykYeoxCemNOp18A:9 a=p3riUwRaJWU4p/K8+3S3WQ==:117
Received: from root by Ubuntu11x64Svr with local (Exim 4.76) (envelope-from ) id 1Sfdi5-0006N0-6g for xxxxxxx@comcast.net; Fri, 15 Jun 2012 22:05:37 +0100
To: xxxxxxx@comcast.net
Subject: Comcast Guard Alert
X-PHP-Originating-Script: 0:send.php
From: comcast@security.com
Content-Type: text/html
Message-Id:
Date: Fri, 15 Jun 2012 22:05:37 +0100
X-Brightmail-Tracker: AAAAAA==
X-Brightmail-Tracker: AAAAAA==
Email message:
Xfinity
Constant Guard Alert
Dear XFINITY Customer,
Please read this entire message.
In an effort to improve our customers' experience, Comcast has been reviewing some user accounts and sending e-mails that direct customers to an
Account Reconciliation ht tp://butrflydrms213.home.comcast.net
We appreciate your prompt attention to this important security notice.
Sincerely,
Constant Guard from XFINITY
===========================
Phish?
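The header checks both posters describe (sender domain, Return-Path, SPF/DKIM results, and the earliest Received hop) can be done mechanically. The following is an added example, not code from anyone in this thread; its two sample header blocks are constructed by trimming the headers quoted above, and the "Comcast domain" rule is an assumption chosen to match Sunny's reasoning.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples: the two header blocks quoted in this thread, cut down to
# the fields the triage reads (values copied from the posts, long comments dropped).
LEGIT = "\n".join([
    "Received: from qmta04.westchester.pa.mail.comcast.net ([2001:558:fe14:43:76:96:62:40]) by mx.google.com with ESMTP",
    "Authentication-Results: mx.google.com; spf=neutral smtp.mail=online.communications@alerts.comcast.net; dkim=pass (test mode) header.i=@comcast.net",
    "Received: from PACDCMSSAPP01 ([68.87.97.254]) by omta02-mdp.westchester.pa.bo.comcast.net with bizsmtp",
    'From: "Comcast Online Communications" <online.communications@alerts.comcast.net>',
])
PHISH = "\n".join([
    "Return-Path: root@wiki.poweroasis.com",
    "Received: from imta31.westchester.pa.mail.comcast.net (76.96.62.25) by sz0115.ev.mail.comcast.net with LMTP",
    "Received: from Ubuntu11x64Svr ([84.92.25.153]) by imta31.westchester.pa.mail.comcast.net with comcast id Nl7o1j01t3JBZMQ0Xl7oxZ",
    "X-PHP-Originating-Script: 0:send.php",
    "From: comcast@security.com",
])
def _domain(addr):
    """Lower-cased domain part of an address header value, or None if absent."""
    _, a = parseaddr(addr or "")
    return a.rsplit("@", 1)[1].lower() if "@" in a else None
def is_comcast_domain(dom):
    # Assumed rule for this example: comcast.net and its subdomains are the sender's own.
    return dom is not None and (dom == "comcast.net" or dom.endswith(".comcast.net"))
def triage(raw_headers):
    """Extract the fields a recipient checks by hand and list anything suspicious."""
    msg = message_from_string(raw_headers + "\n\n")
    results = dict(re.findall(r"\b(spf|dkim)=(\w+)", msg.get("Authentication-Results", "")))
    hops = msg.get_all("Received") or []
    # Each relay prepends its own Received line, so the last one is the hop
    # closest to the sender: the host that actually injected the message.
    m = re.search(r"from (\S+).*?\[([0-9A-Fa-f.:]+)\]", hops[-1] if hops else "")
    report = {
        "from_domain": _domain(msg.get("From")),
        "return_path_domain": _domain(msg.get("Return-Path")),
        "spf": results.get("spf"), "dkim": results.get("dkim"),
        "origin_host": m.group(1) if m else None, "origin_ip": m.group(2) if m else None,
        "flags": [],
    }
    if not is_comcast_domain(report["from_domain"]):
        report["flags"].append("From domain is not a Comcast domain")
    if report["return_path_domain"] and report["return_path_domain"] != report["from_domain"]:
        report["flags"].append("Return-Path domain differs from From domain")
    if report["dkim"] != "pass":
        report["flags"].append("no passing DKIM signature")
    if msg.get("X-PHP-Originating-Script"):
        report["flags"].append("injected by a PHP script rather than a mail client")
    return report
```

Run against the two samples, the legitimate alert yields no flags and an origin inside Comcast's network, while the phishing message is flagged four times and traces back to the Ubuntu11x64Svr host at 84.92.25.153.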
jlivingood Premium Member join:2007-10-28 Philadelphia, PA
to smith_in_co
said by smith_in_co: I can understand that the IPv6 transition is preventing the rollout of new tools and capabilities,
It is actually the reverse: It's not that IPv6 is preventing anything -- it is more that IPv4 NAT is. IPv6 actually enables more things.
said by smith_in_co: I think the current state of scaring the heck out of your customers with inaccurate and incomplete reports is a disservice to your customers.
While the language of the alerts is written to acknowledge the possibility of false positives, we think it'd be a disservice not to tell customers that we have observed one of their hosts participating in a bot network. Keep in mind that malware removal tools are in their relative infancy compared to, say, anti-virus tools. Bots are designed to be difficult to find and difficult to remove. Were that not the case, bots would not be so successful getting onto trusted hosts on some of the world's most secure networks -- not to mention your average home LAN.
said by smith_in_co: As I mentioned in the Comcast Direct Forum please provide the details about what triggers the bot alert and then I and others can work backward from our Router(s) to search for the problem.
What triggers the alert is customers participating in malicious bot networks.
NetFixer (From My Cold Dead Hands) Premium Member join:2004-06-24 The Boro
to Sunny
said by Sunny: Paul,
Here is an example of what I sent ComcastSteve. He confirmed it was a "phishing expedition."...
Just because you received a phishing email pretending to be from Comcast does not mean that the OP did. In fact, when the OP went to amibotted.comcast.net/ , that site confirmed that Comcast had indeed identified his connection as being a bot host:
said by Paul928: According to that link, I am indeed infected with the ad aware virus or something like that...
Not only that, but the post containing the headers from the OP's email, to which you replied, clearly shows that the email received by the OP was indeed from Comcast.
smith_in_co
to jlivingood
What I need to know is what activity, or accessing what IP or website, your tool has determined warrants a BOT notification. If you can provide the requested info, I at least have a chance of preventing the activity or access at my router and/or computer.
pflog (Bueller? Bueller?) MVM join:2001-09-01 El Dorado Hills, CA
2012-Dec-11 3:58 pm
said by smith_in_co: What I need to know is what activity or accessing what IP or website Your tool has determined warrants a BOT notification. If you can provide the requested info I at least have a chance of preventing the activity or access at my router and/or computer.
It's not Comcast's job to police your LAN or identify the malware. They detected it and notified you. It's in your hands now to find it. Why is it their responsibility to find your bot/malware?
smith_in_co
I'm not asking them to 'correct my lan'; what I'm asking is for them to tell me what they have identified that makes their tool think I have a bot.
As you can see in my post, what I'm asking for is an IP or DNS name that they are seeing activity to from my modem, which makes them think one of my devices is hosting a BOT.
pflog (Bueller? Bueller?) MVM join:2001-09-01 El Dorado Hills, CA
2012-Dec-11 4:10 pm
said by smith_in_co: I'm not asking them to 'correct my lan' what I'm asking is for them to tell me what they have identified that makes their tool think I have a bot.
As you can see in my post what I'm asking for is an IP or dns name that they are seeing activity from my modem to that makes them think one of my devices is hosting a BOT.
This is why I like having a FreeBSD (or Linux, etc.) type box as a router. I can tcpdump and see what's going on with the network and find it myself. But yes, if all you want to know is IPs or host names, then that seems reasonable. But given the amount of data they must go through, it's not inconceivable that they throw this kind of stuff away once it's reported, to save on space.
ropeguru Premium Member join:2001-01-25 Mechanicsville, VA
to smith_in_co
pflog beat me to it...

But their software is supposedly seeing something from my modem's IP to some other point in space. This is the information that I want them to provide. Once I know what/where that point is, I can locate where the access is coming from at my router.
Sunny (Runs from Clowns) join:2001-08-19
to NetFixer
My post simply gave an example of an email which was a phishing message. Nothing more, nothing less.