Paul928
Member
join:2000-05-06
Haverhill, MA

to Sunny

Re: Constant Guard Security Alert?

said by Sunny:

Check the addressee for the email you received and the email headers. I occasionally get those, but they are not actually from a Comcast domain.

When I do, I give the header info to ComcastSteve and he reports them.

Here are the addresses:

Received: by 10.224.70.205 with SMTP id e13mr2149780qaj.77.1355137742039;
Mon, 10 Dec 2012 03:09:02 -0800 (PST)
Return-Path:
Received: from qmta04.westchester.pa.mail.comcast.net (qmta04.westchester.pa.mail.comcast.net. [2001:558:fe14:43:76:96:62:40])
by mx.google.com with ESMTP id p4si8027436qct.98.2012.12.10.03.09.01;
Mon, 10 Dec 2012 03:09:01 -0800 (PST)
Received-SPF: neutral (google.com: 2001:558:fe14:43:76:96:62:40 is neither permitted nor denied by domain of online.communications@alerts.comcast.net) client-ip=2001:558:fe14:43:76:96:62:40;
Authentication-Results: mx.google.com; spf=neutral (google.com: 2001:558:fe14:43:76:96:62:40 is neither permitted nor denied by domain of online.communications@alerts.comcast.net) smtp.mail=online.communications@alerts.comcast.net; dkim=pass (test mode) header.i=@comcast.net
Received: from imta06.westchester.pa.mail.comcast.net ([76.96.62.53])
by qmta04.westchester.pa.mail.comcast.net with comcast
id Zn8q1k00218vZRY54n91sL; Mon, 10 Dec 2012 11:09:01 +0000
Received: from qmta01-mdp.westchester.pa.bo.comcast.net ([76.96.68.101])
by imta06.westchester.pa.mail.comcast.net with comcast
id ZmrW1k00o2B5erw06n5h3l; Mon, 10 Dec 2012 11:05:41 +0000
Received: from omta02-mdp.westchester.pa.bo.comcast.net ([76.96.53.12])
by qmta01-mdp.westchester.pa.bo.comcast.net with comcast
id ZlBz1k0010FoFkC01n5hov; Mon, 10 Dec 2012 11:05:41 +0000
Received: from PACDCMSSAPP01 ([68.87.97.254])
by omta02-mdp.westchester.pa.bo.comcast.net with bizsmtp
id Zn5h1k00F5VJHpw07n5hxU; Mon, 10 Dec 2012 11:05:41 +0000
From: "Comcast Online Communications"
Paul928

Member

Well, after doing all those scans most of the evening, I still come up with nothing found! I'm starting to believe, as many here do, that this may be a false positive of some sort. From the little research that I've done on this subject, I guess this has been going on for a while, and people seem to come up with the same results as I have. Just wondering when or if Xfinity is going to fix this and stop scaring the crap out of its customers!

jlivingood
Premium Member
join:2007-10-28
Philadelphia, PA

Not all malware infections are detected using free or commercial tools - this is not like anti-virus. Something to keep an eye on.

We're developing some new tools & capabilities in 2013 that will take this to the next level, since IPv4 NAT currently is a limiting technical factor for us.

KHAOS1
Anon
@comcast.net

to Paul928
Do you have a wireless router either with no password or a very weak one? Someone could be piggybacking on your network! Does your neighbor have your password? Has your daughter given it to a friend? Check your router logs, see how many connected devices you see, and verify MAC addresses.
smith_in_co
Member
join:2003-12-12
Colorado Springs, CO

to jlivingood
I can understand that the IPv6 transition is preventing the rollout of new tools and capabilities, but like Paul928 mentioned, I think the current state of scaring the heck out of your customers with inaccurate and incomplete reports is a disservice to your customers. Not to mention the hours/$ your customers are spending working on something that can't be found.

As I mentioned in the Comcast Direct Forum please provide the details about what triggers the bot alert and then I and others can work backward from our Router(s) to search for the problem.

Also, I know that these bot alerts have been around since 2010, and I have been a Comcast/Adelphia customer for over 25 years, but my issues with getting them only started when the new version was put in last week, so please also review what changed last week that might be causing more false alerts than were created in the past.

Thank You.
smith_in_co

Member

to KHAOS1
Yes, I have a wireless router using a long WPA2 key with all types of characters. In addition, I use software such as inSSIDer, so I know what other Wi-Fi networks are in the area, and I review my router's reports to see if there is any access from computers other than ours.

Paul928
Member
join:2000-05-06
Haverhill, MA

I too have a wireless router that is pretty well locked down. And no, my daughter has never given out the password to anybody! Just out of curiosity, I'm wondering if people who have Constant Guard on their computer are also getting these warnings, or, for that matter, if a scan is done with Constant Guard, whether any such malware has been detected. I would also think that, between all these programs and scans being run (free or paid), at least one of them would be able to detect this "mystery" malware! I for one have spent enough of my time on this, and outside of actually doing a format on both my computers, have done all I can do! I am almost tempted to download a copy of Constant Guard to see, as an experiment, if it picks up on this exploit, even though I have always had a personal policy of keeping my computers as clean as I can by not installing resource-hog programs like Constant Guard. Might be worth it, though, just to ease my own mind.

Sunny
Runs from Clowns
join:2001-08-19

to Paul928
Paul,

Here is an example of what I sent ComcastSteve. He confirmed it was a "phishing expedition."

Notice the two bolded email domains. I would expect an email from Comcast to come from the comcast.com domain, so I was immediately suspicious.
================================

This morning I got an odd email to one of my Comcast email accounts, one I don't use heavily, just have some political stuff occasionally.

At first glance, I thought the subject was Constant Guard Alert. That struck me as odd since I have not installed Constant Guard.

The title is actually Comcast Guard Alert. Hmmm. It says it is from Comcast@security.com. Another hmmmm.

It has a link it wants me to click. The link is disguised as "Account Reconciliation" which covers the actual link ---> ht tp://butrflydrms213.home.comcast.net

Email headers:

Return-Path: root@wiki.poweroasis.com
Received: from imta31.westchester.pa.mail.comcast.net (LHLO
imta31.westchester.pa.mail.comcast.net) (76.96.62.25) by
sz0115.ev.mail.comcast.net with LMTP; Fri, 15 Jun 2012 21:07:49 +0000 (UTC)
Received: from Ubuntu11x64Svr ([84.92.25.153])
by imta31.westchester.pa.mail.comcast.net with comcast
id Nl7o1j01t3JBZMQ0Xl7oxZ; Fri, 15 Jun 2012 21:07:49 +0000
X-CAA-SPAM: 00000
X-Authority-Analysis: v=2.0 cv=WZ2OmjdX c=1 sm=1
a=p3riUwRaJWU4p/K8+3S3WQ==:17 a=YWNZQc2wkpcA:10 a=HRn4fpiT8EsA:10
a=cVHRbVdmAAAA:8 a=C_IRinGWAAAA:8 a=Baj1MykYeoxCemNOp18A:9
a=p3riUwRaJWU4p/K8+3S3WQ==:117
Received: from root by Ubuntu11x64Svr with local (Exim 4.76)
(envelope-from )
id 1Sfdi5-0006N0-6g
for xxxxxxx@comcast.net; Fri, 15 Jun 2012 22:05:37 +0100
To: xxxxxxx@comcast.net
Subject: Comcast Guard Alert
X-PHP-Originating-Script: 0:send.php
From: comcast@security.com
Content-Type: text/html
Message-Id:
Date: Fri, 15 Jun 2012 22:05:37 +0100
X-Brightmail-Tracker: AAAAAA==
X-Brightmail-Tracker: AAAAAA==

Email message:

Xfinity

Constant Guard Alert

Dear XFINITY Customer,

Please read this entire message.

In an effort to improve our customers' experience,
Comcast has been reviewing some user accounts and sending e-mails that direct customers to an

Account Reconciliation
ht tp://butrflydrms213.home.comcast.net

We appreciate your prompt attention to this important security notice.

Sincerely,

Constant Guard from XFINITY
===========================

Phish?
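As an added illustration (not code from any post in this thread), the script below applies the checks Sunny and Paul928 describe to abridged, constructed copies of the two header sets quoted above: it compares the From and Return-Path domains, reads the SPF/DKIM results from Authentication-Results, finds the first Received hop, and notes the X-PHP-Originating-Script header. The legitimate alert's From and Return-Path addresses are stripped on the page, so the envelope sender shown in its Received-SPF line is assumed for both.

```python
import email
import email.utils
import re

# Constructed sample header sets, abridged from the two messages quoted in this thread.
# The legitimate message's stripped addresses are assumed from its Received-SPF line.
LEGIT = """\
Return-Path: <online.communications@alerts.comcast.net>
Received: from qmta04.westchester.pa.mail.comcast.net ([2001:558:fe14:43:76:96:62:40]) by mx.google.com with ESMTP
Authentication-Results: mx.google.com; spf=neutral smtp.mail=online.communications@alerts.comcast.net; dkim=pass (test mode) header.i=@comcast.net
Received: from PACDCMSSAPP01 ([68.87.97.254]) by omta02-mdp.westchester.pa.bo.comcast.net with bizsmtp
From: "Comcast Online Communications" <online.communications@alerts.comcast.net>
Subject: Constant Guard Security Alert
"""
PHISH = """\
Return-Path: root@wiki.poweroasis.com
Received: from Ubuntu11x64Svr ([84.92.25.153]) by imta31.westchester.pa.mail.comcast.net with comcast
Received: from root by Ubuntu11x64Svr with local (Exim 4.76)
Subject: Comcast Guard Alert
X-PHP-Originating-Script: 0:send.php
From: comcast@security.com
"""

def domain_of(addr):
    # Lower-cased domain part of 'Name <user@host>' or 'user@host' ('' if absent).
    return email.utils.parseaddr(addr or "")[1].rpartition("@")[2].lower()

def triage(raw, expected="comcast.net"):
    """Return sender-domain, SPF/DKIM and first-hop facts plus a list of red flags."""
    msg = email.message_from_string(raw)
    from_dom, rp_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)", auth)
    dkim = re.search(r"dkim=(\w+)(?:.*?header\.i=@([\w.-]+))?", auth)
    # Received headers are prepended by each relay, so the last one is the first hop.
    hops = (re.search(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\]", h)
            for h in reversed(msg.get_all("Received", [])))
    origin = next((m.groups() for m in hops if m), None)
    flags = []
    if from_dom != expected and not from_dom.endswith("." + expected):
        flags.append(f"From domain {from_dom!r} is not under {expected}")
    if rp_dom and rp_dom != from_dom:
        flags.append(f"Return-Path domain {rp_dom!r} differs from From domain")
    if not (dkim and dkim.group(1) == "pass" and (dkim.group(2) or "").endswith(expected)):
        flags.append("no passing DKIM signature for the claimed domain")
    if "X-PHP-Originating-Script" in msg:
        flags.append("generated by a PHP script (X-PHP-Originating-Script)")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "spf": spf and spf.group(1), "dkim": dkim and dkim.group(1),
            "origin": origin, "flags": flags}
```

Run against the two samples, the legitimate alert yields no flags while the phishing message trips all four checks; the first-hop host and IP are what you would hand to an abuse desk.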


jlivingood
Premium Member
join:2007-10-28
Philadelphia, PA

to smith_in_co
said by smith_in_co:

I can understand that the IPv6 transition is preventing the rollout of new tools and capabilities,

It is actually the reverse: It's not that IPv6 is preventing anything -- it is more that IPv4 NAT is. IPv6 actually enables more things.
said by smith_in_co:

I think the current state of scaring the heck out of your customers with inaccurate and incomplete reports is a disservice to your customers.

While the language of the alerts is written to acknowledge the possibility of false positives, we think it'd be a disservice not to tell customers that we have observed one of their hosts participating in a bot network. Keep in mind that malware removal tools are in their relative infancy compared to, say, anti-virus tools. Bots are designed to be difficult to find and difficult to remove. Were that not the case, bots would not be so successful getting onto trusted hosts on some of the world's most secure networks -- not to mention your average home LAN.
said by smith_in_co:

As I mentioned in the Comcast Direct Forum please provide the details about what triggers the bot alert and then I and others can work backward from our Router(s) to search for the problem.

What triggers the alert is customers participating in malicious bot networks.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

to Sunny
said by Sunny:

Paul,

Here is an example of what I sent ComcastSteve. He confirmed it was a "phishing expedition."...

Just because you received a phishing email pretending to be from Comcast does not mean that the OP did. In fact, when the OP went to amibotted.comcast.net/, that site confirmed that Comcast had indeed identified his connection as being a bot host:
said by Paul928:

According to that link, I am indeed infected with the ad aware virus or something like that...

Not only that, but the post containing the headers from the OP's email to which you replied clearly shows that the email received by the OP was indeed from Comcast.
smith_in_co
Member
join:2003-12-12
Colorado Springs, CO

to jlivingood
What I need to know is what activity, or access to what IP or website, your tool has determined warrants a BOT notification. If you can provide the requested info, I at least have a chance of preventing the activity or access at my router and/or computer.

pflog
Bueller? Bueller?
MVM
join:2001-09-01
El Dorado Hills, CA
said by smith_in_co:

What I need to know is what activity or accessing what IP or website Your tool has determined warrants a BOT notification. If you can provide the requested info I at least have a chance of preventing the activity or access at my router and/or computer.

It's not Comcast's job to police your LAN or identify the malware. They detected it and notified you. It's in your hands now to find it. Why is it their responsibility to find your bot/malware?
smith_in_co
Member
join:2003-12-12
Colorado Springs, CO
I'm not asking them to 'correct my LAN'; what I'm asking is for them to tell me what they have identified that makes their tool think I have a bot.

As you can see in my post, what I'm asking for is an IP or DNS name that they are seeing activity to from my modem, which makes them think one of my devices is hosting a BOT.

pflog
Bueller? Bueller?
MVM
join:2001-09-01
El Dorado Hills, CA
said by smith_in_co:

I'm not asking them to 'correct my lan' what I'm asking is for them to tell me what they have identified that makes their tool think I have a bot.

As you can see in my post what I'm asking for is an IP or dns name that they are seeing activity from my modem to that makes them think one of my devices is hosting a BOT.

This is why I like having a FreeBSD (or Linux, etc) type box as a router. I can tcpdump and see what's going on with the network and find it myself.

But yes, if all you want to know is IP or host names, then that seems reasonable. But given the amount of data they must go through, it's not inconceivable that they throw this kind of stuff away once it's reported, to save on space.

ropeguru
Premium Member
join:2001-01-25
Mechanicsville, VA

to smith_in_co
pflog beat me to it...
smith_in_co
Member
join:2003-12-12
Colorado Springs, CO
But their software is supposedly seeing something from my modem's IP to some other point in space. This is the information that I want them to provide. Once I know what/where that point is, I can locate where the access is coming from at my router.

Sunny
Runs from Clowns
join:2001-08-19

to NetFixer
My post simply gave an example of an email which was a phishing message. Nothing more, nothing less.