(Last updated: Wed Sep 24, 2008)

Comcast mail rant!

Update: 09/24/2008 - I've made a few corrections and added information about Comcast not liking having more than one simultaneous SMTP connection with the same user ID. Something that's very easy to do with Linux.

Update: 04/16/2007 - I just found out that Comcast filters outgoing emails. I created a program which checks URLs and reports back its findings by email (Link Checker). When the link count was around 190 links (URLs/href) then I couldn't send out the email. If it was less the email would be sent. Not really much of a rant, more of some information that I figured out by trial and error (that doesn't mean it's correct).

I think I've also figured out why Comcast seems to think the email I'm sending is spam. I'm guessing that spammers are now using their botnets to send out spam in small quantities (one or two messages at a time). If you've got a couple million zombie bots, each sending only a few messages a day it lowers the chance that someone will catch the presence of a zombie bot.

On 02/21/2007 I received a rather strange email message in my mailbox. A security announcement from Comcast, a quick look at it and it didn't look valid. It was HTML source and nothing else (MSHTML actually with lots of <TABLE height=275 cellSpacing=6 cellPadding=6 width=432 border=0> in the document making it unreadable). I checked the URLs and they didn't match (see below). Just one more spam/phishing expedition, at least that's what I thought. A few days later my Comcast email addresses were no longer able to send email. This had been happening from time to time over the last few months, so this wasn't too unusual. Next day the same thing, no outgoing email. I tried a few obvious things like port 587 but nothing. Later, a call to the support desk didn't get me very far as they didn't seem to know much about this recent change and had me going through the usual script. I will give this tech his due, he was quick to realize that script wouldn't work and he used his head to come up with solutions. He was also very polite! It would have been nice if one side of Comcast support informed the other what was going on. Anyway, halfway through the call I managed to get port 587 set up and working with Thunderbird (it hadn't worked in the hours before and I attempted all sorts of configurations). The CS tech documented the solution I had performed and the call ended. Now that Thunderbird was working it was time to work on Sendmail.

Now let's take a quick look at that email I received a few days beforehand. As I said, the message was unintelligible as it was filled with more HTML tags than content (MSHTML tags! and/or very bad HTML tags). Strange, I don't have that problem when I send HTML mail. So I received no intelligible message that this was in progress, but a friend had recently mentioned having mail problems and told me he had to change the port number. Here's a sample, I was very (un)impressed with the links such as:

  • <a href=""></a>
  • <a href=""></a>
  • <a href=""></a>

As you can see, the source HTML and where the links go don't look quite right. They suggest Comcast but someone else could have registered the above address (spammers do it all the time). Bravo Comcast, you know how to look like spam or phishers!
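The check described above (does the address shown in a link match where its href actually goes?) can be automated. This is an added example, not part of the original page; the sample HTML and every hostname in it are constructed, since the real message's links are not reproduced here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, NOT the actual Comcast message.
SAMPLE_HTML = """
<TABLE height=275 cellSpacing=6 cellPadding=6 width=432 border=0><TR><TD>
<a href="http://isp.example/help/port587">http://isp.example/help/port587</a>
<a href="http://tracker.example.net/r?id=1">http://www.isp.example/security</a>
<a href="http://203.0.113.7/faq">Click here for the FAQ</a>
</TD></TR></TABLE>
"""

# A hostname that appears in the visible link text, with or without a scheme.
URL_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(name):
    """Lower-case a hostname and drop a leading 'www.' before comparing."""
    name = (name or "").lower()
    return name[4:] if name.startswith("www.") else name

def mismatched_links(html):
    """Return (shown_host, real_host) for links whose text names another host."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        shown = URL_IN_TEXT.search(text)
        target = host(urlparse(href).hostname)
        if shown and host(shown.group(1)) != target:
            findings.append((host(shown.group(1)), target))
    return findings
```

Links whose text is plain wording ("Click here ...") are not flagged, because there is no displayed address to compare against; those still need the destination checked by hand.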

Okay, so let's look at a portion of the email header to see who it's from:

  Received: from abuse-garee (unknown[])
            by (alnrmhc12) with SMTP
            id <20070221071625b12001lnjoe>; Wed, 21 Feb 2007 07:16:25 +0000

Hmm, looks like it's spam or a phishing expedition. When I use my tools to determine the machine name (dnsname) I get no machine name. I go through a lot of trouble to help folks identify mail that tries to trick the end user, and Comcast sends out legitimate email that looks like a phisher. That's real stupid, Comcast!

Here's the rub, it's really from Comcast. They're trying to tell me I need to use a different port to send mail. So now that I've determined that I must change the port and that Comcast is asking me to do just that, let's figure out how to do that.

For Thunderbird it's not really hard. Just edit the outgoing mail server for each ID you have in Thunderbird (that is using Comcast to send email) and change the port from 25 to 587 (see Comcast FAQ #25 for more details). For Sendmail we have a lot of work to do.

So today (02/26), after all this, I decided to copy the HTML source into a file so I can see it in Firefox. The first lines of the message say:

"ACTION REQUIRED: Comcast has determined that your computer(s) have been used to send unsolicited email ("spam"), which is generally an indicator of a virus. ... "

Uhm, no they haven't! Apparently Comcast thinks that my machines are spewing spam. Mostly it's Linux boxes so it's unlikely that there is a virus or trojan on those boxes (I run RootKit Hunter and I keep an eye on the general traffic, so I'm confident that I'm still in control). My Windows boxes barely run, I run one for work and it's pretty secure. My machines don't send out that much traffic at any one time. I'm puzzled as to why they think that I'm sending spam. But to be sure I'm going to add tools to further check for outgoing unusual traffic. I'm going to have to do a traffic analysis of my current network. It is possible that the combined devices (about a dozen) are requesting updates. I may have to move them to a private VLAN. I'm still not convinced that this is correct.

I have the following going for me:

  • I'm running Linux (since 1992), not Windows, and I'm the administrator (but I do most work as a regular user).
  • I've been working with Unix since 1985 and computers since 1978.
  • I'm a network services test engineer in AT&T Labs, I didn't get that job by accident. I had better know something about computers and networks or I wouldn't have kept the job this long (19 years).
  • I wrote a book on Linux and Home Automation! Okay, so that doesn't really prove that much! ;-)
  • I'm not so sure that I can't be wrong that I won't retract and apologize for anything above.