Comcast.net - Spam filters rejecting mail
Question asked by Robert Pinkerton - October 17, 2014 at 10:37 AM
We work with a number of contractors, many of whom use comcast.net email accounts. Seemingly sporadically, comcast is rejected by HostKarma - YellowList and SpamCannibal. It seems overly protective to flag the entire comcast.net domain as Spam. Is there some middle ground? I don't want to open the door to all kinds of additional junk mail but need to communicate with these contractors. I'm using Bruce's excellent settings in Spam Filtering with HostKarma - Yellowlist scoring 10 and SpamCannibal scoring the same. My Filtering is set to delete a message at 15 but I'm not seeing any scoring in the SMTP log. Both RBLs are checked to be used for incoming SMTP blocking.
 
All insights gratefully accepted.
 
Bob
 
Log Entries
[22816611] rsp: 554 Sending address not accepted due to spam filter
[22816611] Mail rejected due to SMTP Spam Blocking: HostKarma - Yellowlist, SpamCannibal
[22816611] cmd: RSET
[22816611] rsp: 250 OK
[22816611] disconnected at 10/14/2014 11:51:53 AM

2 Replies

Bruce Barnes Replied
October 17, 2014 at 12:31 PM
If you have completely followed my document, then something on Hostkarma - Yellowlist will be deleted immediately, regardless of score.
 
Are the senders using the COMCAST.NET domain, or is their domain hosted by Comcast?

If their domain is hosted by Comcast, then the domain may be what's listed in the spam databases.
 
In testing from my Comcast account, I found no issues with either of the two tests.
 
Here's the logs from a test I just did:
 
[2014.10.17] 14:14:12 [69.252.207.34][55462094] rsp: 220 securemail.chicagonettech.com  Fri, 17 Oct 2014 19:14:12 +0000 UTC | SmarterMail Enterprise 12.4
[2014.10.17] 14:14:12 [69.252.207.34][55462094] connected at 10/17/2014 2:14:12 PM
[2014.10.17] 14:14:12 [69.252.207.34][55462094] cmd: EHLO resqmta-ch2-02v.sys.comcast.net
[2014.10.17] 14:14:12 [69.252.207.34][55462094] rsp: 250-securemail.chicagonettech.com Hello [69.252.207.34]250-SIZE 52428800250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2014.10.17] 14:14:12 [69.252.207.34][55462094] cmd: STARTTLS
[2014.10.17] 14:14:12 [69.252.207.34][55462094] rsp: 220 Start TLS negotiation
[2014.10.17] 14:14:12 [69.252.207.34][55462094] cmd: EHLO resqmta-ch2-02v.sys.comcast.net
[2014.10.17] 14:14:12 [69.252.207.34][55462094] rsp: 250-securemail.chicagonettech.com Hello [69.252.207.34]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2014.10.17] 14:14:12 [69.252.207.34][55462094] cmd: MAIL FROM:<redacted@comcast.net> SIZE=3472
[2014.10.17] 14:14:14 [69.252.207.34][55462094] rsp: 250 OK <redacted@comcast.net> Sender ok
[2014.10.17] 14:14:14 [69.252.207.34][55462094] cmd: RCPT TO:<redacted@chicagonettech.com>
[2014.10.17] 14:14:14 [69.252.207.34][55462094] rsp: 250 OK <rredacted@chicagonettech.com> Recipient ok
[2014.10.17] 14:14:14 [69.252.207.34][55462094] cmd: DATA
[2014.10.17] 14:14:14 [69.252.207.34][55462094] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2014.10.17] 14:14:14 [69.252.207.34][55462094] rsp: 250 OK
[2014.10.17] 14:14:14 [69.252.207.34][55462094] Data transfer succeeded, writing mail to 69550204768.eml
[2014.10.17] 14:15:14 [69.252.207.34][55462094] cmd: QUIT
[2014.10.17] 14:15:14 [69.252.207.34][55462094] rsp: 221 Service closing transmission channel
[2014.10.17] 14:15:14 [69.252.207.34][55462094] disconnected at 10/17/2014 2:15:14 PM
[2014.10.17] 14:14:15 [04768] Delivery started for redacted@comcast.net at 2:14:15 PM

[2014.10.17] 14:14:19 [04768] Spam check results: [_SPF: Pass], [BARRACUDA - BRBL: passed], [CBL - ABUSE SEAT - DO NOT USE FOR OUTGOING!: passed], [GBUDB: passed], [HOSTKARMA - BLACKLIST: passed], [HOSTKARMA - BROWNLIST: passed], [MAILSPIKE BL: passed], [MAILSPIKE Z: passed], [SORBS - ABUSE: passed], [SORBS - DYNAMIC IP: passed], [SORBS - PROXY: passed], [SORBS - SMTP: passed], [SORBS - SOCKS: passed], [SPAMCOP: passed], [SPAMHAUS - CBL: passed], [SPAMHAUS - CSS: passed], [SPAMHAUS - PBL: passed], [SPAMHAUS - PBL2: passed], [SPAMHAUS - SBL: passed], [UCEPROTECT LEVEL 1: passed], [UCEPROTECT LEVEL 2: passed], [UCEPROTECT LEVEL 3: passed], [VIRUS RBL - MSRBL: passed], [_REVERSEDNSLOOKUP: passed], [_DK: None], [_DKIM: Pass], [SURBL - ABUSE BUSTER: passed], [SURBL - JWSPAMSPY: passed], [SURBL - MALWARE: passed], [SURBL - PHISHING: passed], [SURBL - SA BLACKLIST: passed], [SURBL - SPAMCOP WEB: passed], [URIBL - BLACK: passed], [URIBL - GREY: passed], [URIBL - MULTI: passed], [URIBL - RED: passed]
 
[2014.10.17] 14:14:21 [04768] Starting local delivery to redacted@chicagonettech.com
[2014.10.17] 14:14:21 [04768] Delivery for redacted@comcast.net to redacted@chicagonettech.com has completed (Delivered) Filter: None
[2014.10.17] 14:14:21 [04768] End delivery to redacted@chicagonettech.com
[2014.10.17] 14:14:21 [04768] Delivery finished for redacted@comcast.net at 2:14:21 PM [id:69550204768]
 
 
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
Andrew Stein Replied
October 17, 2014 at 12:36 PM
 
Before I start, you can see the scoring of emails in the Delivery log. However, if something triggers enough checks that have Enable for Incoming SMTP blocking checked so that the score is above the SMTP Blocking threshold, they get rejected right away and never make it to the delivery queue.

Anyway, first take off SMTP blocking for HostKarma Yellow. This is the description of the yellow list:
"If the result is 127.0.0.3 then the host is yellow listed. Yellow listing means that host generates some spam and some nonspam (examples: yahoo.com, hotmail.com). What that means is that this host should never be blacklisted and that other IP based blacklists should be bypassed to prevent false positives."
I've marked my score down to 0 for this check.

Regarding SpamCannibal, what is an IP address that is failing this check?
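
The following is an added example, not part of the thread and not SmarterMail's own code: a small model of the SMTP-time blocking stage described in the replies, showing why a yellow-list hit weighted like a blacklist produces the 554 rejection and how the two suggested treatments change the outcome. The zone names, the threshold of 15, the sender IP 192.0.2.10, the DNS answers, and the helper names are all assumptions constructed for illustration.

```python
import ipaddress

HOSTKARMA_ZONE = "hostkarma.junkemailfilter.com"  # assumed zone name
SPAMCANNIBAL_ZONE = "bl.spamcannibal.org"         # assumed zone name
YELLOW = "127.0.0.3"  # yellow-list return code quoted in the reply above

# Constructed DNS answers for a constructed sender IP (192.0.2.10).
FAKE_DNS = {
    "10.2.0.192." + HOSTKARMA_ZONE: {YELLOW},
    "10.2.0.192." + SPAMCANNIBAL_ZONE: {"127.0.0.2"},
}

def fake_resolve(name):
    """Stand-in for an A-record lookup; an empty set means 'not listed'."""
    return FAKE_DNS.get(name, set())

def dnsbl_name(ip, zone):
    """DNSBL query name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def smtp_decision(ip, checks, threshold, resolve, honor_yellow):
    """Return (action, score, hits) for the SMTP-time blocking stage."""
    yellow = YELLOW in resolve(dnsbl_name(ip, HOSTKARMA_ZONE))
    score, hits = 0, []
    for c in checks:
        answers = resolve(dnsbl_name(ip, c["zone"]))
        if not (answers & c["codes"] if "codes" in c else answers):
            continue
        if yellow and honor_yellow:
            continue  # yellow-listed host: bypass IP-based blacklists
        hits.append(c["name"])
        if c["smtp_block"]:  # only these weights count before the queue
            score += c["weight"]
    return ("reject-554" if score >= threshold else "accept"), score, hits

def rbl(name, zone, weight, smtp_block, codes=None):
    c = {"name": name, "zone": zone, "weight": weight, "smtp_block": smtp_block}
    return dict(c, codes=codes) if codes else c

AS_ASKED = [rbl("HostKarma - Yellowlist", HOSTKARMA_ZONE, 10, True, {YELLOW}),
            rbl("SpamCannibal", SPAMCANNIBAL_ZONE, 10, True)]
AS_ADVISED = [rbl("HostKarma - Yellowlist", HOSTKARMA_ZONE, 0, False, {YELLOW}),
              rbl("SpamCannibal", SPAMCANNIBAL_ZONE, 10, True)]

if __name__ == "__main__":
    for label, checks, honor in (("as asked", AS_ASKED, False),
                                 ("as advised", AS_ADVISED, False),
                                 ("yellow as bypass", AS_ASKED, True)):
        print(label, smtp_decision("192.0.2.10", checks, 15, fake_resolve, honor))
```

Swapping `fake_resolve` for a real A-record lookup turns the same function into a quick check of how a given sending IP would score against a proposed set of weights before changing the server's settings.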