Comcast.net - Spam filters rejecting mail
Question asked by Robert Pinkerton - 10/17/2014 at 10:37 AM
Unanswered
We work with a number of contractors, many of whom use comcast.net email accounts. Seemingly sporadically, comcast is rejected by HostKarma - YellowList and SpamCannibal. It seems overly protective to flag the entire comcast.net domain as Spam. Is there some middle ground? I don't want to open the door to all kinds of additional junk mail but need to communicate with these contractors. I'm using Bruce's excellent settings in Spam Filtering with HostKarma - Yellowlist scoring 10 and SpamCannibal scoring the same. My Filtering is set to delete a message at 15 but I'm not seeing any scoring in the SMTP log. Both RBLs are checked to be used for incoming SMTP blocking.
 
All insights gratefully accepted.
 
Bob
 
Log Entries
[22816611] rsp: 554 Sending address not accepted due to spam filter
[22816611] Mail rejected due to SMTP Spam Blocking: HostKarma - Yellowlist, SpamCannibal
[22816611] cmd: RSET
[22816611] rsp: 250 OK
[22816611] disconnected at 10/14/2014 11:51:53 AM

8 Replies

0
Bruce Barnes Replied
If you have completely followed my document, then something on Hostkarma - Yellowlist will be deleted immediately, regardless of score.
 
Are the senders using the COMCAST.NET domain, or is their domain hosted by Comcast?

If their domain is hosted by Comcast, then the domain may be what's listed in the spam databases.
 
In testing from my Comcast account, I found no issues with either of the two tests.
 
Here's the logs from a test I just did:
 
[2014.10.17] 14:14:12 [69.252.207.34][55462094] rsp: 220 securemail.chicagonettech.com  Fri, 17 Oct 2014 19:14:12 +0000 UTC | SmarterMail Enterprise 12.4
[2014.10.17] 14:14:12 [69.252.207.34][55462094] connected at 10/17/2014 2:14:12 PM
[2014.10.17] 14:14:12 [69.252.207.34][55462094] cmd: EHLO resqmta-ch2-02v.sys.comcast.net
[2014.10.17] 14:14:12 [69.252.207.34][55462094] rsp: 250-securemail.chicagonettech.com Hello [69.252.207.34]250-SIZE 52428800250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2014.10.17] 14:14:12 [69.252.207.34][55462094] cmd: STARTTLS
[2014.10.17] 14:14:12 [69.252.207.34][55462094] rsp: 220 Start TLS negotiation
[2014.10.17] 14:14:12 [69.252.207.34][55462094] cmd: EHLO resqmta-ch2-02v.sys.comcast.net
[2014.10.17] 14:14:12 [69.252.207.34][55462094] rsp: 250-securemail.chicagonettech.com Hello [69.252.207.34]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2014.10.17] 14:14:12 [69.252.207.34][55462094] cmd: MAIL FROM:<redacted@comcast.net> SIZE=3472
[2014.10.17] 14:14:14 [69.252.207.34][55462094] rsp: 250 OK <redacted@comcast.net> Sender ok
[2014.10.17] 14:14:14 [69.252.207.34][55462094] cmd: RCPT TO:<redacted@chicagonettech.com>
[2014.10.17] 14:14:14 [69.252.207.34][55462094] rsp: 250 OK <rredacted@chicagonettech.com> Recipient ok
[2014.10.17] 14:14:14 [69.252.207.34][55462094] cmd: DATA
[2014.10.17] 14:14:14 [69.252.207.34][55462094] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2014.10.17] 14:14:14 [69.252.207.34][55462094] rsp: 250 OK
[2014.10.17] 14:14:14 [69.252.207.34][55462094] Data transfer succeeded, writing mail to 69550204768.eml
[2014.10.17] 14:15:14 [69.252.207.34][55462094] cmd: QUIT
[2014.10.17] 14:15:14 [69.252.207.34][55462094] rsp: 221 Service closing transmission channel
[2014.10.17] 14:15:14 [69.252.207.34][55462094] disconnected at 10/17/2014 2:15:14 PM
[2014.10.17] 14:14:15 [04768] Delivery started for redacted@comcast.net at 2:14:15 PM

[2014.10.17] 14:14:19 [04768] Spam check results: [_SPF: Pass], [BARRACUDA - BRBL: passed], [CBL - ABUSE SEAT - DO NOT USE FOR OUTGOING!: passed], [GBUDB: passed], [HOSTKARMA - BLACKLIST: passed], [HOSTKARMA - BROWNLIST: passed], [MAILSPIKE BL: passed], [MAILSPIKE Z: passed], [SORBS - ABUSE: passed], [SORBS - DYNAMIC IP: passed], [SORBS - PROXY: passed], [SORBS - SMTP: passed], [SORBS - SOCKS: passed], [SPAMCOP: passed], [SPAMHAUS - CBL: passed], [SPAMHAUS - CSS: passed], [SPAMHAUS - PBL: passed], [SPAMHAUS - PBL2: passed], [SPAMHAUS - SBL: passed], [UCEPROTECT LEVEL 1: passed], [UCEPROTECT LEVEL 2: passed], [UCEPROTECT LEVEL 3: passed], [VIRUS RBL - MSRBL: passed], [_REVERSEDNSLOOKUP: passed], [_DK: None], [_DKIM: Pass], [SURBL - ABUSE BUSTER: passed], [SURBL - JWSPAMSPY: passed], [SURBL - MALWARE: passed], [SURBL - PHISHING: passed], [SURBL - SA BLACKLIST: passed], [SURBL - SPAMCOP WEB: passed], [URIBL - BLACK: passed], [URIBL - GREY: passed], [URIBL - MULTI: passed], [URIBL - RED: passed]
 
[2014.10.17] 14:14:21 [04768] Starting local delivery to redacted@chicagonettech.com
[2014.10.17] 14:14:21 [04768] Delivery for redacted@comcast.net to redacted@chicagonettech.com has completed (Delivered) Filter: None
[2014.10.17] 14:14:21 [04768] End delivery to redacted@chicagonettech.com
[2014.10.17] 14:14:21 [04768] Delivery finished for redacted@comcast.net at 2:14:21 PM [id:69550204768]
 
 
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Andrew Stein Replied
 
Before I start, you can see the scoring of emails in the Delivery log. However, if something triggers enough checks that have Enable for Incoming SMTP blocking checked so that the score is above the SMTP Blocking threshold, they get rejected right away and never make it to the delivery queue.

Anyway, first take off SMTP blocking for HostKarma Yellow. This is the description of the yellow list:
"If the result is 127.0.0.3 then the host is yellow listed. Yellow listing means that host generates some spam and some nonspam (examples: yahoo.com, hotmail.com). What that means is that this host should never be blacklisted and that other IP based blacklists should be bypassed to prevent false positives."
I've marked my score down to 0 for this check.

Regarding SpamCannibal, what is an IP address that is failing this check?
0
Bruce Barnes Replied
See post immediately above yours. I tested Comcast using the same configuration and nothing was blocked.

The OP's situation has other issues.
0
Andrew Stein Replied
69.252.207.33 does fail the HostKarma yellow list though as per below.

[2014.10.17] 07:42:46 [01040] Delivery started for redacted@comcast.net at 7:42:46 AM
[2014.10.17] 07:42:50 [01040] Spam check results: [BARRACUDA - BRBL: passed], [CBL - ABUSE SEAT: passed], [GBUDB.COM: passed], [HOSTKARMA - BLACKLIST: passed], [HOSTKARMA - BROWNLIST: passed], [SORBS - ABUSE: passed], [SORBS - DYNAMIC IP: passed], [SORBS - PROXY: passed], [SORBS - SMTP: passed], [SORBS - SOCKS: passed], [SPAMHAUS - CBL: passed], [SPAMHAUS - CSS: passed], [SPAMHAUS - PBL: passed], [SPAMHAUS - PBL2: passed], [SPAMHAUS - SBL: passed], [UCEPROTECT LEVEL 1: passed], [UCEPROTECT LEVEL 2: passed], [UCEPROTECT LEVEL 3: passed], [VIRUS RBL - MSRBL: passed], [_REVERSEDNSLOOKUP: passed], [_SPF: Pass], [_DK: None], [_DKIM: Pass], [HOSTKARMA - NOBLACKLIST: passed], [HOSTKARMA - WHITELIST: passed], [HOSTKARMA - YELLOW LIST: failed], [SORBS - SPAM: passed], [SURBL - MULTI.SURBL.ORG: passed], [URIBL - BLACK: passed], [URIBL - GREY: passed], [URIBL - MULTI: passed], [URIBL - RED: passed], [URIBL - SEM-FRESH15: passed], [URIBL - SPAMHAUS: passed]

> 33.207.252.69.hostkarma.junkemailfilter.com
Server: mailer2.workgroup.local
Address: 192.168.250.65

Non-authoritative answer:
Name: 33.207.252.69.hostkarma.junkemailfilter.com
Addresses: 127.0.1.1
127.0.0.3

>
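
Added example, not part of the thread or of SmarterMail: a Python sketch of the lookup shown in the nslookup output above and of how the yellow-list answer feeds SMTP blocking under the weights the original poster described. The check names, the threshold of 15 and the function names are assumptions made for illustration; no DNS query is sent.

```python
import ipaddress

HOSTKARMA_ZONE = "hostkarma.junkemailfilter.com"
YELLOW = "127.0.0.3"  # yellow-list answer, per the description quoted in the thread
YELLOW_CHECK = "HostKarma - Yellowlist"

def dnsbl_query_name(ip, zone=HOSTKARMA_ZONE):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def score_connection(hostkarma_answers, other_ip_hits, weights, yellow_bypasses):
    """Score one connecting IP; returns (score, fired_checks).

    hostkarma_answers: A records returned for the HostKarma query name.
    other_ip_hits: other IP-based lists that returned a listing.
    yellow_bypasses: if True, skip the other IP-based lists for a
    yellow-listed host, as the list description recommends.
    """
    yellow = YELLOW in hostkarma_answers
    fired = []
    if yellow and weights.get(YELLOW_CHECK, 0) > 0:
        fired.append(YELLOW_CHECK)
    if not (yellow and yellow_bypasses):
        fired.extend(other_ip_hits)
    return sum(weights.get(name, 0) for name in fired), fired

def smtp_blocked(score, threshold):
    """Reject at SMTP time once the summed weights reach the threshold."""
    return score >= threshold

# Constructed sample: the two A records from the nslookup in the thread
# (127.0.1.1 is not explained there and is ignored), plus a SpamCannibal
# hit as in the original poster's rejection line.
ANSWERS = ["127.0.1.1", "127.0.0.3"]
OTHER_HITS = ["SpamCannibal"]
THRESHOLD = 15  # assumption: SMTP blocking threshold equal to the delete score
AS_POSTED = {YELLOW_CHECK: 10, "SpamCannibal": 10}
ADJUSTED = {YELLOW_CHECK: 0, "SpamCannibal": 10}

if __name__ == "__main__":
    print(dnsbl_query_name("69.252.207.33"))
    for label, weights, bypass in (("as posted", AS_POSTED, False),
                                   ("yellow scored 0", ADJUSTED, False),
                                   ("yellow as bypass", ADJUSTED, True)):
        score, fired = score_connection(ANSWERS, OTHER_HITS, weights, bypass)
        print(label, score, fired, "blocked" if smtp_blocked(score, THRESHOLD) else "accepted")
```

With the posted weights the two hits sum to 20 and the connection is rejected before any delivery-log scoring happens; scoring the yellow list at 0 leaves only the SpamCannibal weight, which stays under the threshold.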

0
Robert Pinkerton Replied
Thanks, Bruce. From the SMTP log I see, in one specific case, an email address of comcast.net but the server is as below:

cmd: EHLO mailservernameredacted.secureserver.net - the IP address is 173.201.193.104 which I show as belonging to GoDaddy.
0
Robert Pinkerton Replied
Thanks, Andrew. I meant the Delivery log for scoring not the SMTP log. I updated in a comment to Bruce above which may be the source of this issue.
0
Andrew Stein Replied
No problem. For whatever it's worth, 173.201.193.104 is listed on HostKarma's Yellow list so emails from there will also trigger that rule.
0
Robert Pinkerton Replied
Much appreciated. I was hoping it was something simple like comcast being blocked but this will be a little more involved. Truly appreciate your assistance.
