Friday, October 19, 2007

Comcast Mysteries: Am I a spambot? & SMTP Port 25 or 587?

I've been a bit "miffed" lately.

A few nights ago Lavie couldn't find a few of her favorite cable channels. And a few others had gone "static" as well. We program our favorites into the TV's so we can skip the ones we don't watch, so by going though them manually, we figured out where they went and suspected a channel lineup change. This was later confirmed in the local paper.

So it was time to do some reprogramming of the televisions and recording units.

Then we got this mysterious email...

Assessing Abuse-garee

I'll spare you the details but it began a bit suspiciously on several levels.

Dear Comcast High-Speed Internet Customer,

Please read this entire message, review the required action(s) below,
and send a prompt reply message to acknowledge receipt of this email.

Explanation:

We have confirmed that your computer has been involved in attempted
virus propagation, an activity that is in violation of the Comcast Terms
of Service Agreement. The reporting parties have provided logged
information, which identifies the IP address of the computer that was
attempting to transmit the virus. The IP address listed was one that was
assigned to your computer at the date and time in question.
Also included were a number of moderately-helpful generic suggestions on how my system may have become infected, mediation steps, and some "helpful" html-weblinks.

Since I have been on the record before about being suspicious about similar emails (Phish bait) I did some checking first before getting into a panic and responding.

First I checked the HTML link code. They all seemed legit and did point back to legitimate Comcast website addresses.

Then I checked the IP address of the sender. It was in the range of Comcast owned addresses based on ARIN WHOIS. OK. So far so good. I then did a Google search on abuse-garee and found a handful of hits, including this one that was very helpful: Linux Home Automation - Comcast mail rant!

So by now I was pretty comfortable believing that the email was legitimate from Comcast.
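The link check described above can be scripted so that it compares each link's real host, not its visible text, against the domains you expect. This is an added example, not code from the original post; the trusted-domain list and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains this reader already trusts for the sender.
TRUSTED_DOMAINS = {"comcast.net", "comcast.com"}

# Constructed sample message (not the notice the post describes).
SAMPLE = (
    "From: notice@example.invalid\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<p><a href="http://www.comcast.net/help/">Help</a>\n'
    '<a href="http://www.comcast.net.example.org/login">www.comcast.net</a>\n'
    '<a href="http://www.comcast.net@203.0.113.5/x">Security</a></p>\n'
)

class HrefCollector(HTMLParser):
    """Collect the href of every <a> element, ignoring the visible text."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def host_is_trusted(host):
    """True only for a trusted domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def suspicious_links(raw_message):
    """Return (href, host) for each link whose real host is not trusted."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True)
        html = body.decode(part.get_content_charset() or "utf-8", "replace")
        collector = HrefCollector()
        collector.feed(html)
        for href in collector.hrefs:
            host = urlsplit(href).hostname  # drops any user@ prefix
            if not host_is_trusted(host):
                findings.append((href, host))
    return findings

if __name__ == "__main__":
    for href, host in suspicious_links(SAMPLE):
        print(f"{host}: {href}")
```

Links with no web host at all (relative or mailto links) are also reported, with a host of None, so they get a manual look.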

Am I compromised?

So, while I didn't think any of my systems were compromised I had to re-verify their status, just for my own personal peace-of-mind.

Alvis's Linux box hasn't been on for weeks, so I quickly discounted that one. How do I know? The pile of teen-detritus on top of her keyboard and blocking her pc cabinet door hasn't moved in that time. Besides, it's Linux. That's kinda like baiting an Apple user and telling them their pc is a virus-factory. Pick a fight elsewhere. You'll generally lose.

So that left me a Vista system and two XP Home SP2 systems.

While I doubted I'd find anything, it is important to objectively verify or discount all potential reports of security breaches. My systems are all fully patched and up to date. I run a variety of security applications as well as a firewall (inbound/outbound monitoring), and a hardware-based firewall/router. We don't have a wireless network that someone could have hacked.

I went through each system running full system hard-drive scans using AVG Free. Then I went through them and did full-drive scans using a series (four) of my favorite anti-malware scanners. I did rootkit scans. All came back clean. I ran a tool that monitored all my network connections looking for any unexpected findings. All were normal. I finally checked all my autorun entries as well as the running system processes. Nothing out of the ordinary.

So after a lot of work, I was left with two possible conclusions...one of my systems was so compromised that I couldn't even find evidence...and maybe should do complete reformats of every one...or Comcast made a mistake.

Re-View

The automated email that I got from Comcast's abuse-garee wasn't very helpful on the surface. It did appear to be focused on virus propagation activity. As far as I could technically tell I had ruled out that being the case...unless it was an as-yet-unknown variety. Certainly possible.

To the best of my knowledge Comcast's cable modems use dynamic IP addresses, so it might be possible that my IP address had been updated recently and now I was assigned one from a previous user that had been infected, and thusly, tag-I'm-it.

Comcast's email was clearly a canned response likely geared to average (non-technical) users.

It did not contain any time/date event log information.

It did not contain any information about the file or attachment that was being propagated.

I have never received one previously from Comcast, so it didn't seem like the problem (if accurate) had been occurring until just very recently.

It didn't contain information as to the destination(s) of the propagation techniques.

Any one of those elements might have been helpful to me.

Just about the only clue I had to go on, was that this "event" appeared to have been reported to Comcast by an outside party...but again, no name or clues for follow-up.

Lavie's Lead

So today, while I was recovering at home from a stomach-bug and Lavie was nursing me to health, she mentioned she was having a problem with her laptop.

Turns out she had forwarded several emails the other day to me (at work) as well as to her Gmail account from our desktop pc.

Her laptop has Thunderbird configured to pull mail from her Gmail account but although I got them at work, she never got them through her Gmail account and back to her Thunderbird client.

I asked her if she had logged in to Gmail, not via Thunderbird client, but directly into the web page. She said she hadn't as she forgot her password and it never made it into our KeePass Password Safe keeper application.

I went to her laptop and pulled Thunderbird up and went into something like Tools --> Options --> Security --> View Saved Passwords. Then in the Password Manager, clicked "Show Passwords."

With that information in hand, I logged into Lavie's Gmail account on the web.

None of her emails were in the main window, so I checked under "Spam" and.....There they all were.

We tagged them as "Not Spam" and then sent an email back to our comcast.net account to ensure that email address was in the Gmail contacts and wouldn't be tagged again.

What do you think?

Do you think that Gmail's spam-filtering machine sent an automated spam-abuse alert back to Comcast? That would have contained our IP address in the sender's field, and since Lavie forwarded multiple emails at about the same time, it surely could have triggered a "spam-bot" tripwire in Gmail.

The emails were all sent shortly before we got the Comcast warning email. So that fits as well.

I also sent one from our desktop account to my own Gmail address and somehow it also ended up in my own Gmail spam folder. Interesting. I had sent emails this way before, but I went ahead and sent one back to ensure it was also in my own Gmail contact list.

Per Comcast's abuse-garee request, I did reply to the original email I got confirming its receipt, as well as outlining my issues with the lack of detail they provided, assurances that my systems appeared clean, requesting more information on the reported event, and my findings above that I suspected triggered the alert in the first place.

I'll let you know if I hear anything back.

Which then led me to this...

Bonus: Which SMTP port do you want me to use, Comcast?

Of interest, we are using port 25 for our Outgoing email server setting to send desktop account email to Comcast. Is and has been working just fine.

I got that value when we transitioned over from TimeWarner Roadrunner's settings using the following guides from Comcast.

How do I setup Thunderbird for E-mail? - Comcast FAQ's

How to verify Thunderbird settings - Comcast FAQ's. Note in this one, the last screen-shot clearly shows the outgoing mail server SMTP server port set as "25".

However, based on this post I mentioned, it seems that Comcast really wants Thunderbird users to use port 587 instead.

How to configure Thunderbird to use port 587 for sending e-mail - Comcast FAQ's

This MozillaZine article has a bit more info: Creating accounts in Thunderbird for popular email providers ...

Comcast documents two SMTP configurations, an unsecure connection using port 25 and a secure connection using "TLS if available" and port 587. If you get an error message that the SMTP server may be unavailable or refusing SMTP connections there is an undocumented configuration that several users have gotten to work. Use port 465, set "use secure connection" to SSL, check the authentication required box and provide your full Comcast address as the username.

I haven't changed it yet, but might just do so if I hear back from Comcast. Funny they didn't specifically ask me to do so...

Looks like a few other Comcast folk have tripped over this:

Comcast Blocking Port 25? ~ usrbingeek’s musings

port 587 - CNET Mac software Forums

Port Of Call And Other Outlook Adventures ~ IT Professionals

"Does my ISP block port 25?" - DreamHost Knowledge Base

With respect to Mr. Ollivander, "Curious...very curious..."

--Claus

Update: Lavie forwarded another few to her Gmail account and we got a fresh warning message from Comcast. These didn't end up in her Gmail spam pile. I'm thinking Comcast itself is scanning the messages (content/header/subject...who knows) and giving the alert message. I'm going to swap over to the other port this weekend and see what happens.

1 comment:

Anonymous said...

sounds like you should leave comcast ;)