paul101

Can't parse Comcast spam

Greetings and happy new year.

Hope this is the correct place to post this; searched the forums for "comcast" and couldn't find any directly related threads. I've taken over reporting duties for my employer and I'm still learning my way around.

We currently get 'net connectivity through a Comcast account (although we're actively looking for another provider, since Comcast is consistently listed in Spamhaus.org "The 10 Worst spam Service ISPs" list - usually in the top 5, actually).

Lately, we've seen a big increase in spam relayed through Comcast's network, most of it peddling pharmaceuticals. The spam invariably contains a link to various suspect sites (we never click the links, but it's always one of those typical "click here" inline text links). The spam comes from different forged addresses (or maybe hijacked machines), so building a filtering rule for it is difficult. This spam slips right through Comcast filters and our local mail software filters to arrive in the inbox of our main Comcast account address. We never use that address for regular correspondence, so all mail arriving there is usually spam.

When we attempt to report it through Spamcop, the parser displays a message that says, "No source IP address found, cannot proceed." This happens when we simply forward the full header and spam to the address Spamcop provides us via our Spamcop account -- and also when we open the full headers and manually paste everything into the Spamcop web reporting form. The vast majority of our spam reports work fine... just these blasted Comcast spams return that result.

Anyone know a workaround? Any tips for reporting this sort of Comcast spam? Forwarding the spam directly to 'abuse at comcast.net' results in an annoying auto-ack that basically says "we didn't do it and won't take any action." Often, there's no response from Comcast at all. Calls to Comcast "customer care" only result in confusing and conflicting advice, but nothing remotely actionable. One support rep hinted that Comcast uses Brightmail filters and simply can't (read: won't) keep up with the deluge.

Although I can't give you a Spamcop report link (since there's no report to reference), I'd be happy to paste a few sample headers here if that would help diagnose what's going on. Let me know if I can supply anything else that might be useful. Thanks in advance for any time and trouble.

Paul

The URL in the Address box in your Web Browser while trying to parse one of those spam email messages should be the Tracking URL to post (normalizing mailsc or members to www). If you can't find that, please make sure that display of your Address Toolbar is enabled. Alternatively, a few sample headers would be helpful.

Edited by Jeff G.

Thanks, Jeff.

Sorry to be dense; I'm not clear on which URL you're asking for. However, here are two sample headers from today -- exactly as they appear when I open full headers. I don't know if this will help, but please note that the "To:" field is addressed to an address we never heard of. Comcast previously said the spammer(s) is/are exploiting the "Cc:" or "Bcc" fields somehow.

Sample header 1:

Received: from dsl-KK-034.59.101.203.touchtelindia.net ([203.101.59.34](misconfigured sender))
by rwcrmxc14.comcast.net (rwcrmxc14) with SMTP
id <20060101204511r14002r3mfe>; Sun, 1 Jan 2006 20:48:47 +0000
X-Originating-IP: [203.101.59.34]
Message-Id: <4006203969.86138225331[at]boraxpaper.com>
From: "Clay Ruffin" <plfrpofcjgdb[at]path1.net>
To: "Shml1912" <plfrpofcjgdb[at]path1.net>
Subject: impost flotilla
Date: Sun, 01 Jan 2006 15:45:06 -0500
MIME-Version: 1.0
Content-Type: text/html;
charset="us-ascii"

[contains a sales pitch for drugs with a link to nolonfeel.com/?a=447]

Sample header 2:

Received: from dyndsl-080-228-183-144.ewe-ip-backbone.de ([80.228.183.144])
by rwcrmxc21.comcast.net (rwcrmxc21) with SMTP
id <20060101215950r2100et1lke>; Sun, 1 Jan 2006 22:00:56 +0000
X-Originating-IP: [80.228.183.144]
Message-Id: <7566343718.35394168922[at]halldesign.com>
From: "Tara Singh" <hntmsoqkfycn[at]canadianalodging.com>
To: "Bglam" <hntmsoqkfycn[at]canadianalodging.com>
Subject: peale dada
Date: Sun, 01 Jan 2006 16:57:49 -0500
MIME-Version: 1.0
Content-Type: text/html;
charset="us-ascii"

[contains a sales pitch for drugs with a link to lihurtinors.com/?a=447]

Edited by paul101

The result of the first using Tracking URL http://www.spamcop.net/sc?id=z850545236z0f...21304c93f09d95z is:

Report spam to:

Re: 203.101.59.34 (Administrator of network where email originates)

  To: postmaster[at]bharti.com (Notes)

  To: techsupport[at]bharti.com (Notes)

Re: 203.101.59.34 (Third party interested in email source)

  To: Cyveillance spam collection (Notes)

Re: http://nolonfeel.com/?a=447]http://nolonfeel.co... (Administrator of network hosting website referenced in spam)

  To: abuse[at]elim.net (Notes)

The result of the second using Tracking URL http://www.spamcop.net/sc?id=z850546042z31...4492cdc48c416cz is:

Report spam to:

Re: 80.228.183.144 (Administrator of network where email originates)

  To: abuse[at]ewetel.de (Notes)

Re: 80.228.183.144 (Third party interested in email source)

  To: Cyveillance spam collection (Notes)

Re: http://lihurtinors.com/?a=447]http://lihurtinor... (Administrator of network hosting website referenced in spam)

  To: abuse[at]elim.net (Notes)

Based on the CBL listings, both sources appear to be open proxies.

Good job, Jeff... and I'm starting to understand how the Tracking URL thingie works. I just tried parsing another sample from today - http://www.spamcop.net/sc?id=z850549681z0b...2214252775a387z

That returned the same "cannot proceed" message, so I didn't know how to file the report. I wonder if it's a Safari (Mac OSX browser) issue? I need to go have a life for a while (bet you know how that works - grin), but I'll check back here later. I'll try Firefox, too.

Thanks again and here's to a spam-free '06. (well, we can dream, right?)

Paul

It's a Mailhosts issue:

Parsing header:

0: Received: from cp868961-a.tilbu1.nb.home.nl ([84.24.176.96]) by rwcrmxc20.comcast.net (rwcrmxc20) with SMTP id <20060101195112r2000ao0m2e>; Sun, 1 Jan 2006 19:52:19 +0000
Hostname verified: cp868961-a.tilbu1.nb.home.nl
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust anything beyond this header
No source IP address found, cannot proceed.

Please configure the Mailhosts for the Reporting Account you are using to include that Comcast Mail Server. Thanks!

P.S. I moved this Topic from the SpamCop Reporting Help Forum.

Edited by Jeff G.
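To make the Mailhosts diagnosis concrete, here is an added Python sketch (not SpamCop's own code) of how a mailhost-aware walk over Received headers behaves on the two headers posted in this thread: with no mailhosts configured it stops at the Comcast receiving host with the same "cannot proceed" result the parser gave, and with comcast.net configured it extracts the source IPs SpamCop reported. The mailhosts set, the domain-suffix matching and the trace wording are assumptions modelled on the parser output quoted above.

```python
import re

# The two Received lines posted in this thread, unfolded onto one line each.
SAMPLE_1 = ("Received: from dsl-KK-034.59.101.203.touchtelindia.net "
            "([203.101.59.34](misconfigured sender)) by rwcrmxc14.comcast.net "
            "(rwcrmxc14) with SMTP id <20060101204511r14002r3mfe>; "
            "Sun, 1 Jan 2006 20:48:47 +0000")
SAMPLE_2 = ("Received: from dyndsl-080-228-183-144.ewe-ip-backbone.de "
            "([80.228.183.144]) by rwcrmxc21.comcast.net (rwcrmxc21) with SMTP "
            "id <20060101215950r2100et1lke>; Sun, 1 Jan 2006 22:00:56 +0000")

# "from <host> (<comment containing [ip]>) by <host> ..."; the comment may nest parens.
RECEIVED_RE = re.compile(r"^Received:\s*from\s+(?P<from>\S+)\s+\((?P<comment>.*?)\)\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def _is_mailhost(host, mailhosts):
    # Assumed matching rule: exact domain or any subdomain of a configured mailhost.
    host = host.lower().rstrip(".")
    return any(host == m or host.endswith("." + m) for m in mailhosts)

def find_source_ip(received, mailhosts):
    """Walk Received headers newest-first. A hop is trusted only while the
    receiving ('by') host is one of the reporter's configured mailhosts; the
    first trusted hop whose sending host is *not* a mailhost names the source.
    Returns (ip_or_None, trace), where trace lists the decisions taken."""
    trace = []
    for n, hdr in enumerate(received):
        m = RECEIVED_RE.match(hdr)
        if not m:
            trace.append(f"{n}: unparseable Received header")
            break
        by, sender = m.group("by"), m.group("from")
        if not _is_mailhost(by, mailhosts):
            trace.append(f"{n}: Possible forgery. Supposed receiving system {by} "
                         "not associated with any of your mailhosts")
            break  # SpamCop: "Will not trust anything beyond this header"
        if _is_mailhost(sender, mailhosts):
            trace.append(f"{n}: internal relay {sender} -> {by}, continuing")
            continue
        ip = IP_RE.search(m.group("comment"))
        if ip:
            trace.append(f"{n}: source {ip.group(1)} ({sender}) handed to {by}")
            return ip.group(1), trace
        trace.append(f"{n}: no bracketed IP for {sender}")
        break
    trace.append("No source IP address found, cannot proceed.")
    return None, trace
```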
