Ask Slashdot: How To Unblock Email From My Comcast-Hosted Server?
New submitter hawkbug writes: For the past 15 years, I have hosted my own email server at home and it's been pretty painless. I had always used a local Denver ISP on a single static IP. Approximately two years ago, I switched to a faster connection, which now is hosted on Comcast. They provide me 5 static IPs and much faster speeds. It's a business connection with no ports blocked, etc. It has been mostly fine these last two years, with the occasional outage due to typical Comcast issues. About two weeks ago, I came across a serious issue. The following email services started rejecting all email from my server: Hotmail, Yahoo, and Gmail. I checked, and my IP is not on any real time blacklists for spammers, and I don't have any security issues. My mail server is not set as an open relay, and I use SPF records and pass all SPF tests. It appears that all three of those major email services started rejecting email from me based on a single condition: Comcast. I can understand the desire to limit spam — but here is the big problem: I have no way to combat this. With Gmail, I can instruct users to flag my emails as "not spam" because the emails actually go through, but simply end up in the spam folder. Yahoo and Hotmail on the other hand, just flat out reject the traffic at a lower level. They send rejection notices back to my server that contain "tips" on how to make sure I'm not an open relay, causing spam, etc. Since I am not doing any of those things, I would expect some sort of option to have my IP whitelisted or verified. However, I cannot find a single option to do so. The part that bugs me is that this happened two weeks ago with multiple major email services. Obviously, they are getting anti-spam policies from a central location of some kind. I don't know where. If I did, I could possibly go after the source and try to get my IP whitelisted. When I ask my other tech friends what they would do, they simply suggest changing ISPs.
Nobody likes Comcast, but I don't have a choice here. I'm two years into a three-year contract. So, moving is not an option. Is there anything I can do to remedy this situation?
I gave up trying to do this on Comcast and now host my email at Zoho. It's free for the few accounts I need. I know it may not work for everyone, but I got weary fighting those battles.
Set Comcast's mail server as your outgoing smart relay in your MTA's config. The other mail systems will accept your mail if it comes through Comcast's server.
I have had the same problem, and this is regardless of providers. Lists of dynamic IP ranges (be it cable, DSL, or other providers) wind up on DUL (dial-up lists), and those are often part of blackhole lists. Since most botnet clients are from DUL-based IPs, E-mail providers just block those as a matter of course.
What I did was have my private E-mail server use the SMTP server of my ISP for relaying. Problem fixed. However, if you don't have a SMTP server available that allows for different domains, there are commercial services which can relay your outgoing E-mail, which provides "legitimacy" to your messages.
The exception was direct Exchange connectors. Those were established from Exchange server to Exchange server, so mail would go directly via a secure pipe, and not be relayed.
www.mxtoolbox.com is your friend. Run SMTP tests, and check your static IP against a huge list of known black lists.
I ran into a similar issue with one of my clients behind a rural business-class DSL connection. They were only blacklisted from SORBS because their netblock range was dynamic (DUHL). Technically, this was true because their "static IP" was really a sticky IP via DHCP with an indefinite lease. But SORBS doesn't give a shit. You're on the DUHL, you're fucked. Only their ISP can talk to SORBS, not the end-user as I understand it. In the end, the client had to subscribe to a Smart Host to get around this.
With regards to SORBS; admins don't let admins reference SORBS. Fuck them, and their shitty pompous policies!
Life is not for the lazy.
I am probably going to repeat things that you already know, but let's start at the basics.
1. Do you have a PTR/reverse DNS record set up? This has to be done by your ISP, and is not something that you generally do on your own. You generally want it to match the host name for your mail server, but it doesn't have to be a match (but it does look better). Be sure to have an A record for that hostname as well.
2. Are your MX records pointing to hostnames and not an IP address? Again, you probably are, but we are covering basics here.
3. Have you checked to see if you are on any blacklists? mxtoolbox.com and dnsstuff.com have some very good tools for checking these things. If you are on one, they often have pretty good instructions on how/why you are listed and what you need to do to get off of it.
FYI backscatterererererererererer is generally a pain to deal with, good luck if you have to deal with them, you will need it.
4. Are you (or any other users) forwarding any email to external mail services? We (unfortunately) have several of our clients who are forwarding email from their custom domain name to a yahoo/hotmail/aol (yes, it still exists) email account. The problem with this is that when they get spam (that they signed up for, like newsletters and bargain alerts), and they forward it to their external account, it looks like our mail server is the one sending the spam, so we get the black mark.
5. This is the tough one.. are you absolutely sure you are not sending spam? You may need to go so far as to slap a sniffer on your network and see if you are sending out any other email. You may be infected with a virus, or you have an account with compromised credentials that is sending out email.
6. Are you running SSL/TLS (even though SSL 3 and TLS 1.0 are now dead) with a real (non-self-signed) SSL cert on your server? SSL certs can be gotten very cheap, $10 a year, or possibly even cheaper. They are a minor pain to set up as they need intermediary certs set up, but they help to define that you are a legitimate email sender, rather than a PC with a virus.
You may be doing all of these steps, especially if you have been running your own mail server for 15 years, but I posted these suggestions in the hopes that it may jar something loose.
Good Luck
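Items 1 and 3 of the checklist above (PTR record matching an A record, and blacklist lookups) can be scripted. The sketch below is an added example, not part of the original comment: the zone `dnsbl.example.org`, the address `192.0.2.25` and the `fake_*` resolvers are constructed stand-ins so it runs offline; pass nothing for the resolver arguments to use real DNS.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """DNSBL lookups use the IPv4 octets reversed, followed by the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_status(ip, zone, resolve=socket.gethostbyname):
    """Return 'not-listed', 'listed:<code>' or 'query-error:<code>' for one list."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError:  # NXDOMAIN means not listed; a resolver outage looks the same here
        return "not-listed"
    if answer.startswith("127.255.255."):
        # Spamhaus uses this range for refused or malformed queries (for
        # example when asked through a public resolver); it is not a listing.
        return "query-error:" + answer
    return "listed:" + answer

def fcrdns(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip."""
    try:
        ptr_name = reverse(ip)[0]
        addresses = forward(ptr_name)[2]
    except OSError:  # no PTR record, or the PTR name has no A record
        return (False, None)
    return (ip in addresses, ptr_name)

# Constructed stand-ins for DNS (hypothetical records, not from the thread).
FAKE_PTR = {"192.0.2.25": "mail.example.org"}
FAKE_A = {"mail.example.org": ["192.0.2.25"],
          "25.2.0.192.dnsbl.example.org": ["127.0.0.10"]}

def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise socket.herror("no PTR")
    return (FAKE_PTR[ip], [], [ip])

def fake_forward_ex(name):
    if name not in FAKE_A:
        raise socket.gaierror("NXDOMAIN")
    return (name, [], FAKE_A[name])

def fake_resolve(name):
    return fake_forward_ex(name)[2][0]

if __name__ == "__main__":
    print(fcrdns("192.0.2.25", fake_reverse, fake_forward_ex))
    print(dnsbl_status("192.0.2.25", "dnsbl.example.org", fake_resolve))
    print(dnsbl_status("192.0.2.26", "dnsbl.example.org", fake_resolve))
```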
Thanks for the reply, I appreciate it. To answer your questions:
1) Yes, I have a domain. The reverse DNS is correct and I have SPF records for the domain. Also, I'm not running an open relay and my mail server and IP address are not on any RBLs.
2) Each mail service I listed above provides different results. First, Google doesn't send me an email back notifying of an issue. They simply dump the email into the spam folder of whomever I email. Yahoo spits out several messages:
Deferred: 421 4.7.1 [TS03] All messages from XXX.XXX.XXX.XXX will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/42...
Deferred: 421 4.7.0 [TS01] Messages from XXX.XXX.XXX.XXX temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/42...
Hotmail spits back this message:
Deferred: 421 RP-001 (BAY004-MC5F24) Unfortunately, some messages from XXX.XXX.XXX.XXX weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/trou....
Unfortunately this is not the case. I tracked it down. The anti spam service blocks all cable company ip address blocks by default.
No, they don't. I send e-mail just fine through a cable company IP address. You have to make sure you're not on a residential IP block, and that you request removals from lists like Spamhaus PBL.
They are similar messages from two different services. It is very unlikely that they are both claiming the same problem ... incorrectly.
You've had those IP addresses for 2 years without problems so it probably is not a pre-existing issue with the IP addresses.
Do you have a firewall that you can configure to monitor outbound port 25 attempts from your network? Or do you know how to use a sniffer such as Wireshark to do so?
Or can you move your email server to one of the other IP addresses you have? And see if it is still blocked?
Right now it is looking like the problem is on your network. Not Comcast and not GMAIL or YAHOO or HOTMAIL. I might be wrong. But if it were me, I'd test my network first. Otherwise, even if you do get through to YAHOO or HOTMAIL they'll look at the logs and say the same thing.
Not your server.
Your network.
Monitor the traffic going into or out of your cable modem to see what is happening on outbound port 25 for that IP address. Do this for 24 hours.
Move your mail server to a different IP address if that is possible. You have 5 addresses, right?
The rejection messages are saying that YAHOO and HOTMAIL are seeing too many messages from your specific IP address.
GMAIL is accepting the messages but flagging them as spam.
It is extremely unlikely that three competing services are all using the same SMTP-blacklist (that they refuse to identify) to reject messages.
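The outbound port 25 monitoring suggested above can be reduced to one question: which hosts other than the mail server are opening SMTP connections? This is an added example, not part of the original comment; the log lines are constructed in the style of Linux netfilter LOG output, and the addresses and the assumption that the firewall logs pre-NAT source addresses are hypothetical.

```python
import re

FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample log (not from the thread): 10.0.0.5 is the mail server.
SAMPLE_LOG = """\
Dec  1 02:10:01 gw kernel: SMTP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=40112 DPT=25 SYN URGP=0
Dec  1 02:10:03 gw kernel: SMTP IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.9 PROTO=TCP SPT=51001 DPT=25 SYN URGP=0
Dec  1 02:10:03 gw kernel: SMTP IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.40 PROTO=TCP SPT=51002 DPT=25 SYN URGP=0
Dec  1 02:10:04 gw kernel: SMTP IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.9 PROTO=TCP SPT=51001 DPT=25 ACK PSH URGP=0
Dec  1 02:10:05 gw kernel: WEB IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.80 PROTO=TCP SPT=51003 DPT=443 SYN URGP=0
Dec  1 02:10:06 gw kernel: SMTP IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.77 PROTO=TCP SPT=51004 DPT=25 SYN URGP=0
Dec  1 02:11:30 gw kernel: SMTP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=40113 DPT=25 SYN URGP=0
""".splitlines()

def outbound_smtp(log_lines, port="25"):
    """Map source IP -> destinations, one entry per new TCP connection to port."""
    seen = {}
    for line in log_lines:
        fields = dict(FIELD.findall(line))
        flags = set(line.split())
        # A bare SYN starts a connection; skip later packets of the same flow.
        new_conn = "SYN" in flags and "ACK" not in flags
        if (fields.get("PROTO") == "TCP" and fields.get("DPT") == port
                and new_conn and "SRC" in fields and "DST" in fields):
            seen.setdefault(fields["SRC"], []).append(fields["DST"])
    return seen

def unexpected_senders(log_lines, mail_servers):
    """Hosts outside mail_servers that opened SMTP connections.

    Returns {source: (connection_count, distinct_destination_count)}.
    """
    return {src: (len(dsts), len(set(dsts)))
            for src, dsts in outbound_smtp(log_lines).items()
            if src not in mail_servers}

if __name__ == "__main__":
    for src, (conns, dests) in unexpected_senders(SAMPLE_LOG, {"10.0.0.5"}).items():
        print(f"{src}: {conns} SMTP connections to {dests} distinct servers")
```

Any host this reports should not be speaking SMTP to the internet at all; many distinct destinations from one workstation is the pattern to look for.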
I'm using Comcast Business with 5 static IPs like yourself, I also run my own email services like you. I just sent an email to my gmail account from my domain and it was passed through cleanly, not spam filtered.
Your IP is likely blacklisted somewhere; that you are flagged in multiple providers says you're on a list somewhere, whether that's an RBL (there are literally hundreds of RBLs) or one of the others, or you have a configuration issue that is triggering the flag. What have you changed recently or applied security updates to? I had an update at one point that toggled a configuration overwrite and took ages to find because I didn't think the configuration had changed.
The main reason peers block Comcast by default is the number of vulnerable XP machines that get hijacked to send spam. Dropping mail from home users has almost no false positives. Mail if permitted by peers would increase the number of botnet attempts to send bulk spam. The fact the mail is blocked makes compromised Comcast users' machines much less valuable.
Even home configured business accounts on static IP addresses do not have a super good IT department to prevent compromised machines becoming part of a spam botnet, which is a good reason to not accept mail from home IP blocks.
The truth shall set you free!