Ask Slashdot: How To Unblock Email From My Comcast-Hosted Server?
New submitter hawkbug writes For the past 15 years, I have hosted my own email server at home and it's been pretty painless. I had always used a local Denver ISP on a single static IP. Approximately two years ago, I switched to a faster connection, which now is hosted on Comcast. They provide me 5 static IPs and much faster speeds. It's a business connection with no ports blocked, etc. It has been mostly fine these last two years, with the occasional outage due to typical Comcast issues. About two weeks ago, I came across a serious issue. The following email services started rejecting all email from my server: Hotmail, Yahoo, and Gmail. I checked, and my IP is not on any real time blacklists for spammers, and I don't have any security issues. My mail server is not set as an open relay, and I use SPF records and pass all SPF tests. It appears that all three of those major email services started rejecting email from me based on a single condition: Comcast. I can understand the desire to limit spam — but here is the big problem: I have no way to combat this. With Gmail, I can instruct users to flag my emails as "not spam" because the emails actually go through, but simply end up in the spam folder. Yahoo and Hotmail, on the other hand, just flat out reject the traffic at a lower level. They send rejection notices back to my server that contain "tips" on how to make sure I'm not an open relay, causing spam, etc. Since I am not doing any of those things, I would expect some sort of option to have my IP whitelisted or verified. However, I cannot find a single option to do so. The part that bugs me is that this happened two weeks ago with multiple major email services. Obviously, they are getting anti-spam policies from a central location of some kind. I don't know where. If I did, I could possibly go after the source and try to get my IP whitelisted. When I ask my other tech friends what they would do, they simply suggest changing ISPs. 
Nobody likes Comcast, but I don't have a choice here. I'm two years into a three-year contract. So, moving is not an option. Is there anything I can do to remedy this situation?
It's a business account, you should have a business support line.
I'm not hosted by them either. They reject silently all emails from my qmail based servers and don't even tell me WHY they've been rejected either.
I gave up trying to do this on Comcast and now host my email at Zoho. It's free for the few accounts I need. I know it may not work for everyone, but I got weary fighting those battles.
get a cheap Linux VPS to run as a smart host
I hate to say it, but your best bet is just to proxy over an encrypted channel to a machine inside a friendly hosting environment.
Go buy a VPS that allows sending outbound mail (check up front) and then configure your server to route through the VPS first.
Tada: you are no longer appearing to come from Comcast, yet you still have the contract and everything set up.
call Comcast, it sounds like it's a "their problem" problem.
When the entire RoadRunner residential IP spaces were blocked, I just got a virtual server (now a Linode) and simply run that as my MX. Helps on inbound mail as well for any times my home connection goes down; it'll queue up there. I use trusted certs for relaying from home and send mail via authenticated SMTP (TLS required) for mobile devices, via the same virtual host, avoiding issues with connectivity to home (which was rare, but now I don't have to worry). I also have the connections between the VM and home box use a port other than 25 to avoid any blocking of port 25 by my ISP (which, for San Diego at least, hasn't happened in years).
It comes down to $20 a month for the size of VM I got (I also started using it for a few other things too). I also do my greylisting and other anti-spam measures there before it even tries to deliver to my server at home.
Talk to Bennet Hasselton. He's fought the same issue.
I'm guessing that even though you have static IPs Comcast has tagged the /24 (or higher) as DHCP. Most providers are now blocking consumer/business DHCP IP classes.
All the "Virtual Private Server" VPS suggestions seem to be AC so may not make the viewing cut. I'd recommend taking a look at:
http://lowendbox.com/
should be able to find something cost effective that will resolve your issue.
Set Comcast's mail server as your outgoing smart relay in your MTA's config. The other mail systems will accept your mail if it comes through Comcast's server.
Use Mandrill as a mail relay.
No, it doesn't sound like that if you actually read their post.
With Gmail, I can instruct users to flag my emails as "not spam" because the emails actually go through, but simply end up in the spam folder.
Yahoo and Hotmail, on the other hand, just flat out reject the traffic at a lower level. They send rejection notices back to my server that contain "tips" on how to make sure I'm not an open relay, causing spam, etc.
Reading comprehension FTW.
My mail server is set to reject anything without a FQDN (a fully qualified domain name). Do you have one of those?
You've set up SPF, but have you set up DKIM? If not, do so. DMARC too while you're at it.
I got mine set up through what is now Google Apps for Business while the bottom tier was still free. Their current cheapest pricing isn't bad if you don't have a lot of email addresses for what you're getting.
I fought this battle for years. Eventually I wouldn't even get reject messages - the servers would accept the incoming email and then just silently drop it. Looking back I wonder now how many business opportunities I missed, friends I lost, job interviews I didn't get, dates I didn't get, etc.
Drink the Kool-Aid and use Gmail/Yahoo/whatever. Or Facebook. Most people don't even read their email anymore.
I read the first half. Got distracted. Went back to read the second half after posting. Blah.
Check your static IP address for both forward and reverse DNS.
Hard to believe nobody posted this yet.
Get another email account externally, and configure your email server to send all your outgoing email via that account (using POP3/SMTP authentication). Comcast might already provide an email account/server you can use like that...
Try having your mail server send all mail to the Comcast mail server for delivery instead of trying to send it directly. That's what you usually have to do if they block the port; you may try it without the block anyway.
I too am a Comcast victim, business class, and I have a mail server on their static IPs. This has been the case for years, and while I have seen occasional blocking during inter-company spats, nothing blanket like you are seeing. It could just be the range you are on or it could be something else. What I am trying to say is that it is not those big three blanket blocking Comcast IPs.
I would see if Comcast can give you another set of statics in another range. That may help.
-Charlie
I moved from Comcast to FIOS because of this. Fortunately, I live in the small fraction of the country with two high-speed Internet service providers.
In the interim, you need an SMTP relay. You can set one up on a commercial virtual machine host, contract for one from the many providers out there, or just use Amazon Simple Email Service (aws.amazon.com/ses/). Your server can make a secure, authenticated connection to the relay and pump your mail out. The relay does the same thing, only without the stigma of a Comcast IP.
Viva net neutrality, where providers like Gmail can't persecute traffic just because of the source! Oops, not this Internet.
Stop trying to "fix" Comcast. You can't. Find a provider that will act as a relay, which may even be Comcast. Then set up your mail server to relay the mail through that provider.
You can fix this problem in less than half a day.
Check here:
http://www.spamhaus.org/pbl/
I've operated my own mail server on a VPS for years. Rackspace voluntarily lists their IP spaces to prevent spammers from just buying a VPS for a few hours, sending out spam and then trashing it. Occasionally I need to remove my IP from the blacklist.
Why aren't you encrypting your e-mail?
I have had the same problem, and this is regardless of providers. Lists of dynamic IP ranges (be it cable, DSL, or other providers) wind up on DUL (dial-up lists), and those are often part of blackhole lists. Since most botnet clients are from DUL-based IPs, E-mail providers just block those as a matter of course.
What I did was have my private E-mail server use the SMTP server of my ISP for relaying. Problem fixed. However, if you don't have a SMTP server available that allows for different domains, there are commercial services which can relay your outgoing E-mail, which provides "legitimacy" to your messages.
The exception was direct Exchange connectors. Those were established from Exchange server to Exchange server, so mail would go directly via a secure pipe, and not be relayed.
Are you serious? Google are great if you just want a few mailboxes, but they are not even *close* to a replacement for flexible mail aliases, transports, procmail and data privacy.
I did the same thing described by the OP for many years. Suffered through hardware failures and sporadic ISP service interruptions that caused me MANY hours of unnecessary work and lost productivity. I also shouldered the expense of electricity, noise, and replacing hard drives.
Then the price of virtual private servers became so cheap, I couldn't rationally keep hosting stuff out of my house.
Check my sig. Five bucks a month for a 512 MB Linux server with 150 GB of storage and 2 TB of bandwidth a month. You're root on your own box and don't have to deal with all the crap mentioned above.
$5 / month hosted VPS on linux = awesome!
I would get a VPS somewhere (e.g. linode) and install OpenVPN on it. Then VPN between there and your local machine, set up your incoming and outgoing connections to route through there, and update your DNS to point to the VPS. Net effect: you're still on Comcast, but the world sees you as being in some datacenter.
"When I ask my other tech friends what they would do, they simply suggest changing ISPs. Nobody likes Comcast, but I don't have a choice here. I'm two years into a three-year contract. So, moving is not an option"
Moving is always an option. But you have to eat the cost of one year of Comcast. Sorry, but that's your solution.
http://ipremoval.sms.symantec.... Turns out there is something in addition to the standard lists I was familiar with: these 'nice guys' of Brightmail (acquired by Symantec) are used by Hotmail. If you email Hotmail, they will send it to Symantec on your behalf; that's it. They will email you canned answers telling you to do the same things over and over again; they never bother to read the history of the ticket, etc. As for contacting Symantec, not even a canned answer. Maybe you will get a better answer if that's the source of your problems.
I know it isn't the answer you're looking for, but i would suggest to move the mail server to Linode or similar.
I have been through a similar story, trying to avoid being blocked as spam. If you fix this problem, new ones will appear again and again. It just isn't worth the fight IMO.
Moving to the cloud won't solve all your problems, but it will be easier.
In 2000 I used to do what you're doing... I ran a static IP block on my home ADSL line which was only under 1Mbps. Ever since Google Apps, I switched and have been happy since.
I imagine working with the listed providers will yield almost zero results, because you wouldn't know where to begin, and even if you got to speak to the right person, it would still change nothing.
If the blocks occur all at the same time, I do agree that your IP was obtained from the same source... if you can find that source... you can reason with them... working with the big corps won't be a good idea.
I'm in the same boat and I've found that just sending all of my domain's email through Comcast's servers works well enough. I hate doing this on principle, but it has saved me so much hassle that it's not worth fighting.
Depending on your MTA, the configuration will be different, but the arrangement is generally referred to as using a Smart Host. Basically, your MTA directly connects to the ISP's SMTP server and sends the mail from there. Comcast requires authentication to use their servers, but they don't do anything funky to the mail they pass on. All of the headers remain intact except for the DKIM-Signature, which is replaced(?) when Comcast signs the message. I've never had a bounced message that I rerouted through their servers, and they support TLS and IPv6, so it's not the worst setup.
I'm sure that if you share your MTA details, someone can help you with the configuration.
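As an added example, not the poster's or Comcast's own configuration: a small Python linter for the Postfix smarthost settings this arrangement needs, with a weak main.cf fragment beside a hardened one. The relay host name, port and credential path are placeholders to replace with the ISP's values; the parameter names are Postfix's own.

```python
import re

# Constructed main.cf fragment with the mistakes commonly seen in smarthost setups.
# smtp.relay.example and the sasl_passwd path are placeholders, not real values.
WEAK_CF = """\
relayhost = smtp.relay.example
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_security_level = may
"""

# Constructed hardened fragment for the same relay.
HARDENED_CF = """\
# Brackets stop Postfix doing an MX lookup on the relay name; 587 is the submission port.
relayhost = [smtp.relay.example]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Never fall back to anonymous SASL; plaintext mechanisms are acceptable only because
# TLS to the relay is mandatory below.
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
# Require TLS so the relay account password never crosses the wire in the clear.
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
"""


def parse_main_cf(text):
    """Minimal main.cf parser: 'key = value' lines; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def lint_smarthost(conf):
    """Return the findings a reviewer would raise about a smarthost configuration."""
    findings = []
    relay = conf.get("relayhost", "")
    if not relay:
        findings.append("relayhost unset: mail still leaves directly from the Comcast IP")
    else:
        if not relay.startswith("["):
            findings.append("relayhost not in [brackets]: Postfix will look up MX records for the name")
        if not re.search(r"\]:\d+$", relay):
            findings.append("relayhost has no port: defaults to 25, which submission relays often refuse")
    if conf.get("smtp_sasl_auth_enable", "no") != "yes":
        findings.append("smtp_sasl_auth_enable is not yes: the relay will reject unauthenticated mail")
    # Postfix's default is "noplaintext, noanonymous"; an explicit empty value drops both.
    if "noanonymous" not in conf.get("smtp_sasl_security_options", "noplaintext, noanonymous"):
        findings.append("smtp_sasl_security_options allows anonymous SASL")
    if conf.get("smtp_tls_security_level", "none") not in ("encrypt", "dane", "verify", "secure"):
        findings.append("smtp_tls_security_level below encrypt: credentials may cross the wire in cleartext")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CF), ("hardened", HARDENED_CF)):
        print(label, lint_smarthost(parse_main_cf(text)))
```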
So I take it you are not in favor of net neutrality?
Ok with things costing more simply because corporations fear no consequences for their actions?
Trust me, this only happens when you actually are sending out spam. I would strongly suggest that you check your server for malicious files on it (maybe if you are hosting a Joomla/Drupal/WordPress site on it, it might be hacked already and using the server to send out spam). Also, keep in mind that if you send out spam, it will still have valid SPF records, so SPF doesn't help you enough with this. So check your access_log for POST requests, check your maillog for outgoing emails, and/or block outgoing connections to port 25 unless the uid is root or the mail account, so that hacked files running as different users can't bypass the local MTA. Also try to register with some feedback loops (Hotmail and Yahoo have their own; Google does not believe in feedback loops :P) so that you can see the emails reported as spam that were sent out from your mail server.
Also keep in mind that yahoo wants your emails to be signed with DKIM.
I am probably going to repeat things that you already know, but let's start at the basics.
1. Do you have a PTR/reverse DNS record set up? This has to be done by your ISP, and is not something that you generally do on your own. You generally want it to match the host name for your mail server, but it doesn't have to be a match (but it does look better). Be sure to have an A record for that hostname as well.
2. Are your MX records pointing to hostnames and not an IP address? Again, you probably are, but we are covering basics here.
3. Have you checked to see if you are on any blacklists? mxtoolbox.com and dnsstuff.com have some very good tools for checking these things. If you are on one, they often have pretty good instructions on how/why you are listed and what you need to do to get off of it.
FYI backscatterererererererererer is generally a pain to deal with, good luck if you have to deal with them, you will need it.
4. Are you (or any other users) forwarding any email to external mail services? We (unfortunately) have several of our clients who are forwarding email from their custom domain name to a Yahoo/Hotmail/AOL (yes, it still exists) email account. The problem with this is that when they get spam (that they signed up for, like newsletters and bargain alerts), and they forward it to their external account, it looks like our mail server is the one sending the spam, so we get the black mark.
5. This is the tough one. Are you absolutely sure you are not sending spam? You may need to go so far as to slap a sniffer on your network and see if you are sending out any other email. You may be infected with a virus, or you have an account with compromised credentials that is sending out email.
6. Are you running SSL/TLS (even though SSL 3 and TLS 1.0 are now dead) with a real (non self signed SSL cert) on your server? SSL certs can be gotten very cheap, $10 year, or possibly even cheaper. They are a minor pain to set up as they need intermediary certs set up, but helps to define that you are a legitimate email sender, rather than a PC with a virus.
You may have done all of these steps, especially if you have been running your own mail server for 15 years, but I posted these suggestions in the hope that it may jar something loose.
Good Luck
When your server is running on a Comcast-owned IP block, and the block is used to assign dynamic IPs, then your IP is, to everybody else on the Internet, dynamic. Even if Comcast is giving those dynamic IPs statically to you.
Those 3 big name companies and almost every sysadmin who is tired of spam has been blocking dynamic ip ranges for years.
You don't need slashdot for this, you can figure out the problem and the solution just searching google in 5 minutes: rent a dedicated server
If possible, I'd definitely host E-mail myself if I were running something bigger than a SOHO where hosted Exchange is my best bet.
First, I keep physical control of my Exchange mailboxes. Mail might be intercepted, but internal users that send and receive at the same domain are not going to be at the mercy of some nosy (or hacked) provider.
Second, I know how redundant and secure my E-mail system is. Ideally, I have an edge instance of Exchange for incoming stuff, which gets scanned and then passed to an instance that runs as a hub. Then, I have another edge Exchange instance for outgoing E-mail, and yet another edge instance for ActiveSync and OWA. This isn't 100%, but it will at least give an intruder a fun time in getting to the juicy stuff, and the actual mailbox servers are nestled well away from the outside world via firewalling.
Third, it doesn't take much to use a "legit" relay provider. I personally use Rackspace's Mailgun (although similar offerings are just as good or better.)
Of course, the downside is the infrastructure. Four copies of Exchange, Active Directory, a good firewall that supports DMZs, and the utilities it takes to back up mailboxes. However, this makes eDiscovery and other regulation compliance quite easy to deal with.
This is a tough choice. A cloud provider is better than services poorly run, but the best of all is a well run enterprise with company servers so the data has good physical control.
Your IP is likely listed on a blacklist. My company firewall checks a half-dozen or so blacklists and automatically compares them to all incoming email. You need to find out which blacklist is listing your server's public IP and contact the blacklist service directly. They can, after some verification process, remove you from the list. I just had this problem with emails coming from a vendor; turns out their IP(s) were blacklisted by one of my blacklist providers. It was mistaken, but it happened nonetheless. My vendor had to get themselves unlisted. I also removed that blacklist provider from my settings.
I used gmail as my smarthost when I had Verizon FiOS
Something like:
https://alimanfoo.wordpress.co...
(generate a dedicated gmail password for this instead of using your "main" one)
My Domain Registrar provides SMTP relaying (TLS & authentication required), so I can configure my MTA to use that as its "smarthost" to get around this particular problem.
He's having problems with 3 services.
1. GMAIL - messages accepted but marked as spam.
2. YAHOO - messages rejected (what do the logs say?)
3. HOTMAIL - messages rejected (what do the logs say?)
So the first step is to look at the logs and see if the rejection message has any information in it. Do the rejection messages at YAHOO and HOTMAIL have the same code?
The next step is to check with a service like http://www.dnsgoodies.com/ to make sure that Comcast has configured their side correctly. The reverse DNS should point to your domain. You DO have a domain, right?
The more information you have before you contact Comcast, the better. Because the first 2 levels won't know anything about anything. They will be reading off of a script.
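The log questions above (what do the Yahoo and Hotmail rejections say, and do they carry the same code?) together with the earlier advice to check the maillog for outgoing mail you did not expect, as an added Python example that is not from any poster: it parses a constructed Postfix log excerpt (documentation addresses, made-up relay names), groups non-delivered mail by destination and DSN code, and totals queued recipients per authenticated SASL user.

```python
import re
from collections import Counter, defaultdict

# Constructed Postfix log excerpt, not from the poster's server. Relay names and
# addresses are documentation values; recipient domains are the three named in the question.
MAILLOG = """\
Mar  3 10:15:20 mail postfix/qmgr[801]: 4F2A1C: from=<bob@example.com>, size=2310, nrcpt=1 (queue active)
Mar  3 10:15:22 mail postfix/smtp[812]: 4F2A1C: to=<friend@yahoo.com>, relay=mx.yahoo.example[192.0.2.20]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=5.7.1, status=bounced (host mx.yahoo.example[192.0.2.20] said: 554 5.7.1 message rejected by policy)
Mar  3 10:16:02 mail postfix/smtp[813]: 4F2A1D: to=<pal@hotmail.com>, relay=mx.hotmail.example[192.0.2.30]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=5.7.1, status=bounced (host mx.hotmail.example[192.0.2.30] said: 550 5.7.1 mail from [203.0.113.10] not accepted)
Mar  3 10:17:40 mail postfix/smtp[814]: 4F2A1E: to=<someone@gmail.com>, relay=mx.gmail.example[192.0.2.40]:25, delay=0.7, delays=0.1/0/0.3/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar  3 10:30:01 mail postfix/smtpd[900]: 4F2B00: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=alice
Mar  3 10:30:01 mail postfix/qmgr[801]: 4F2B00: from=<alice@example.com>, size=9810, nrcpt=250 (queue active)
"""

# One regex per Postfix line type we care about; '.' never spans a newline, so each match
# stays within a single log line.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<[^@>]+@(?P<dom>[^>]+)>.*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
)
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<n>\d+)")
SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=.*?sasl_username=(?P<user>\S+)")


def rejections_by_domain(log):
    """Recipient domain -> Counter of (status, dsn) for everything that was not delivered."""
    out = defaultdict(Counter)
    for m in DELIVERY_RE.finditer(log):
        if m["status"] != "sent":
            out[m["dom"].lower()][(m["status"], m["dsn"])] += 1
    return dict(out)


def shared_rejection_codes(log, domains):
    """DSN codes that every listed destination returned: the same code across providers
    points at a shared policy source rather than per-provider trouble."""
    per = rejections_by_domain(log)
    sets = [{dsn for (_, dsn) in per.get(d, {})} for d in domains]
    return set.intersection(*sets) if sets else set()


def recipients_per_sasl_user(log):
    """Recipients queued per authenticated user, joined through the queue id.
    A sudden jump for one account is the classic compromised-credential signal."""
    user_by_qid = {m["qid"]: m["user"] for m in SASL_RE.finditer(log)}
    totals = Counter()
    for m in QMGR_RE.finditer(log):
        user = user_by_qid.get(m["qid"])
        if user:
            totals[user] += int(m["n"])
    return totals


def suspicious_senders(log, threshold=100):
    """Authenticated users whose queued recipient count reaches the threshold."""
    return sorted(u for u, n in recipients_per_sasl_user(log).items() if n >= threshold)


if __name__ == "__main__":
    print(rejections_by_domain(MAILLOG))
    print(shared_rejection_codes(MAILLOG, ["yahoo.com", "hotmail.com"]))
    print(suspicious_senders(MAILLOG))
```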
You have the option of using a smart host. You can read a brief description here: http://en.wikipedia.org/wiki/S... Some have a free tier, some don't. I usually use a smarthost by default so that my SMTP server's IP address is not directly associated with the message, and instead I can opt to bypass the smarthost if the smarthost gets blocked for any reason. Here is one that I found but have never used: http://www.socketlabs.com/sign...
I recently went through this on our Comcast business to Verizon e-mail servers. I really wish I could tell you it was easy but I fought Comcast for 2 weeks with ridiculous support to finally get it resolved. You just have to keep pushing the issue with support because they will not believe that they are getting blocked. It was frustrating and they all pretty much tell you to call the other company. I just dug through my e-mails and these were on the chain involving the engineering team that was helping. God speed!
help4u@verizonbusiness.com
inengineering@core.verizon.com
Laura_Jorgenson@cable.comcast.com
domain.com. IN TXT "v=spf1 +a +mx +ip4:x.x.x.x +ip6:x:x::x:x/128 -all"
mailer.domain.com. IN TXT "v=spf1 ip4:x.x.x.x a:mailer.domain.com ip6:x:x::x:x/128 -all"
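As an added example (not the poster's or Comcast's code), a small SPF evaluator and linter in Python over records shaped like the two above; the addresses and DNS answers are constructed stand-ins, include/redirect are not handled, and the a/mx mechanisms are evaluated without CIDR suffixes. It also shows why the mechanism must be spelled ip6 and why a record should list only the sending host and end in -all: an unknown mechanism name makes the whole record a permerror.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records in the shape of the two shown in the post; the
# addresses are documentation values, not anyone's real sending hosts.
SPF_RECORDS = {
    "domain.com": "v=spf1 +a +mx +ip4:203.0.113.10 +ip6:2001:db8::10/128 -all",
    "mailer.domain.com": "v=spf1 ip4:203.0.113.10 a:mailer.domain.com ip6:2001:db8::10/128 -all",
}
# Constructed DNS answers standing in for live A and MX lookups, so this runs offline.
A_RECORDS = {"domain.com": ["203.0.113.10"], "mailer.domain.com": ["203.0.113.10"]}
MX_HOSTS = {"domain.com": ["mailer.domain.com"]}


def _host_matches(host, ip, a):
    return any(ipaddress.ip_address(x) == ip for x in a.get(host, []))


def spf_check(domain, sender_ip, records=SPF_RECORDS, a=A_RECORDS, mx=MX_HOSTS):
    """Evaluate sender_ip against domain's SPF record.

    Returns one of pass, fail, softfail, neutral, none or permerror.
    """
    record = records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif name == "a":
            matched = _host_matches(arg or domain, ip, a)
        elif name == "mx":
            matched = any(_host_matches(h, ip, a) for h in mx.get(arg or domain, []))
        else:
            # Unknown mechanism (e.g. the misspelling "ipv6:") makes the record unusable.
            return "permerror"
        if matched:
            return RESULT[qualifier]
    return "neutral"


def spf_lint(record):
    """Warnings a practitioner would raise about a published record."""
    warnings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["missing v=spf1 version tag"]
    if terms[-1].lower() != "-all":
        warnings.append("record does not end in -all, so forged mail from other hosts is not rejected")
    for term in terms[1:]:
        body = term.lstrip("+-~?").lower()
        if body.startswith(("ip4:", "ip6:")):
            try:
                net = ipaddress.ip_network(body.split(":", 1)[1], strict=False)
            except ValueError:
                warnings.append(f"{term}: unparsable address")
                continue
            if net.num_addresses > 1:
                warnings.append(f"{term} authorises {net.num_addresses} addresses; list only the sending host")
        elif body.startswith("ipv6:"):
            warnings.append(f"{term}: the mechanism is spelled ip6; ipv6 causes a permerror")
    return warnings


if __name__ == "__main__":
    print(spf_check("domain.com", "203.0.113.10"), spf_check("domain.com", "198.51.100.7"))
    print(spf_lint("v=spf1 ip4:203.0.113.0/24 ~all"))
```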
I really think you shouldn't have to use one of these, but it would solve your problem: Sendgrid, Mandril, or Amazon SES.
SPF records are not sufficient anymore. More spammers use them than legitimate sites. As others have suggested, check your PTR record. Since Comcast owns that, they may not have set it up for you, and sign all of your messages with DKIM. It works amazingly well for helping you bypass blockages. I know your pain, and I wish you the best of luck in beating poorly engineered antispam systems.
I agree with your comment about data privacy, but what do you mean by flexible mail aliases? I have about a dozen email aliases linked to each email address on Google Apps Premier/Business, they all seem to work just fine. The filtering and dot notation also seem to work well.
OK, I had a very similar setup with AT&T ADSL some years ago, and basically I had the same problem, most other SMTP hosts were bouncing my emails and/or flat refusing to even communicate with my server.
In my case, the solution was to relay all my email through my internet provider's SMTP, authenticating with my ADSL login. Once I handed off all my email to the upstream SMTP, things worked perfectly.
Most customer-assigned IPs are pretty much blocked out from relaying any email these days. If I were in your position, I'd try to set up relaying to your upstream SMTP so you can relay mail effectively. Having your own SMTP talk to everyone else's SMTP for outbound just doesn't really work very well anymore. Contact Comcast and find out the details on setting up to relay to their SMTP.
Have you checked to see if you are sending unintended backscatter? You can get blacklisted by many hosts very fast if you are sending non-delivery reports (NDRs). In this day and age, you need to either reject the email while the connection is active (eg, user not found) or silently drop mail (eg spam that is filtered after the connection is ended). If you send NDRs after the email is acknowledged as received and ok, you are contributing to a significant backscatter problem.
Make this Comcast's problem, as if things are as you describe, it obviously is. DEMAND (politely, through your business support channels) that they resolve it, and demand a resolution deadline. If they do not meet it, terminate (or threaten to) the service.
In the meantime, I suggest you investigate VPN services which support static IPs on their end. Use Comcast as your last mile connection if you must, but poke out on the Internet somewhere more friendly. If you have to do this, reduce your IPs from Comcast to one, make it dynamic, citing their failure to provide the service contracted. Your VPN provider should handle the rest, and your Comcast bill should go down.
Hope this helps.....
Red
Hello,
I am in a data center and I had email rejected by Hotmail for no reason (not on any RBL blacklist, etc.). I solved it by masquerading outgoing mail for Hotmail on another IP on a different subnet I own on my datacenter connection. I would try this first. You can also try to contact Hotmail so they whitelist your IPs.
If your 5 IPs are on the same subnet and blacklisted by Hotmail, I don't see any other solution than routing your mail through an intermediate mail server. Have you tried relaying it through the Comcast MX? I can't imagine Hotmail rejecting emails from all Comcast subscribers.
Also, you probably have somebody sending spam on the same subnet as yours, and Hotmail seems to like to block /24 subnets. They should eventually unblock you if your subnet stops sending spam.
I subscribe to a service called Dyn Standard SMTP. My home email machine uses this as its smarthost, and all outgoing mail passes through Dyn's server before going out to the internet at large. Problem solved.
I'm sure other hosting companies will offer a similar service.
Before you say such things, you might want to look up the legal morass surrounding mail servers under your direct control and those not. Start with Megaupload and then follow links to the less public ones. There are DAMN good reasons to keep your mail server on premises, be it home or business; if you don't understand why, you might want to educate yourself before giving advice.
-Charlie
At the company I work at, I run several large high-volume mass mailing servers that send millions of messages a month (50 million last month). Here is what I recommend you do:
1) Get forward and reverse DNS set up and, most importantly, the forward and reverse DNS information must match.
2) Set up and use DKIM for all outbound traffic.
3) Have the SPF information in your DNS records. Don't put your block of IPs in the SPF record, just the one IP that you use for sending email. Make sure there is a "-all" in the record so that it makes it clear that all other email claiming to be you is discarded by other servers.
4) You will need to set up Feedback Loops and proper SWIP (if possible) contact information. You will need to go to the big 10 ISPs and submit the FBL information to them and get put on their White Lists. Don't lie to them; just tell them it is your personal email server that is having issues sending mail to them and you want to get on their White List. FBLs are usually for people who send high volumes of mail, including newsletters and some "spammy" mail, but I find it helps regular mail servers if you set up FBL information.
I know Yahoo and Bing use the same data for search. Stands to reason they'd share technical data and policies for other services too.
I can't believe I had to scroll this far down to find this comment. It's the first thing that popped into my head.
A good read from the folks at mailchimp: http://mailchimp.com/resources... There are a couple sections that might be of use.
Had the same problem until I started signing my email with DKIM. Suddenly google and friends were accepting it without problems.
I am not on comcast, so it may not help you.
Get a new additional ISP connection just for email, or host somewhere.
You might be able to make the argument that Comcast is in breach of their service agreement with you. Firstly, and as painful as it will probably be, try to resolve the issue with their technical support. If you get sent into an endless loop without any kind of resolution, you might get out of your contract by simply making the argument that Comcast is failing to provide services as advertised.
You're kinda screwed. A lot of the big providers (and small) use blocklists garnered from a bunch of companies who may or may not be responsive, and more often than not simply don't care about the small guy... amongst those companies I've had the most grief with SORBS for my various clients. Some lists you can get off of, others are essentially impossible... amongst which are the "Dynamic IP" and "home user" lists.
When people set up which block lists to use, there are a couple that are not for specific offenders, but are instead simply full lists of all the known IPs in an ISP's block, such as all DSL / cable modem users, the thought being that you can block all email originating from people's home connections, etc... which is under the presumption that legitimate emails will never come from cheap consumer-grade connections, which, to be fair, are largely spam. Problem is there are tons of small businesses with essentially "home" connections... even under business accounts they get lumped into the same IP ranges.
The real issue is that in the last few years, particularly since Gmail came about, email itself has begun to concentrate in only a few major providers' hands... namely Intermedia, Office 365 and Gmail. As fewer and fewer small/medium-sized businesses have their own mail servers, the big boys have less concern for keeping things more flexibly acceptable. Very few outfits have their own Exchange servers anymore; I dropped my last internally maintained client mail server a few years ago. Even bigger companies don't want to run Exchange in house anymore; it's just not worth it in most situations that don't have regulatory or legal requirements. The fewer companies that run their own mail servers, the greater the likelihood that legitimate mail will only come from the major providers (and the less likely wholesale blocking of IPs is going to cause the sales team to freak out when their clients aren't getting emails, which is honestly the only way I've ever seen IT departments actually lower their filter strength, usually after being yelled at by the sales execs).
In order to deal with this problem we have found the best lasting solution is to use a store-and-forward relay service such as SpamStopsHere, or set up your own via a micro instance in Amazon. Postfix and MailEnable (Windows) are two great programs that do the trick quite well. By setting up your own instance with a public IP which is more "trusted" (coming from a major source of servers which have other large mail hosts running in the same IP block) you avoid all sorts of problems... you will have to do the normal MX, SPF and rDNS things as well for full compliance.
In general this is better anyway, as you probably also want an inbound store-and-forward for those outages you mentioned (no lost emails!), and you'll get the probably unneeded benefit of masking your real-world address (one of my clients got a detailed direct bomb threat from a guy who found their address using an IP lookup; their address was otherwise unlisted).
A micro instance on Amazon is VERY cheap, and can be used for other things, like a simple website, a connection monitor, etc.
good luck
Hi there, I think you need my assistance in setting up a PTR. I work for Comcast's corporate customer service team. Could you please email me at Cassie_Hart@comcast.com so that we can assist? Thanks, Comcast Cassie
I had pretty much the same issue, only a different provider (TWC). I wound up just getting a $20/month Linode virtual server, and haven't had any issues since, and I don't have to host any physical hardware at my house.
640YB ought to be enough for anybody.
1. Check out Cloudmark (https://csi.cloudmark.com/en/reset/) - see if you are on their list.
2. Make sure that your website (yes, website) has not been hacked. If someone is sending out spam that contains a link to your website, then services may mark you as spam. I had a customer whose WordPress install was hacked, and the 404 page was set up as a redirect to a shady pharmacy site. Once the problem was identified and corrected, the blacklist problems went away.
Let's start referring to The War Against Terror by its initials. . .
Yeah fuck that. I can host my own mail just fine, thanks. Google owns enough of the world.
If you don't care to 'win' the fight w/ Comcast, then go get a budget ($1/month) VPS running CentOS from somewhere cheap like Crissic or RamNode and use it to route your outbound email. It'll cost you less in actual dollars than your time investment in fighting Comcast to date at minimum wage, or than you'll spend reading the comments on this 'ask me anything', I figure :)
Just an option!
You do realize the guy is sending out unencrypted email over comcast's pipes in plain text. If privacy was his priority in choosing a home hosting solution, then you might want to awake the OP from his delusion of security by telling him he'll never see the court order that enables reading of all his inbound and outbound email messages.
$5 / month hosted VPS on linux = awesome!
I did this a long time ago but gave up MANY years ago when I set up Google Docs/Mail for my domain. I forget the details, but I believe you can receive email at your MX and send it through Comcast's mail servers as a smart host or something. You'd be able to connect to them, being on Comcast's network; meanwhile they'll go off and send your mail to world+dog and should be allowed, since I highly doubt Gmail, etc. are blocking email from Comcast's mail servers themselves; probably just the masses of addresses reserved for clients. It might circumvent most of your problems while allowing you to still host your own mail. Good luck.
First I'd like to say, I'm bookmarking this set of responses. There's a lot of excellent information here. One of the most informative discussions on Slashdot in recent memory.
I suspect that there is so much animosity against Comcast that you may not ever get this resolved. The advice to "get another ISP" is indicated, but there may not be another viable solution in your neighborhood. (Which is what we as a country should *really* be addressing before we even talk about net neutrality.)
If you have Comcast, you probably have already switched your land line to cable. That's unfortunate, because it makes this solution more difficult to implement: Consider that email is very low traffic (I think you said it was only a few messages a month) and the bandwidth you're getting from Comcast isn't really helping. One solution would be to get a business DSL account with an alternate ISP and use that for email only. This would allow you to scale back Comcast to a consumer account, which might mitigate some of the cost of having two ISPs.
At one time I had Comcast cable modem and a static IP with Speakeasy DSL at the same time. I had to keep my copper wire phone service in order to do this. Comcast gave me high download speeds, Speakeasy gave me a circuit that I could basically do anything with. The DSL speed was what you'd expect for DSL, but that doesn't really matter for email.
Later I dropped Comcast because I got so tired of trying to deal with them, and I'd gouge out my eyeballs rather than go back to them, but that's another story. I went back to DSL only for awhile, and then picked up FIOS when it became available. Running both side by side, I didn't see any limitations to the FIOS circuit so with a tinge of sadness, let the Speakeasy account go. (And before a bunch of anonymous cowards jump on this, yes, I'm aware that some people have had bad experiences with FIOS. I haven't, really. The circuit has been dead nuts reliable. I went through four routers until I got one that worked correctly, but that's not necessarily the ISPs fault, and they were always quick to overnight a replacement when necessary.)
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
But my ISP provides an SMTP relay. I configured postfix to use my ISP relay. This doesn't really impact my mail service or how it's stored or how it may be addressed/migrated in the future, but it gets me past the common blackhole filtering.
SMTP has just not scaled well and the mitigations have impaired the openness of the network somewhat, but SMTP relay facilities are usually available.
XML is like violence. If it doesn't solve the problem, use more.
Most of the big email giants will block email that has a generic host name. Even though you have a domain name, the host name will return whatever the host name of the box Comcast gave you is. Have them set up a reverse DNS entry and most likely the problem is solved.
I set up email servers for clients all the time and it's a big problem.
Linux modi 2.6.26-2-parisc
Yes, I have proper reverse DNS and SPF records. So, I'm good to go there.
I found a while back that GMail started flagging e-mails from my server as spam, even for a business customer who had explicitly white-listed my server in their configuration. Setting up DKIM message signing cured that.
Yahoo on the other hand are complete fuck-wits when it comes to spam detection. I've tried in the past to follow up random spam flagging, and they just give you the runaround. I filled in a complicated form with full details of the erroneous spam flagging, and they responded with a request to send all the same information again to an e-mail address, and then when I did the notification bounced because the e-mail address didn't exist.
The only thing you can do with people who use Yahoo for e-mail is teach them how to look in their spam folders. When they do they'll find lots of other non-spam there too. That's the moment to suggest they move to a proper e-mail provider.
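The comment above reports DKIM signing fixing Gmail spam-foldering. The block below is an added example (not code from the thread or from any DKIM library) showing the part of DKIM that is usually got wrong when signing by hand or behind a relay that rewrites messages: relaxed/relaxed canonicalisation of body and headers (RFC 6376 sections 3.4 and 5.4), the bh= body hash, and the exact bytes that end up under the b= signature. The final RSA signing step over those bytes is left to a library and not shown; the domain and selector names are placeholders.

```python
"""DKIM relaxed/relaxed canonicalisation and body hash (RFC 6376).

Added example, not from the thread.  It produces the bh= value and the bytes a
DKIM signer signs with the selector's private key; the signing step itself
(producing b=) is deliberately left to a signing library and not shown here.
"""
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse WSP runs to one SP, strip trailing WSP on each
    line, drop trailing empty lines, and make sure a non-empty body ends in CRLF.
    Input must already use CRLF line endings, as it does on the wire."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return (b"\r\n".join(lines) + b"\r\n") if lines else b""


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 3.4.2: lowercase the name, unfold, collapse WSP, and leave no
    whitespace on either side of the colon."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip(" ")
    return f"{name.strip().lower()}:{value}\r\n"


def body_hash(body: bytes) -> str:
    """bh= is base64(sha256(canonicalised body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def signature_input(headers, body, domain, selector,
                    signed=("from", "to", "subject", "date")):
    """Return (bh, DKIM-Signature value with empty b=, bytes to sign).

    headers is a list of (name, raw_value) tuples in message order.  Per RFC 6376
    5.4.2 the *last* instance of each name in h= is taken and not reused, which is
    why listing "from" twice (over-signing) protects against a From: header being
    added after signing.  A listed name with no remaining instance contributes nothing.
    """
    bh = body_hash(body)
    used, data = set(), bytearray()
    for want in signed:
        for idx in range(len(headers) - 1, -1, -1):
            if idx not in used and headers[idx][0].lower() == want:
                used.add(idx)
                data += relaxed_header(*headers[idx]).encode()
                break
    sig = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
           f"h={':'.join(signed)}; bh={bh}; b=")
    # The DKIM-Signature header itself is hashed last, with b= empty and
    # without its trailing CRLF.
    data += relaxed_header("DKIM-Signature", sig).encode().rstrip(b"\r\n")
    return bh, sig, bytes(data)


if __name__ == "__main__":
    # Constructed sample message; placeholder domain and selector.
    hdrs = [("From", "alice@example.com"), ("To", "bob@example.org"),
            ("Subject", "Re:  DKIM\r\n test"), ("Date", "Mon, 1 Jan 2024 00:00:00 +0000")]
    bh, sig, to_sign = signature_input(hdrs, b"Hello  world \r\n\r\n", "example.com", "sel1")
    print("bh =", bh)
    print(to_sign.decode())
```

Whatever signs the message must see exactly these bytes; an outbound relay that re-wraps lines or rewrites headers listed in h= will invalidate the signature, so sign on the last hop you control or exclude headers the relay touches.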
I'm the guy who asked the question, and spammer I am not. I hate spam more than most people since I run my own mail server, and have for years. Back before spamassassin, my email server was basically unusable, thanks to the fact my personal email address was associated with my whois record. I'm just a poor asshole who signed a 3 year contract with comcast, and 2 years in, my connection became unusable for relaying email.
Have you tried configuring your server to relay all outgoing mail through Comcast's own server(s)? You can declare it as "smarthost" (in sendmail-speak), or have custom rules (through "mailertable" — sendmail-speak again) for using Comcast's box only for those destinations, which would not talk to you directly... Either way, it may solve your problem and even make life a little easier for your box...
I've never used Comcast myself — they may have some idiots operating their mail-server (RCN and Verizon FiOS both do, why should Comcast be better?). But it may work...
In Soviet Washington the swamp drains you.
I've run SPF for years now, and I pass all the associated tests there. I have a valid PTR record that matches my domain. I do not currently use DKIM, but I guess that's my next attempt at fixing this. DMARC also sounds interesting, I have never heard of that before. I will gladly configure DKIM here and then look into DMARC. Thanks for the information.
First off, it's ridiculous to run your own email server today. If you really insist, do it in a data center with a VPS and your own domain with proper DNS records including PTR.
Beyond that, it's common for big, low-cost/free email hosts to reject mail coming from dynamic IP pools used for consumer accounts. It has nothing to do with Comcast per se - they will block Comcast, Cox, ATT, whatever. It's an easy way to block a lot of undesirable sources at low cost. It saves them the support cost of dealing with complaints by reducing their spam volume significantly.
You are not going to get your IP unblocked. You will just waste your time trying to get dozens or hundreds of email hosts to unblock you. Maybe a few of them might.
If you look at your Comcast agreement you will almost certainly find that - like most consumer broadband - your intended use violates the TOS. This is not why your mail is being blocked, though. It's because others realize that there's no good reason to run a mail server in your home, and plenty of bad ones.
Wake up and realize it's not 1995.
Good luck!
There may be some way to actually clear up the whole situation, and that's probably going to be the best solution. It will probably also be free.
However, failing that, one solution comes to mind which is pretty obvious and very likely to solve your problem. Unfortunately, it's not free, but if you're running a business, it may be of benefit.
The suggestion is: get a smart-host. Essentially, it's a service where you route your email through an email provider first, and then they send it out. You can also set your MX records to direct incoming traffic to the smart-host, which can serve the purpose of a backup MX record (in case your server goes offline). Also, they'll often do spam filtering on their end, which means a lot of spam (and the associated traffic) never gets to your network. Sometimes they'll even offer email archiving, if you're interested in that.
Of course, if you're going to go with a smart host, it raises the question: does it make more sense to just go with a fully hosted solution? Office 365 and Google Apps are both pretty compelling solutions. I assume you're not interested in that, though, since you seem to want to keep your email onsite.
I had the same issue and it did take quite a bit of digging to nail down. Comcast Business with 5 static IPs, same setup as yours.
1. Make sure your reverse DNS entries are correctly configured such that the domain of your reverse DNS lookup will match the domain your messages are claiming to be from. dashed-ip.sea.wa.comcast.net will generate spam warnings on many mail servers if your server claims to be mail.joecorp.com. Call Support and they will update it for you on the phone within a couple of minutes. Also make sure you're not in a residential IP block.
2. Make sure you're not actually an open relay or otherwise allowing unauthenticated senders to generate outbound messages. I was using MailEnable, and had it misconfigured such that it wasn't actually doing the authentication I had selected. This got me blacklisted quickly. A few bounce messages had links to the blacklists themselves to submit appeals; they'd dutifully take me off each time but I'd get re-added automatically. It took a few weeks of trial and error to get this one fixed. I know you say you're not...and I thought I wasn't either, having specifically taken steps to disable open relaying. But it turns out I didn't quite get it the first time, and was still relaying messages without authentication.
I'd imagine issue (1) may be a big contributor to your problems, personally.
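Point (1) above is the forward-confirmed reverse DNS (FCrDNS) test: the receiver resolves the connecting IP to a name, resolves that name back, and checks it lands on the same IP, then compares the name with what the client said in HELO. The block below is an added example (not code from the thread) that performs that check against a constructed in-memory DNS table, using RFC 5737 documentation addresses and invented host names, so it runs offline; replacing lookup() with a real resolver call makes it a real check.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and HELO consistency check.

Added example, not code from the thread.  Instead of querying real DNS it runs
against a constructed in-memory table (FAKE_DNS); swap lookup() for a real
resolver to use it against a live host.
"""
import ipaddress

# Constructed records in RFC 5737 documentation space.  Keys are (owner, type)
# with a trailing dot on the owner name.  None of these are real hosts.
FAKE_DNS = {
    # Good: PTR -> name, name -> same IP, and the name is the sender's own domain.
    ("10.100.51.198.in-addr.arpa.", "PTR"): ["mail.example.com."],
    ("mail.example.com.", "A"): ["198.51.100.10"],
    # Generic ISP name: FCrDNS passes, but the name belongs to the ISP's domain,
    # which is the "spam warnings on many mail servers" case from point (1).
    ("11.100.51.198.in-addr.arpa.", "PTR"): ["198-51-100-11-static.isp.example.net."],
    ("198-51-100-11-static.isp.example.net.", "A"): ["198.51.100.11"],
    # Broken: PTR claims a name whose A record points somewhere else.
    ("12.100.51.198.in-addr.arpa.", "PTR"): ["mail.example.com."],
}


def lookup(name, rtype, table=FAKE_DNS):
    """Return records for (name, rtype); an absent key plays the role of NXDOMAIN."""
    return table.get((name.rstrip(".").lower() + ".", rtype), [])


def fcrdns(ip, table=FAKE_DNS):
    """Return the PTR names of ip that also resolve back to ip (RFC 8501 section 4)."""
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    confirmed = []
    for name in lookup(addr.reverse_pointer, "PTR", table):
        forward = {ipaddress.ip_address(a) for a in lookup(name, rtype, table)}
        if addr in forward:
            confirmed.append(name.rstrip("."))
    return confirmed


def registered_domain(hostname):
    """Last two labels only.  Real receivers consult the public suffix list; this
    shortcut is an assumption and is wrong for names such as example.co.uk."""
    return ".".join(hostname.rstrip(".").lower().split(".")[-2:])


def check_sender_host(ip, helo_name, table=FAKE_DNS):
    """Summarise what a receiving MTA can see about a connecting client."""
    names = fcrdns(ip, table)
    return {
        "fcrdns_ok": bool(names),
        "ptr_names": names,
        "helo_matches_ptr": any(n.lower() == helo_name.lower() for n in names),
        "same_domain_as_helo": any(
            registered_domain(n) == registered_domain(helo_name) for n in names
        ),
    }


if __name__ == "__main__":
    for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
        print(ip, check_sender_host(ip, "mail.example.com"))
```

The middle case is the one the comment describes: FCrDNS itself passes, so simple "no reverse DNS" filters are happy, but the PTR name is the ISP's generic host name rather than the domain the server announces, and reputation systems treat that mismatch as a signal.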
They don't give a Flying-F*** about your SPF if your DKIM is wrong or if you are using an @yahoo.com email address.
What they care about is that they've updated their DMARC record to reject @yahoo.com emails in the From: address if they aren't sent by yahoo.com servers.
You should have googled this.
https://help.yahoo.com/kb/mail...
You don't have to "use Comcast's mail service" - they just want to use Comcast as a way of providing some accountability as to where the email is coming from - as a way of limiting spam.
Chances are you're in a DUL/dynamic list on SORBS or another service. What you need to do is work your way up past the first level grunt at Comcrap and speak to an actual engineer, and they need to submit updated lists of dynamic vs. static IP lists to the various blacklists and also key email providers (gmail, yahoo, notHotmail, etc.) and other providers (time warner, etc.) so that they acknowledge your block as a static block of IPs.
What happened is some grunt at Comcast probably fat-fingered when updating these lists.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
The main reason peers block Comcast by default is the number of vulnerable XP machines that get hijacked to send spam. Dropping mail from home users has almost no false positives. Mail, if permitted by peers, would increase the number of botnet attempts to send bulk spam. The fact the mail is blocked makes compromised Comcast users' machines much less valuable.
Even home configured business accounts on static IP addresses do not have a super good IT department to prevent compromised machines becoming part of a spam botnet, which is a good reason to not accept mail from home IP blocks.
The truth shall set you free!
Mail is tricky. If it was ANY other service, I would be right there with you; we want a two-way internet. People should be able to serve from home. But it's email, and that monster brings the internet to its knees if we don't keep it leashed tight.
Good-bye
You can make the same argument for streaming audio, video, cloud services, p2p and internet of things. If you can block one, you can block all. No, the problem of email needs more finesse, no brute force.
Prove anything by multiplying Huge Number times Tiny Number
>Nobody likes Comcast, but I don't have a choice here. I'm two years into a three-year contract. So, moving is not an option.
Yes you do have a choice. If it's that important to you, break the contract and pay the ETF.
Most linux users don't know this, but the man pages were named after Chuck Norris. Chuck Norris fsck'ing hates noobs!
I had similar issues, though on a machine hosted outside my home network.
The solution was to implement SPF, pointing to the PTR of the machine (i.e. what a reverse IP lookup will resolve to), and DKIM.
In your case, doing a PTR will be hard, since dynamic DHCP may change what the PTR is, but the rest does apply.
I wrote the following detailing what I did: Setting up SPF and DKIM on Postfix.
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
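The comment above recommends an SPF record that names the machine's PTR host. Before publishing one it is worth seeing what a receiver actually computes from it. The block below is an added example, not code from the thread or from any SPF library: a minimal RFC 7208 check_host() evaluator for the mechanisms a small mail server normally needs (ip4, ip6, a, mx, include, all, and the redirect modifier), run against constructed DNS records with RFC 5737 addresses and invented names. The ten-lookup limit is enforced in simplified form (one unit per a, mx, include or redirect); ptr and exists are not implemented and yield permerror.

```python
"""Minimal SPF (RFC 7208) check_host() over a constructed DNS table.

Added example, not from the thread or any library.  Replace lookup() with real
DNS queries to evaluate live records; the lookup limit is simplified to one
unit per a/mx/include/redirect term.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records (RFC 5737 addresses).  example.com authorises its own
# mail host by name, its MX, and whatever the relay provider publishes.
FAKE_DNS = {
    ("example.com.", "TXT"): [
        "v=spf1 a:mail.example.com mx include:_spf.relay.example.net -all",
    ],
    ("mail.example.com.", "A"): ["198.51.100.10"],
    ("example.com.", "MX"): ["mx1.example.com."],
    ("mx1.example.com.", "A"): ["198.51.100.20"],
    ("_spf.relay.example.net.", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    ("legacy.example.org.", "TXT"): ["v=spf1 redirect=example.com"],
}


def lookup(name, rtype, table):
    return table.get((name.rstrip(".").lower() + ".", rtype), [])


def spf_record(domain, table):
    """All TXT records starting with v=spf1; exactly one is valid."""
    return [r for r in lookup(domain, "TXT", table) if r.lower().split(" ")[0] == "v=spf1"]


def host_matches(ip, name, cidr, table):
    """Does any A/AAAA record of name (optionally widened by /cidr) cover ip?"""
    rtype = "AAAA" if ip.version == 6 else "A"
    for a in lookup(name, rtype, table):
        if ip in ipaddress.ip_network(f"{a}/{cidr}" if cidr else a, strict=False):
            return True
    return False


def check_host(ip, domain, table=FAKE_DNS, budget=None):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    ip = ipaddress.ip_address(ip)
    budget = [10] if budget is None else budget      # RFC 7208 4.6.4 lookup limit
    records = spf_record(domain, table)
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    redirect = None
    try:
        for term in records[0].split()[1:]:
            if "=" in term.split(":")[0]:            # modifier: redirect=, exp=, ...
                mod, _, val = term.partition("=")
                if mod.lower() == "redirect":
                    redirect = val
                continue                               # unknown modifiers are ignored
            qual = "+"
            if term[0] in QUALIFIERS:
                qual, term = term[0], term[1:]
            mech, _, arg = term.partition(":")
            mech, _, cidr = mech.lower().partition("/")   # "a/24" form, no domain
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech in ("a", "mx"):
                if budget[0] == 0:
                    return "permerror"
                budget[0] -= 1
                target, _, c = arg.partition("/") if arg else (domain, "", "")
                cidr = c or cidr
                hosts = [target] if mech == "a" else lookup(target, "MX", table)
                matched = any(host_matches(ip, h, cidr, table) for h in hosts)
            elif mech == "include":
                if budget[0] == 0:
                    return "permerror"
                budget[0] -= 1
                inner = check_host(ip, arg, table, budget)
                if inner in ("none", "permerror"):
                    return "permerror"
                matched = inner == "pass"              # only an inner pass matches
            else:                                       # ptr, exists: not implemented
                return "permerror"
            if matched:
                return QUALIFIERS[qual]
    except ValueError:                                  # malformed address or CIDR
        return "permerror"
    if redirect:
        if budget[0] == 0:
            return "permerror"
        budget[0] -= 1
        result = check_host(ip, redirect, table, budget)
        return "permerror" if result == "none" else result
    return "neutral"                                    # no term matched, no "all"


if __name__ == "__main__":
    for ip in ("198.51.100.10", "198.51.100.20", "203.0.113.7", "192.0.2.1"):
        print(ip, "example.com", check_host(ip, "example.com"))
```

Two things the evaluator makes visible that the record alone does not: an include only counts when the included domain returns pass (its ~all softfail does not leak out), and every a, mx and include term spends part of the ten-lookup budget, so a record padded with includes for every SaaS vendor can go permerror and be treated as no SPF at all.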
If you want to win this, either as a technical challenge or a test of wills between you and Comcast (or Google/Yahoo/Microsoft), good luck. Maybe you'll resolve things in a satisfying way eventually. If you do, you will definitely feel like a champ, but it's going to take you a lot of time and frustration to get there.
If you simply want your email server working, then you probably ought to consider sidestepping the fight and just solve the problem instead. You could move the server from a machine hosted in your closet to a VM running on a cloud service. Done right, you can probably increase performance and availability while lowering cost (that 24/7/365 electricity isn't free).
If you read the actual summary up top, you'll see that I am using business class. And yes, I do have a valid domain associated with it, reverse PTR record and all.
Greetings.
I have a Comcast Xfinity Business line, 5 static IP addresses, etc. It sounds like our mutual set ups are equivalent. I've been running my email servers in my own domains since 1998, through some gone ISP, PacBell/AT&T, and Comcast without issues.
Contact the Comcast business line. Have your actual account ready -- you can get that from the Comcast Business web page for your account. Those numbers changed in the last 12 months to a shorter, simpler format. Request technical support and discuss the issue.
One thing that you MUST do if you want to run your own email: request that Comcast set reverse DNS to point at your servers for the non-authoritative request. A reverse DNS request to your IP address must return the name you use for your primary (and secondary, and so on) MX records. If that's set up, then you've solved 90% of the issues with Gmail and Yahoo!.
As far as Hotmail: they've been rejecting my email unless users white list my address(es) in their individual accounts. This has happened since Microsoft bought them. No way around that, and no appeals; every time I tried to contact them I might as well have sent the emails/requests through a black hole.
Source: 8+ years with Comcast Business, and I moved to a new location (with new IP addresses and new routers) 12 days ago. It took them 10 minutes to set the rDNS and propagate. Within an hour it was resolving fine and any lagging email issues were resolved (36 hours of some undelivered messages).
Google my name "Eugene Ciurana" and ping me through my contact page if you want some assistance with your set up and/or other tips w/dealing with Comcast. I've been a very happy customer with them (they fixed my lines, including physical cable modem replacement due to physical failure, while I was out of the country last January and coordinating with someone who could open the door to them and so on), and in general found that, if you explain what you need and why, their tech guys do work with you to solve issues. The key is understanding that *you* may know more about networking/server set up than their tech guys, so if you aren't specific about what you want they may not grok what you need.
Dear admins: WTF is a lameness filter? What is it filtering? I couldn't offer complete information to this guy because of the Comcast support number and/or IP addresses I listed. With my Karma level and the number of years I've been around, your system ought to be configured to let stuff through w/o issue. Look at my user ID. Thanks.
Cheers!
http://eugeneciurana.com | http://ciurana.eu
You're being blocked because any mail leaving Comcast's IP spaces is expected to come from Comcast's mailservers only.
Configure your mailserver with a "smarthost" option, have it deliver using Authenticated SMTP (with your Comcast account's username and password hardcoded, yes) over SSL on 465, or if you can't do SSL, use 587.
Source: Am currently running Postfix on Comcast successfully delivering to Yahoo Mail with no spamfolder problem via this method. (Am using SPF, no DomainKeys yet.)
More from Comcast on this: http://corporate.comcast.com/c...
o/~ Join us now and share the software
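The smarthost setup the comment above describes, written out as a Postfix configuration fragment. This is an added example, not the poster's configuration: the relay host name, port, file paths and credentials are placeholders, and it assumes Postfix 2.x or later (the 465 variant needs Postfix 3.0+). Because the credentials are hardcoded, the TLS settings are chosen so the password can only be sent to a relay whose certificate verifies, which also closes the STARTTLS-stripping concern raised later in the thread.

```ini
# /etc/postfix/main.cf  (added example; relay name, port and paths are assumptions)
relayhost = [smtp.example.net]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Require TLS AND verify the relay's certificate against the system CA bundle;
# "encrypt" would refuse plaintext but still hand the password to a spoofed relay.
smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
# If the relay only offers implicit TLS on 465 (Postfix 3.0+), use instead:
#   relayhost = [smtp.example.net]:465
#   smtp_tls_wrappermode = yes

# /etc/postfix/sasl_passwd  (chmod 600, then: postmap /etc/postfix/sasl_passwd && postfix reload)
[smtp.example.net]:587 username:password
```

The bracketed form of relayhost tells Postfix to skip the MX lookup and connect to that host directly; the same bracketed string must be used as the key in sasl_passwd or the credentials will not be found. With smtp_tls_security_level = verify, a relay whose certificate does not match its host name is refused rather than silently trusted, so check mail.log for "Verified TLS connection" on the first delivery.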
Sex sells; we all know.
However, often you can't simply put it out front because that degrades your message. You need to slip it in. I clicked on the article in the hope of seeing a tit shot. I did, but it really wasn't that good. In any case, I read much of the article for no good reason. I now plan to use this audience-getting technique in my presentations in the future.
(||) Nehmo (||)
Stop trying to host everything yourself. Unless you are a defense contractor or otherwise dealing with extremely sensitive data there is no reason in the year 2014 to run your own mail server.
There is no reason in the year 2014 everyone who wants to should not easily be able to host their own mail servers. None of this is or should be rocket science.
The underlying problem is that SMTP email constitutes the most costly and disastrous failure of any Internet RFC in the history of the world. It needs to be replaced.
I get that you want to. Just stop.
The Internet was never intended to be a network of spectators.
Google is a great provider, has competitive pricing, and great reliability. Their competitors are worth looking at as well.
Google reads your email... not so "great" in my book. The rest are subject to "any tangible thing" / third party doctrine intrusions here in the US... not interested.
Comcast business subscriber here and have what appears to be a very similar config to yours. No problems with mail, checked mxtoolbox anyway and all is green. As many others have said, it's probably something your network did. I've had folks get into mine over the years and cause similar problems for me.
/ip-log/karma.log.11:virus 23.31.69.157 fimble.com NOTQUIT [S=5 - FakeMX NoQuit] X=tarbaby H=mail.fimble.com [23.31.69.157] HELO=[fimble.fimble.com] F=[lollypop@fimble.com] T=[terrydw@mkl.com] S=[Feeling adventurous tonight? Multiple mega hot lasses, free access!]
Hostkarma still had it in the logs.
You sent junk mail; you got blacklisted. Nothing more to see here.
It's an asshole comment.
It little behooves the best of us to comment on the rest of us.
Net Neutrality is a routing philosophy. It doesn't state that recipients of these packets have any obligation to listen.
Wonder what the public key field is for?
I used to smarthost out through Comcast servers, but I've discovered that the no-hassle option is to pick up an SMTP-outbound contract. It is cheap, easy, you can use it on all your mobile equipment and hassle free. And if you set up SPF records you will not have any more trouble. I use DnsMadeEasy.com
You can apply for bulk sender whitelisting from Yahoo!. http://help.yahoo.com/l/us/yahoo/mail/postmaster/bulkv2.html
Deltron 3030 - Virus (music video)
See https://en.wikipedia.org/wiki/...
Facing a similar problem a couple of years ago, I discovered that yahoo provides email filters not only for its webmail users, but also for several other companies. They have a procedure for requesting an exemption from their filters. It took a couple of tries, but I eventually got my server accepted. Here's the form:
http://help.yahoo.com/l/us/yah...
Not that I'm looking to defang anyone from hosting their own e-mail, but when you factor in the cost of the above and amortize it for its expected usage life, it's possibly way cheaper to just go with Office365 hosted Exchange. They take the bandwidth hit on all the filtering, and you have lots of back end bandwidth for syncing all devices. They also have plans that make eDiscovery and online archiving possible. It starts out at $4 a month per user. So say you have 10 employees and need service for 5 years, that's a cost of $2400. Not too shabby!
Life is not for the lazy.
Dear Hawkbug, I apologize for my fellow posters spewing forth knee-jerk postings. I have examined your situation and I must say I am puzzled. Your MX and rDNS records are all in order. The domain in question passes the generic email server tests. Your system can obviously communicate out via port 25 or you would not be getting deferred errors from servers, and it does not "look like" it is being altered by any proxy. So... Comcast is not blocking your port, nor is your email server defunct. Everything seems in order. What can we conclude? You say the email server was working up until two weeks ago. What has changed? Either the servers offering up the deferred messages have implemented a new policy against you, or Comcast is altering your outgoing port 25 (to test the proxy/manipulation theory, find a friend who has an SMTP server and examine the SMTP logs). Whatever the case, it is something that has changed recently. Did you change anything on the server? SMTP banner? FQDN response? Any modifications to your DKIM or SPF? The "deferred errors" to me say greylisting. What would get you greylisted? Someone you sent an email to marked it as spam, perhaps. Were any sent to the wrong person? Were any profane? Would anyone have mistakenly reported it as spam? Examine the emails you sent right before it stopped working; they may contain clues. My experience says follow the trail of "what changed when it stopped working." Good luck.
I don't recommend using your own private server on an IP that is served by a company that owns residential blocks.
Your IP address can be close to another spammer from comcast and you'll get a very basic response as to why it was blocked. They won't tell you that your entire /24 or anything like that has been blocked due to other people abusing it.
It might not even be a residential client that is doing this but another comcast business user.
If you get a dedicated server in a datacenter, they take reports for spam quite seriously and will disconnect peoples servers much faster than Comcast will disconnect a clients internet.
This is in part because many people use dedicated servers with an email server, either as a webhost, company mail server or otherwise. If they get entire subnets blocked, they get a lot of really upset clients /very/ quickly.
So they are a lot more responsible in that regards.
I use eSecureData for my servers and have seen their responses.
As someone whose ISP uses Yahoo for mail, I can report that they appear to block mailing-list messages that are marked as Bulk. As a product tester for Opera and also a moderator on their user forums, I am supposed to be on several of their mailing lists - but never receive any of them. However, mail from that server sent by individual Opera employees comes through just fine. Likewise mailing lists that do not mark their messages as Bulk (from other servers) come through fine - though several (not all) of those lists are actually on Yahoo's servers. (I've had Opera send messages I need to get to a webmail service.)
The server is not blacklisted as I do get mail from it, they are not blocking all mailing lists (other than their own) either, so it appears to be the fact the messages are listed as Priority: Bulk.
Sign your outgoing emails. If it's in the remote user's Spam folder, then it's not blocked, it's filtered. And since your IP is coming from a known poor reputation provider, you already have an uphill battle.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
if your VPS is in the same netblock as a spammer you fall into the same traps
I was under the impression that the VPS market is more competitive than the home and small business last-mile Internet access market. So if one VPS provider is doing a bad job of keeping spammers off its network, you can switch to another.
Hotmail did this to me too, sending from my VPS at 1 and 1. The explanation in their bounce was that it was due to other hosts from the same provider being spammers, etc, but that after my host's reputation was established it would be naturally un-blocked.
That does seem to be what's happened. As I consistently generate non-spam mail toward hotmail/outlook.com accounts, it has been un-blocked and now works without issues.
I'm particularly interested in your case however, since I plan to migrate to Comcast business myself. I'd prefer not to relay through their servers if possible, what with the shenanigans large ISPs seem to want to pull recently re: STARTTLS downgrade attacks, etc.
I like music
I went through this issue as a Comcast customer and feel your pain. Do you have an abuse@yourdomain.com registered with WHOIS? I found this was a requirement as domains started using subscriptions similar to Spamhaus. The alternative is to get the whitelist options as required by RFC from the technical administrator listed in THEIR whois. :)