Slashdot Mirror


Ask Slashdot: How To Unblock Email From My Comcast-Hosted Server?

New submitter hawkbug writes: For the past 15 years, I have hosted my own email server at home and it's been pretty painless. I had always used a local Denver ISP on a single static IP. Approximately two years ago, I switched to a faster connection, which now is hosted on Comcast. They provide me 5 static IPs and much faster speeds. It's a business connection with no ports blocked, etc. It has been mostly fine these last two years, with the occasional outage due to typical Comcast issues. About two weeks ago, I came across a serious issue. The following email services started rejecting all email from my server: Hotmail, Yahoo, and Gmail. I checked, and my IP is not on any real time blacklists for spammers, and I don't have any security issues. My mail server is not set as an open relay, and I use SPF records and pass all SPF tests. It appears that all three of those major email services started rejecting email from me based on a single condition: Comcast. I can understand the desire to limit spam — but here is the big problem: I have no way to combat this. With Gmail, I can instruct users to flag my emails as "not spam" because the emails actually go through, but simply end up in the spam folder. Yahoo and Hotmail on the other hand, just flat out reject the traffic at a lower level. They send rejection notices back to my server that contain "tips" on how to make sure I'm not an open relay, causing spam, etc. Since I am not doing any of those things, I would expect some sort of option to have my IP whitelisted or verified. However, I can not find a single option to do so. The part that bugs me is that this happened two weeks ago with multiple major email services. Obviously, they are getting anti-spam policies from a central location of some kind. I don't know where. If I did, I could possibly go after the source and try to get my IP whitelisted. When I ask my other tech friends what they would do, they simply suggest changing ISPs.
Nobody likes Comcast, but I don't have a choice here. I'm two years into a three-year contract. So, moving is not an option. Is there anything I can do to remedy this situation?

57 of 405 comments

  1. Call Comcast? by Pope · · Score: 5, Insightful

    It's a business account, you should have a business support line.

    --
    It doesn't mean much now, it's built for the future.
    1. Re:Call Comcast? by hawkbug · · Score: 3, Interesting

      And say what exactly? They are not the problem. It's the other email providers blocking me simply because I'm on a Comcast IP.

    2. Re:Call Comcast? by csnydermvpsoft · · Score: 3, Insightful

      There's likely someone else on a nearby IP address with a misbehaving mail server, and your IP address is collateral damage. While they might not be able to fix your problem, the reputation of the IP addresses that they hand out is at least partially your ISP's responsibility.

    3. Re:Call Comcast? by ledow · · Score: 4, Insightful

      Their IP is their management problem. If they were on a spam blocklist, you'd expect to move to another.

      You tell them if you can't send mail from your business account, it's pointless having it.

      Then you terminate the contract because it's now useless and the conditions you can use it under have changed - you can NO LONGER SEND EMAIL.

      Then it's in their court. They can either fix it, or let you out of the contract. If they do neither, you terminate the contract and let them chase you.

    4. Re:Call Comcast? by Anonymous Coward · · Score: 2, Interesting

      Now you know how it feels to be Russian or Chinese and have your mail rejected just because of the IP address you have.

    5. Re:Call Comcast? by DigiShaman · · Score: 4, Informative

      www.mxtoolbox.com is your friend. Run SMTP tests, and check your static IP against a huge list of known black lists.

      I ran into a similar issue with one of my clients behind a rural business-class DSL connection. They were only black listed from SORBS because their netblock range was dynamic (DUHL). Technically, this was true because their "static IP" was really a sticky IP via DHCP with an indefinite lease. But SORBS doesn't give a shit. You're on the DUHL, you're fucked. Only their ISP can talk to SORBS, not the end-user as I understand it. In the end, the client had to subscribe to a Smart Host to get around this.

      With regards to SORBS; admins don't let admins reference SORBS. Fuck them, and their shitty pompous policies!

      --
      Life is not for the lazy.
    6. Re:Call Comcast? by mattventura · · Score: 2

      Comcast provides a smarthost for customers to use. This is nothing new, I had to deal with this years ago. Hell, nowadays they even block outgoing port 25. Just look up what the comcast smarthost is and point your server there. If you're coming from a comcast IP, you don't even have to authenticate or anything.

    7. Re:Call Comcast? by arth1 · · Score: 3, Informative

      Unfortunately this is not the case. I tracked it down. The anti spam service blocks all cable company ip address blocks by default.

      No, they don't. I send e-mail just fine through a cable company IP address. You have to make sure you're not on a residential IP block, and that you request removals from lists like Spamhaus PBL.

    8. Re:Call Comcast? by hawkbug · · Score: 2

      I have verified. I am not on any RBLs as I mentioned in my original question. As for whether or not my IP range is residential, I was told when I signed up that it was not. However, I have no way that I know of to verify that.

    9. Re:Call Comcast? by JimMcc · · Score: 2

      Also, talk to Yahoo, Hotmail, and Gmail about being blocked.

      For the first time ever I'm going to use this expression....

      ROTFLMAO

      Unless you have some kind of super squirrel secret agent phone number, or your company is worth billions, please explain how to call any of these companies and actually talk to somebody that can _accurately_ answer your questions and just as importantly has the power to make a change.

    10. Re:Call Comcast? by jonwil · · Score: 2

      The reason why big email providers would be blocking business IP ranges from big ISPs like Comcast as well as residential is probably because they have seen too many people with a "Comcast Business Grade" connection, and no knowledge of what's going on get infected with the same spam-bots as residential connections.

    11. Re:Call Comcast? by rahvin112 · · Score: 3, Informative

      I'm using Comcast Business with 5 static IPs like yourself, I also run my own email services like you. I just sent an email to my gmail account from my domain and it was passed through cleanly, not spam filtered.

      Your IP is likely blacklisted somewhere, that you are flagged in multiple providers says you're on a list somewhere whether that's an RBL (there are literally hundreds of RBLs) or one of the others or you have a configuration issue that is triggering the flag. What have you changed recently or applied security updates to? I had an update at one point that toggled a configuration overwrite and took ages to find because I didn't think the configuration had changed.

    12. Re:Call Comcast? by rahvin112 · · Score: 3, Interesting

      One thing I forgot to mention, in reading the other replies people are claiming that google at least requires DKIM in that they reject all mail without a valid DKIM. My server is set up to use both SPF and DKIM and I'm not having problems.

    13. Re:Call Comcast? by shrikel · · Score: 2

      I have the exact same problem, in Salt Lake City, and I've run into the same issue for a good 2 dozen of my clients on Comcast's network. It is a categorical block of Comcast's IPs, regardless of business / residential status.

      --
      Any sufficiently simple magic can be passed off as mere advanced technology.
    14. Re:Call Comcast? by X0563511 · · Score: 2

      This is big.

      Even if they don't let you set it, you need to make sure it's not pointing at their dynamic residential DNS pool.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  2. Host your email somewhere else by dheltzel · · Score: 5, Informative

    I gave up trying to do this on Comcast and now host my email at Zoho. It's free for the few accounts I need. I know it may not work for everyone, but I got weary fighting those battles.

  3. tl;dr by ihtoit · · Score: 2

    call Comcast, it sounds like it's a "their problem" problem.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    1. Re:tl;dr by wiredlogic · · Score: 4, Funny

      The Comcast phone slaves won't have a page on their script to fix his problem. Might I suggest pulling the power plug from the router and rebooting the PC, though.

      --
      I am becoming gerund, destroyer of verbs.
  4. I use a virtual host as an MX relay.. by Miguelito · · Score: 2

    When the entire RoadRunner residential IP spaces were blocked, I just got a virtual server (now a Linode) and simply run that as my MX. Helps on inbound mail as well for any times my home connection goes down.. it'll queue up there. I use trusted certs for relaying from home and send mail via authenticated SMTP (TLS required) for mobile devices, via the same virtual host avoiding issues with connectivity to home (which was rare, but now I don't have to worry). I also have the connections between the VM and home box use a port other than 25 to avoid any blocking of port 25 by my ISP (which, for San Diego at least, hasn't happened in years).

    It comes down to $20 a month for the size of vm I got (I also started using it for a few other things too). I also do my greylisting and other anti-spam measure there before it even tries to deliver to my server at home.

    --
    - My favorite error message: xscreensaver, running on an old Sparc 5 w/ 8bit color: bsod: Couldn't allocate color Blue
  5. Probably tagged as DHCP by Sandman1971 · · Score: 2

    I'm guessing that even though you have static IPs Comcast has tagged the /24 (or higher) as DHCP. Most providers are now blocking consumer/business DHCP IP classes.

    --
    It's better to burn out than to fade away
  6. SmartHost Setting by Anonymous Coward · · Score: 2, Informative

    Set Comcast's mail server as your outgoing smart relay in your MTA's config. The other mail systems will accept your mail if it comes through Comcast's server.

  7. Mandrill by jklovanc · · Score: 2

    Use Mandrill as a mail relay.

  8. Google Apps for Business? by grilled-cheese · · Score: 2

    I got mine set up through what is now Google Apps for Business while the bottom tier was still free. Their current cheapest pricing isn't bad if you don't have a lot of email addresses for what you're getting.

  9. Use a relay. by Anonymous Coward · · Score: 2, Insightful

    Stop trying to "fix" comcast. You can't. Find a provider that will act as a relay, which may even be Comcast. Then set up your mail server to relay the mail through that provider.

    You can fix this problem in less than half a day.

  10. Same issue... just relayed all outgoing mail by mlts · · Score: 5, Informative

    I have had the same problem, and this is regardless of providers. Lists of dynamic IP ranges (be it cable, DSL, or other providers) wind up on DUL (dial-up lists), and those are often part of blackhole lists. Since most botnet clients are from DUL-based IPs, E-mail providers just block those as a matter of course.

    What I did was have my private E-mail server use the SMTP server of my ISP for relaying. Problem fixed. However, if you don't have a SMTP server available that allows for different domains, there are commercial services which can relay your outgoing E-mail, which provides "legitimacy" to your messages.

    The exception were direct Exchange connectors. Those were established from Exchange server to Exchange server, so mail would go directly via a secure pipe, and not be relayed.

    1. Re:Same issue... just relayed all outgoing mail by Anon-Admin · · Score: 5, Insightful

      Ditto! I had the same issue and solved it the same way. Comcast has an SMTP relay that will blanket allow all internal ip's. I simply pointed mine to their SMTP relay and it was allowed.

    2. Re:Same issue... just relayed all outgoing mail by fgodfrey · · Score: 3, Informative

      You can't use that on a Comcast Business account (or at least my Comcast Business account couldn't). After 4 phone calls, they finally confirmed that their mail server won't send mail for anyone else's domain. Ie, if you own example.com, Comcast's server won't relay mail for foo@example.com only for foo@comcast.net.

      Now.... My information is about 7 months old so maybe they changed this without telling anyone? If your information is newer I should probably revisit my mail configuration.

      Meantime, I just tried from my domain (email server sends directly from a Comcast Business IP) and had no problems sending to Yahoo Mail so they aren't blocking *ALL* Comcast Business IP's. I also have (hopefully) correct reverse DNS on my email server and SPF records in my DNS.

      --
      Go Badgers! -- #include "std/disclaimer.h"
    3. Re:Same issue... just relayed all outgoing mail by whoever57 · · Score: 2

      Bummer. I was hoping that earlier post about using Comcast as my relay would solve it.

      A Comcast residential account can be used to send emails through Comcast's servers with any "from" address (using my Comcast login and smtp auth). I just tried this and it worked. I suggest that you try it with your business account.

      --
      The real "Libtards" are the Libertarians!
    4. Re:Same issue... just relayed all outgoing mail by drakaan · · Score: 3, Informative

      Bear in mind that doing so gives Comcast a copy of every email you send, of course.

      --
      "Murphy was an optimist" - O'Toole's commentary on Murphy's Law
  11. VPN to VPS by Cajun+Hell · · Score: 2

    I would get a VPS somewhere (e.g. linode) and install OpenVPN on it. Then VPN between there and your local machine, set up your incoming and outgoing connections to route through there, and update your DNS to point to the VPS. Net effect: you're still on Comcast, but the world sees you as being in some datacenter.

    --
    "Believe me!" -- Donald Trump
  12. Testing and config verification by Xanthvar · · Score: 5, Informative

    I am probably going to repeat things that you already know, but let's start at the basics.

    1. Do you have a PTR/reverse DNS record set up? This has to be done by your ISP, and is not something that you generally do on your own. You generally want it to match the host name for your mail server, but it doesn't have to be a match (but it does look better). Be sure to have an A record for that hostname as well.

    2. Are your MX records pointing to hostnames and not an IP address? Again, you probably are, but we are covering basics here.

    3. Have you checked to see if you are on any blacklists? mxtoolbox.com and dnsstuff.com have some very good tools for checking these things. If you are on one, they often have pretty good instructions on how/why you are listed and what you need to do to get off of it.
    FYI backscatterererererererererer is generally a pain to deal with, good luck if you have to deal with them, you will need it.

    4. Are you (or any other users) forwarding any email to external mail services? We (unfortunately) have several of our clients who are forwarding email from their custom domain name to a yahoo/hotmail/aol (yes, it still exists) email account. The problem with this, is that when they get spam (that they signed up for, like newsletters and bargain alerts), and they forward to their external account, it looks like our mail server is the one sending the spam, so we get the black mark.

    5. This is the tough one.. are you absolutely sure you are not sending spam? You may need to go so far as to slap a sniffer on your network and see if you are sending out any other email. You may be infected with a virus, or you have an account with compromised credentials that are sending out email.

    6. Are you running SSL/TLS (even though SSL 3 and TLS 1.0 are now dead) with a real (non self signed SSL cert) on your server? SSL certs can be gotten very cheap, $10 year, or possibly even cheaper. They are a minor pain to set up as they need intermediary certs set up, but helps to define that you are a legitimate email sender, rather than a PC with a virus.

    You may be doing all of these steps, especially if you have been running your own mail server for 15 years, but I posted these suggestions in the hopes that it may jar something loose.

    Good Luck
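An added example for item 3 of the checklist above (not code from any poster in the thread): how a DNSBL lookup works, and why a "not listed" result is only trustworthy if the list's RFC 5782 test entries answer correctly through your resolver. The zone names under `dnsbl.example`, the address 192.0.2.157 and the `FAKE_DNS` table are constructed so the block runs offline; pass `system_resolve` instead to query real zones.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Some lists answer in 127.255.255.x to signal refused or rate-limited
# queries (Spamhaus documents this); such an answer is not a listing.
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify_answer(answers):
    """Interpret the A records a DNSBL returned for one query name."""
    if not answers:
        return "not listed"          # NXDOMAIN or empty answer
    addrs = [ipaddress.ip_address(a) for a in answers]
    if any(a not in LOOPBACK for a in addrs):
        return "invalid answer"      # e.g. a resolver rewriting NXDOMAIN
    if any(a in ERROR_RANGE for a in addrs):
        return "error reply"
    return "listed"


def check_ip(ip, zones, resolve):
    """Check ip against each zone, verifying the zone is reachable first.

    RFC 5782: an IPv4 DNSBL lists 127.0.0.2 and does not list 127.0.0.1.
    If those test points fail, the resolver path is broken or blocked and
    "not listed" for the real address means nothing.
    """
    results = {}
    for zone in zones:
        listed_ok = classify_answer(
            resolve(dnsbl_query_name("127.0.0.2", zone))) == "listed"
        clean_ok = classify_answer(
            resolve(dnsbl_query_name("127.0.0.1", zone))) == "not listed"
        if not (listed_ok and clean_ok):
            results[zone] = "unusable"
            continue
        results[zone] = classify_answer(resolve(dnsbl_query_name(ip, zone)))
    return results


def system_resolve(name):
    """Live resolver; gaierror hides whether it was NXDOMAIN or a failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed DNS data: four hypothetical lists seen through one resolver.
FAKE_DNS = {
    "2.0.0.127.dul.dnsbl.example": ["127.0.0.2"],
    "157.2.0.192.dul.dnsbl.example": ["127.0.0.10"],
    "2.0.0.127.bot.dnsbl.example": ["127.0.0.2"],
    "2.0.0.127.refused.dnsbl.example": ["127.255.255.254"],
    "157.2.0.192.refused.dnsbl.example": ["127.255.255.254"],
    # silent.dnsbl.example: nothing answers at all
}
ZONES = ["dul.dnsbl.example", "bot.dnsbl.example",
         "refused.dnsbl.example", "silent.dnsbl.example"]


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for zone, verdict in check_ip("192.0.2.157", ZONES, fake_resolve).items():
        print(zone, "->", verdict)
```
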

    1. Re:Testing and config verification by Rotten · · Score: 2

      I bet the answer for 1) and 2) is NO

      3) is what maybe prompted to get SPF

      4) inevitable but won't force a block on your IP unless it's 1000's of mails daily

      5) you have to protect yourself against password guessing and installing outbound antispam/antivirus for your own mails. it's 2014 ffs.

      6) probably it's a NO, or MAYBE for a self signed certificate.

      Yikes, we could fix the submitter's server for a fee.

    2. Re:Testing and config verification by hawkbug · · Score: 3, Informative

      You guys crack me up. To answer the questions:

      1) Absolutely. The first thing I did when I moved to this net block on comcast is have them create my associated pointer records, so reverse DNS is correct.

      2) Yes, MX records are correct.

      3) I've checked every blacklist using sites like mentioned above. My IP does not exist on a single one.

      4) No forwarding.

      5) Yes, I monitor my network traffic in various ways - and no, I am not sending spam. If I was, it would be a matter of hours before I would show up on an RBL anyway, which I'm not on.

      6) Absolutely. I have paid for a cert that matches my domain. It's not self signed.

      I think some others have brought up some things that I'm not doing:

      1) DKIM. I've read about this, but I didn't realize a lot of people were using it yet. Sounds like they are and that I'm behind the curve here.

      2) DMARC. Same here. I've read about it, but not using it yet.

      I'm also using SPF.

    3. Re:Testing and config verification by Rotten · · Score: 2

      Owwww CMON!

      "3) I've checked every blacklist using sites like mentioned above. My IP does not exist on a single one."

      REALLY??? Senderbase it's just a basic check, if you are talking about the email you use on your slashdot profile:

      http://www.senderbase.org/lookup/?search_string=23.31.69.157

      Whooha:
      "IP Address 23.31.69.126 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
      It was last detected at 2014-11-05 04:00 GMT (+/- 30 minutes), approximately 9 days, 30 minutes ago."

      Now you owe me a beer.

  13. Re:Stop trying to host it yourself. by mlts · · Score: 2

    If possible, I'd definitely host E-mail myself if I were running something bigger than a SOHO where hosted Exchange is my best bet.

    First, I keep physical control of my Exchange mailboxes. Mail might be intercepted, but internal users that send and receive at the same domain are not going to be at the mercy of some nosy (or hacked) provider.

    Second, I know how redundant and secure my E-mail system is. Ideally, I have an edge instance of Exchange for incoming stuff, which gets scanned and then passed to an instance that runs as a hub. Then, I have another edge Exchange instance for outgoing E-mail, and yet another edge instance for ActiveSync and OWA. This isn't 100%, but it will at least give an intruder a fun time in getting to the juicy stuff, and the actual mailbox servers are nestled well away from the outside world via firewalling.

    Third, it doesn't take much to use a "legit" relay provider. I personally use Rackspace's Mailgun (although similar offerings are just as good or better.)

    Of course, the downside is the infrastructure. Four copies of Exchange, Active Directory, a good firewall that supports DMZs, and the utilities it takes to back up mailboxes. However, this makes eDiscovery and other regulation compliance quite easy to deal with.

    This is a tough choice. A cloud provider is better than services poorly run, but the best of all is a well run enterprise with company servers so the data has good physical control.

  14. Blacklist by kdub007 · · Score: 2

    Your IP is likely listed on a Blacklist. My company firewall checks a half-dozen or so blacklists and automatically compares them to all incoming email. You need to find out which blacklist is listing your server public IP and contact the blacklist service directly. They can, after some verification process, remove you from the list. I just had this problem with emails coming from a vendor...turns out their IP(s) were blacklisted by one of my blacklist providers. It was mistaken, but it happened nonetheless. My vendor had to get themselves unlisted. I also removed that blacklist provider from my settings.

    --
    The correct answer is 42.
  15. First step is to collect data. by khasim · · Score: 4, Insightful

    He's having problems with 3 services.

    1. GMAIL - messages accepted but marked as spam.

    2. YAHOO - messages rejected (what do the logs say?)

    3. HOTMAIL - messages rejected (what do the logs say?)

    So the first step is to look at the logs and see if the rejection message has any information in it. Do the rejection messages at YAHOO and HOTMAIL have the same code?

    The next step is to check with a service like http://www.dnsgoodies.com/ to make sure that Comcast has configured their side correctly. The reverse DNS should point to your domain. You DO have a domain, right?

    The more information you have before you contact Comcast, the better. Because the first 2 levels won't know anything about anything. They will be reading off of a script.

    1. Re:First step is to collect data. by hawkbug · · Score: 3, Informative

      Thanks for the reply, I appreciate it. To answer your questions:

      1) Yes, I have a domain. The reverse DNS is correct and I have SPF records for the domain. Also, I'm not running an open relay and my mail server and IP address are not on any RBLs.

      2) Each mail service I listed above provides different results. First, Google doesn't send me an email back notifying of an issue. They simply dump the email into the spam folder of whomever I email. Yahoo spits out several messages:

      Deferred: 421 4.7.1 [TS03] All messages from XXX.XXX.XXX.XXX will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/42...

      Deferred: 421 4.7.0 [TS01] Messages from XXX.XXX.XXX.XXX temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/42...

      Hotmail spits back this message:

      Deferred: 421 RP-001 (BAY004-MC5F24) Unfortunately, some messages from XXX.XXX.XXX.XXX weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/trou....

    2. Re:First step is to collect data. by khasim · · Score: 2

      The code is what matters. Here's a site with a bit more info:
      http://tools.ietf.org/html/rfc3463

      If HOTMAIL is rejecting with one code but YAHOO is rejecting with a different code then there may be THREE issues for him to deal with.

      And since he is running a server he will most likely be using port 25. Encryption may change that. But for initial testing purposes he should skip encryption for HOTMAIL and YAHOO until he can determine why his messages are being rejected.

    3. Re:First step is to collect data. by khasim · · Score: 4, Insightful

      Deferred: 421 4.7.0 [TS01] Messages from XXX.XXX.XXX.XXX temporarily deferred due to user complaints - 4.16.55.1; see

      That seems to indicate that at least one of your recipients at YAHOO is actively flagging your messages as spam. Maybe they have incorrectly written a rule that is doing so.

      Deferred: 421 4.7.1 [TS03] All messages from XXX.XXX.XXX.XXX will be permanently deferred; Retrying will NOT succeed.

      ... and ...

      Deferred: 421 RP-001 (BAY004-MC5F24) Unfortunately, some messages from XXX.XXX.XXX.XXX weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day.

      And that one seems to be saying that your IP address is sending too many messages.

      How many messages per day are you sending?
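An added example (not from any poster in the thread): a parser for the three deferral lines quoted above that separates the SMTP reply code, the optional RFC 3463 enhanced status code and the provider's own tag, so each distinct cause can be counted. Function names are illustrative; the sample lines are the ones quoted in the thread with the truncated URLs left out, and the tags (`TS01`, `TS03`, `RP-001`) are treated as opaque provider labels.

```python
import re
from collections import Counter

# Deferral lines as quoted in the thread (IP redacted by the poster).
SAMPLE_LOG = [
    "Deferred: 421 4.7.1 [TS03] All messages from XXX.XXX.XXX.XXX will be "
    "permanently deferred; Retrying will NOT succeed.",
    "Deferred: 421 4.7.0 [TS01] Messages from XXX.XXX.XXX.XXX temporarily "
    "deferred due to user complaints - 4.16.55.1",
    "Deferred: 421 RP-001 (BAY004-MC5F24) Unfortunately, some messages from "
    "XXX.XXX.XXX.XXX weren't sent. Please try again. We have limits for how "
    "many messages can be sent per hour and per day.",
]

# RFC 3463: first digit is the class, second the subject.
RFC3463_CLASS = {
    "2": "success",
    "4": "persistent transient failure",
    "5": "permanent failure",
}
RFC3463_SUBJECT = {
    "0": "other or undefined", "1": "addressing", "2": "mailbox",
    "3": "mail system", "4": "network and routing",
    "5": "mail delivery protocol", "6": "message content or media",
    "7": "security or policy",
}

LINE_RE = re.compile(
    r"^(?:Deferred:\s*)?"                        # queue status prefix
    r"(?P<reply>[245]\d\d)[ -]"                  # RFC 5321 reply code
    r"(?:(?P<enh>[245]\.\d{1,3}\.\d{1,3})\s+)?"  # optional enhanced code
    r"(?P<text>.*)$"
)
# Provider tag right after the codes: "[TS03]" or a bare "RP-001".
TAG_RE = re.compile(r"^(?:\[(?P<bracket>[A-Z]+\d+)\]|(?P<bare>[A-Z]+-\d+))\s*")


def parse_deferral(line):
    """Split one deferral line into its codes, tag and free text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    text = m.group("text")
    tag = None
    tag_m = TAG_RE.match(text)
    if tag_m:
        tag = tag_m.group("bracket") or tag_m.group("bare")
        text = text[tag_m.end():]
    enh = m.group("enh")
    klass = subject = None
    if enh:
        # Only the code directly after the reply code counts; the
        # "4.16.55.1" at the end of the TS01 line is not a status code.
        cls_digit, subj_digit, _detail = enh.split(".")
        klass = RFC3463_CLASS[cls_digit]
        subject = RFC3463_SUBJECT.get(subj_digit, "unknown subject")
    return {
        "reply": m.group("reply"),
        "enhanced": enh,
        "class": klass,
        "subject": subject,
        "tag": tag,
        # A 4xx reply makes the sending MTA keep the message queued and
        # retry, whatever the human-readable text says.
        "mta_will_retry": m.group("reply").startswith("4"),
        "text_says_permanent": "permanently" in text.lower(),
        "text": text,
    }


def group_by_cause(lines):
    """Count lines per (reply code, enhanced code, provider tag)."""
    causes = Counter()
    for line in lines:
        rec = parse_deferral(line)
        if rec:
            causes[(rec["reply"], rec["enhanced"], rec["tag"])] += 1
    return causes


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_deferral(line)
        print(rec["reply"], rec["enhanced"], rec["tag"], rec["subject"])
    print(len(group_by_cause(SAMPLE_LOG)), "distinct causes")
```
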

    4. Re:First step is to collect data. by hawkbug · · Score: 2

      Yes, it requires authentication. It is definitely not an open relay or being used for spam, even by a legitimate user who may have had their password hacked or something.

    5. Re:First step is to collect data. by kiphat · · Score: 3, Interesting

      It may be that when one user complains, they block ALL email from your server; not just mail to the complaining account holder.

    6. Re:First step is to collect data. by khasim · · Score: 3, Informative

      So, in other words, both of these messages are crap and not accurate.

      They are similar messages from two different services. It is very unlikely that they are both claiming the same problem ... incorrectly.

      You've had those IP addresses for 2 years without problems so it probably is not a pre-existing issue with the IP addresses.

      Do you have a firewall that you can configure to monitor outbound port 25 attempts from your network? Or do you know how to use a sniffer such as Wireshark to do so?

      Or can you move your email server to one of the other IP addresses you have? And see if it is still blocked?

      Right now it is looking like the problem is on your network. Not Comcast and not GMAIL or YAHOO or HOTMAIL. I might be wrong. But if it were me, I'd test my network first. Otherwise, even if you do get through to YAHOO or HOTMAIL they'll look at the logs and say the same thing.

    7. Re:First step is to collect data. by hawkbug · · Score: 2

      Yes, before I brought this question to Slashdot, I did my homework first. I've scoured logs, checked RBLs, used Wireshark, etc. It's definitely not a misconfiguration on my end or an issue with complaints resulting from spam. The traffic coming from my server is so ridiculously small, that I was shocked to begin getting messages like these from those email providers.

      The only conclusion that I can draw is that these major providers all use the same dynamic, or what they interpret as dynamic anyhow, IP lists and block based on them. I can understand that... the part that I have an issue with is that I have no recourse to have my IP reevaluated.

    8. Re:First step is to collect data. by hawkbug · · Score: 2

      Exactly. I would love to know what centralized IP blacklist that those 3 providers use.

    9. Re:First step is to collect data. by khasim · · Score: 4, Informative

      The traffic coming from my server is so ridiculously small, that I was shocked to begin getting messages like these from those email providers.

      Not your server.

      Your network.

      Monitor the traffic going into or out-of your cable modem to see what is happening on outbound port 25 for that IP address. Do this for 24 hours.

      Move your mail server to a different IP address if that is possible. You have 5 addresses, right?

      The rejection messages are saying that YAHOO and HOTMAIL are seeing too many messages from your specific IP address.

      GMAIL is accepting the messages but flagging them as spam.

      It is extremely unlikely that three competing services are all using the same SMTP-blacklist (that they refuse to identify) to reject messages.

    10. Re:First step is to collect data. by hawkbug · · Score: 2

      Yes, I have 5 IPs. It's a pain, but yes, I can try one of the others. In regards to the cable modem - it's set up in a manner that the single outgoing IP for my mail server is directly linked to it. So, when I say I ran wireshark on the traffic, I did so for that IP. It is the only machine on the network that uses that IP. The results were well within what I expected for email traffic. Most of the traffic is incoming spam, and the only outgoing messages are being sent by valid users - and not many of them at that.

    11. Re:First step is to collect data. by DigiShaman · · Score: 2

      https://ers.trendmicro.com/rep...

      It's not on any known blacklists, but it's a major one that many use.

      --
      Life is not for the lazy.
    12. Re:First step is to collect data. by rahvin112 · · Score: 2

      Gmail at least doesn't use blacklists. They have custom spam filtering built off their huge position in email.

    13. Re:First step is to collect data. by khasim · · Score: 2

      It is the only machine on the network that uses that IP.

      ON A WIRED WORKSTATION ON THAT NETWORK, go to http://www.whatismyip.com/ and see if the IP address it reports ends in .157.

      ON A WIRELESS DEVICE ON THAT NETWORK, do the same.

      This will tell you whether a machine on your network may be sending spam from the same address as your email server.

    14. Re:First step is to collect data. by IcyWolfy · · Score: 2

      Users are assigned 5 IP addresses.
      Many block lists are not that granular blocking a /32 address.

      Thus, with the user's 23.32.69.15 address:
      If they block 23.32.69.15 /31 (.12 to .15) addresses, that would cover 4 IPs. We do not know if he owns all 4, but it would mean his 5th IP may escape the block. If he doesn't have all 4 in that block, then someone else, assigned an adjacent IP could have triggered the block.

      If they block 23.32.69.15/30 (.8 to .15) That would cover 8 IPs, a rule which could be triggered by someone unrelated to him that happens to have an adjacent IP address.

      It really depends on how granular the block is.
      I have pretty much never seen anyone block specific IP addresses before in email spam prevention.
      Normally, I only see /25 (128 IP addresses) blocks and rarely /26 (64 IP address blocks). And provable exceptions within those blocks get white-listed.
      It's much easier on the spam processing filter to minimize the number of potential rules. So, we over-block. And almost never get any complaints. The major commercial IPs are white-listed at the ACCEPT level (may be further down the line be flagged as SPAM)

    15. Re:First step is to collect data. by DigiShaman · · Score: 2

      I agree, if only to diagnose the original problem. But regardless, outbound port 25 should be restricted in the LAN with the exception of your e-mail server. That way, if a machine is infected, it can't blow SPAM out and sully the reputation of your public IP.

      --
      Life is not for the lazy.
    16. Re:First step is to collect data. by AK+Marc · · Score: 2

      You've done so much pre-work that you argue with everyone trying to help.

      the part that I have an issue with is that I have no recourse to have my IP reevaluated.

      Ah, you just came here to bitch about it because you are helpless. That's why you are rejecting all the help offered.

  16. Professional Mass Emailer by Mullen · · Score: 2

    At the company I work at, I run several large high volume mass mailing servers that send millions of messages a month (50 million last month). Here is what I recommend you do:

    1) Get forward and reverse DNS setup and most importantly, the forward and reverse DNS information must match.

    2) Set up and use DKIM for all outbound traffic.

    3) Have the SPF information in your DNS records. Don't put your block of IP's in SPF record, just the one IP that you use for sending email. Make sure there is a "-all" in the records so that it makes it clear that all other email claiming to be you is discarded by other server.

    4) You will need to setup Feed Back Loops and proper SWIP (If possible) contact information. You will need to go to the big 10 ISP's and submit the FBL information to them and get put on their White Lists. Don't lie to them, just tell them your personal email server that is having issues sending mail to them and you want to get on their White List. FBL's are usually for people who send high volumes of mail, include Newsletters and some "spammy" mail, but I find it helps regular mail servers if you set up FBL information.

    --
    Linux O Muerte!
  17. Re:Stop trying to host it yourself. by ahodgson · · Score: 2

    Yeah fuck that. I can host my own mail just fine, thanks. Google owns enough of the world.

  18. Comcast Business User With Own Mail Servers Here by ciurana · · Score: 4, Interesting

    Greetings.

    I have a Comcast Xfinity Business line, 5 static IP addresses, etc. It sounds like our mutual setups are equivalent. I've been running my email servers in my own domains since 1998, through some gone ISP, PacBell/AT&T, and Comcast without issues.

    Contact the Comcast business line. Have your actual account ready -- you can get that from the Comcast Business web page for your account. Those numbers changed in the last 12 months to a shorter, simpler format. Request technical support and discuss the issue.

    One thing that you MUST do if you want to run your own email: request that Comcast set reverse DNS to point at your servers for the non-authoritative request. A reverse DNS request to your IP address must return the name you use for your primary (and secondary, and so on) MX records. If that's set up, then you've solved 90% of the issues with Gmail and Yahoo!.

    As far as Hotmail: they've been rejecting my email unless users white list my address(es) in their individual accounts. This has happened since Microsoft bought them. No way around that, and no appeals; every time I tried to contact them I might as well have sent the emails/requests through a black hole.

    Source: 8+ years with Comcast Business, and I moved to a new location (with new IP addresses and new routers) 12 days ago. It took them 10 minutes to set the rDNS and propagate. Within an hour it was resolving fine and any lagging email issues were resolved (36 hours of some undelivered messages).

    Google my name "Eugene Ciurana" and ping me through my contact page if you want some assistance with your setup and/or other tips w/dealing with Comcast. I've been a very happy customer with them (they fixed my lines, including physical cable modem replacement due to physical failure, while I was out of the country last January and coordinating with someone who could open the door to them and so on), and in general found that, if you explain what you need and why, their tech guys do work with you to solve issues. The key is understanding that *you* may know more about networking/server setup than their tech guys, so if you aren't specific about what you want they may not grok what you need.

    Dear admins: WTF is a lameness filter? What is it filtering? I couldn't offer complete information to this guy because of the Comcast support number and/or IP addresses I listed. With my Karma level and the number of years I've been around, your system ought to be configured to let stuff through w/o issue. Look at my user ID. Thanks.

    Cheers!

    --
    http://eugeneciurana.com | http://ciurana.eu
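
    An added example (not from either commenter) of the forward/reverse DNS check that this comment and step 1 of the "Professional Mass Emailer" comment both describe: the PTR name of the sending IP must resolve back to that IP and should be one of the MX names. The hostnames and addresses are constructed; the `sample_*` resolvers stand in for DNS so the check runs offline, and the `system_*` ones use the real resolver.

```python
import socket

# Constructed sample data: documentation IPs and example.org/.net names.
SAMPLE_PTR = {
    "203.0.113.10": ["mail.example.org."],                     # custom rDNS
    "203.0.113.11": ["203-0-113-11-static.isp.example.net."],  # ISP default
}
SAMPLE_A = {"mail.example.org": ["203.0.113.10"]}


def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])


def sample_forward(name):
    return SAMPLE_A.get(name, [])


def system_ptr(ip):
    """PTR names for an IP from the system resolver ([] if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def system_forward(name):
    """A/AAAA addresses for a hostname from the system resolver."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def fcrdns(ip, mx_hosts, ptr=system_ptr, forward=system_forward):
    """Forward-confirmed reverse DNS: IP -> PTR name -> same IP again."""
    def norm(host):
        return host.rstrip(".").lower()

    ptr_names = [norm(n) for n in ptr(ip)]
    # Addresses are compared as text, so pass IPs in canonical form.
    confirmed = [n for n in ptr_names if ip in forward(n)]
    mx = {norm(h) for h in mx_hosts}
    return {
        "ptr": ptr_names,
        "forward_confirmed": bool(confirmed),
        "matches_mx": any(n in mx for n in confirmed),
    }
```

    Calling `fcrdns("<your sending IP>", ["<your MX name>"])` without the last two arguments queries live DNS instead of the sample tables.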
  19. Smarthost out via SMTP.Comcast.net on 465 or 587 by Hobart · · Score: 2

    You're being blocked because any mail leaving Comcast's IP spaces is expected to come from Comcast's mailservers only.

    Configure your mailserver with a "smarthost" option, have it deliver using Authenticated SMTP (with your Comcast account's username and password hardcoded, yes) over SSL on 465, or if you can't do SSL, use 587.

    Source: Am currently running Postfix on Comcast successfully delivering to Yahoo Mail with no spamfolder problem via this method. (Am using SPF, no DomainKeys yet.)

    More from Comcast on this: http://corporate.comcast.com/c...

    --
    o/~ Join us now and share the software ...