Slashdot Mirror


Ask Slashdot: How To Unblock Email From My Comcast-Hosted Server?

New submitter hawkbug writes: For the past 15 years, I have hosted my own email server at home and it's been pretty painless. I had always used a local Denver ISP on a single static IP. Approximately two years ago, I switched to a faster connection, which now is hosted on Comcast. They provide me 5 static IPs and much faster speeds. It's a business connection with no ports blocked, etc. It has been mostly fine these last two years, with the occasional outage due to typical Comcast issues. About two weeks ago, I came across a serious issue. The following email services started rejecting all email from my server: Hotmail, Yahoo, and Gmail. I checked, and my IP is not on any real-time blacklists for spammers, and I don't have any security issues. My mail server is not set as an open relay, and I use SPF records and pass all SPF tests. It appears that all three of those major email services started rejecting email from me based on a single condition: Comcast. I can understand the desire to limit spam — but here is the big problem: I have no way to combat this. With Gmail, I can instruct users to flag my emails as "not spam" because the emails actually go through, but simply end up in the spam folder. Yahoo and Hotmail, on the other hand, just flat out reject the traffic at a lower level. They send rejection notices back to my server that contain "tips" on how to make sure I'm not an open relay, causing spam, etc. Since I am not doing any of those things, I would expect some sort of option to have my IP whitelisted or verified. However, I cannot find a single option to do so. The part that bugs me is that this happened two weeks ago with multiple major email services. Obviously, they are getting anti-spam policies from a central location of some kind. I don't know where. If I did, I could possibly go after the source and try to get my IP whitelisted. When I ask my other tech friends what they would do, they simply suggest changing ISPs. 
Nobody likes Comcast, but I don't have a choice here. I'm two years into a three-year contract. So, moving is not an option. Is there anything I can do to remedy this situation?

23 of 405 comments

  1. Call Comcast? by Pope · · Score: 5, Insightful

    It's a business account, you should have a business support line.

    --
    It doesn't mean much now, it's built for the future.
    1. Re:Call Comcast? by hawkbug · · Score: 3, Interesting

      And say what exactly? They are not the problem. It's the other email providers blocking me simply because I'm on a Comcast IP.

    2. Re:Call Comcast? by csnydermvpsoft · · Score: 3, Insightful

      There's likely someone else on a nearby IP address with a misbehaving mail server, and your IP address is collateral damage. While they might not be able to fix your problem, the reputation of the IP addresses that they hand out is at least partially your ISP's responsibility.

    3. Re:Call Comcast? by ledow · · Score: 4, Insightful

      Their IP is their management problem. If they were on a spam blocklist, you'd expect to move to another.

      You tell them if you can't send mail from your business account, it's pointless having it.

      Then you terminate the contract because it's now useless and the conditions you can use it under have changed - you can NO LONGER SEND EMAIL.

      Then it's in their court. They can either fix it, or let you out of the contract. If they do neither, you terminate the contract and let them chase you.

    4. Re:Call Comcast? by DigiShaman · · Score: 4, Informative

      www.mxtoolbox.com is your friend. Run SMTP tests, and check your static IP against a huge list of known black lists.

      I ran into a similar issue with one of my clients behind a rural business-class DSL connection. They were only blacklisted from SORBS because their netblock range was dynamic (DUHL). Technically, this was true because their "static IP" was really a sticky IP via DHCP with an indefinite lease. But SORBS doesn't give a shit. You're on the DUHL, you're fucked. Only their ISP can talk to SORBS, not the end-user as I understand it. In the end, the client had to subscribe to a Smart Host to get around this.

      With regards to SORBS; admins don't let admins reference SORBS. Fuck them, and their shitty pompous policies!

      --
      Life is not for the lazy.
    5. Re:Call Comcast? by arth1 · · Score: 3, Informative

      Unfortunately this is not the case. I tracked it down. The anti spam service blocks all cable company ip address blocks by default.

      No, they don't. I send e-mail just fine through a cable company IP address. You have to make sure you're not on a residential IP block, and that you request removals from lists like Spamhaus PBL.

    6. Re:Call Comcast? by rahvin112 · · Score: 3, Informative

      I'm using Comcast Business with 5 static IPs like yourself, I also run my own email services like you. I just sent an email to my gmail account from my domain and it was passed through cleanly, not spam filtered.

      Your IP is likely blacklisted somewhere. That you are flagged in multiple providers says you're on a list somewhere, whether that's an RBL (there are literally hundreds of RBLs) or one of the others, or you have a configuration issue that is triggering the flag. What have you changed recently or applied security updates to? I had an update at one point that toggled a configuration overwrite and took ages to find because I didn't think the configuration had changed.

    7. Re:Call Comcast? by rahvin112 · · Score: 3, Interesting

      One thing I forgot to mention: in reading the other replies, people are claiming that Google at least requires DKIM, in that they reject all mail without a valid DKIM. My server is set up to use both SPF and DKIM and I'm not having problems.

  2. Host your email somewhere else by dheltzel · · Score: 5, Informative

    I gave up trying to do this on Comcast and now host my email at Zoho. It's free for the few accounts I need. I know it may not work for everyone, but I got weary fighting those battles.

  3. Re:tl;dr by wiredlogic · · Score: 4, Funny

    The Comcast phone slaves won't have a page on their script to fix his problem. Might I suggest pulling the power plug from the router and rebooting the PC, though.

    --
    I am becoming gerund, destroyer of verbs.
  4. Same issue... just relayed all outgoing mail by mlts · · Score: 5, Informative

    I have had the same problem, and this is regardless of providers. Lists of dynamic IP ranges (be it cable, DSL, or other providers) wind up on DUL (dial-up lists), and those are often part of blackhole lists. Since most botnet clients are from DUL-based IPs, E-mail providers just block those as a matter of course.

    What I did was have my private E-mail server use the SMTP server of my ISP for relaying. Problem fixed. However, if you don't have an SMTP server available that allows for different domains, there are commercial services which can relay your outgoing E-mail, which provides "legitimacy" to your messages.

    The exception was direct Exchange connectors. Those were established from Exchange server to Exchange server, so mail would go directly via a secure pipe, and not be relayed.

    1. Re:Same issue... just relayed all outgoing mail by Anon-Admin · · Score: 5, Insightful

      Ditto! I had the same issue and solved it the same way. Comcast has an SMTP relay that will blanket allow all internal IPs. I simply pointed mine to their SMTP relay and it was allowed.

    2. Re:Same issue... just relayed all outgoing mail by fgodfrey · · Score: 3, Informative

      You can't use that on a Comcast Business account (or at least my Comcast Business account couldn't). After 4 phone calls, they finally confirmed that their mail server won't send mail for anyone else's domain. I.e., if you own example.com, Comcast's server won't relay mail for foo@example.com, only for foo@comcast.net.

      Now.... My information is about 7 months old so maybe they changed this without telling anyone? If your information is newer I should probably revisit my mail configuration.

      Meantime, I just tried from my domain (email server sends directly from a Comcast Business IP) and had no problems sending to Yahoo Mail so they aren't blocking *ALL* Comcast Business IPs. I also have (hopefully) correct reverse DNS on my email server and SPF records in my DNS.

      --
      Go Badgers! -- #include "std/disclaimer.h"
    3. Re:Same issue... just relayed all outgoing mail by drakaan · · Score: 3, Informative

      Bear in mind that doing so gives Comcast a copy of every email you send, of course.

      --
      "Murphy was an optimist" - O'Toole's commentary on Murphy's Law
  5. Testing and config verification by Xanthvar · · Score: 5, Informative

    I am probably going to repeat things that you already know, but let's start at the basics.

    1. Do you have a PTR/reverse DNS record set up? This has to be done by your ISP, and is not something that you generally do on your own. You generally want it to match the host name for your mail server, but it doesn't have to be a match (but it does look better). Be sure to have an A record for that hostname as well.

    2. Are your MX records pointing to hostnames and not an IP address? Again, you probably are, but we are covering basics here.

    3. Have you checked to see if you are on any blacklists? mxtoolbox.com and dnsstuff.com have some very good tools for checking these things. If you are on one, they often have pretty good instructions on how/why you are listed and what you need to do to get off of it.
    FYI backscatterererererererererer is generally a pain to deal with, good luck if you have to deal with them, you will need it.

    4. Are you (or any other users) forwarding any email to external mail services? We (unfortunately) have several of our clients who are forwarding email from their custom domain name to a yahoo/hotmail/aol (yes, it still exists) email account. The problem with this is that when they get spam (that they signed up for, like newsletters and bargain alerts), and they forward it to their external account, it looks like our mail server is the one sending the spam, so we get the black mark.

    5. This is the tough one... are you absolutely sure you are not sending spam? You may need to go so far as to slap a sniffer on your network and see if you are sending out any other email. You may be infected with a virus, or you have an account with compromised credentials that is sending out email.

    6. Are you running SSL/TLS (even though SSL 3 and TLS 1.0 are now dead) with a real (non-self-signed) SSL cert on your server? SSL certs can be gotten very cheap, $10 a year, or possibly even cheaper. They are a minor pain to set up as they need intermediary certs set up, but they help to define that you are a legitimate email sender, rather than a PC with a virus.

    You may be doing all of these steps, especially if you have been running your own mail server for 15 years, but I posted these suggestions in the hopes that it may jar something loose.

    Good Luck
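
Added example, not part of the thread: checks 1 and 3 from the list above (forward-confirmed reverse DNS and blacklist lookups) written as a Python sketch. The addresses, hostnames and the two `dnsbl.example` zones are constructed placeholders, and the resolver functions are injectable so the logic can be exercised offline.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """DNSBL lookups use the IPv4 octets reversed, followed by the list's zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything else
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_ptr(ip):
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []

def system_a(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_sender(ip, mail_host, zones, ptr=system_ptr, a=system_a):
    """Return a list of findings; an empty list means these checks pass."""
    findings = []
    names = [n.rstrip(".").lower() for n in ptr(ip)]
    if not names:
        findings.append("no PTR record for " + ip)
    elif not any(ip in a(n) for n in names):
        findings.append("PTR " + names[0] + " does not resolve back to " + ip)
    elif mail_host.lower() not in names:
        findings.append("PTR " + names[0] + " is not the mail hostname " + mail_host)
    for zone in zones:
        answers = a(dnsbl_query_name(ip, zone))
        # Spamhaus documents 127.255.255.x answers as query errors (for example
        # a query arriving through a public resolver), not as listings.
        if any(x.startswith("127.255.255.") for x in answers):
            findings.append(zone + ": query refused, result unknown")
        elif answers:
            findings.append("listed in " + zone + " (" + answers[0] + ")")
    return findings

# Constructed DNS data standing in for real lookups.
FAKE_PTR = {"192.0.2.25": ["mail.example.com."],
            "192.0.2.26": ["host26.isp.example."]}
FAKE_A = {"mail.example.com": ["192.0.2.25"],
          "host26.isp.example": ["192.0.2.26"],
          "26.2.0.192.dul.dnsbl.example": ["127.0.0.10"],
          "25.2.0.192.pub.dnsbl.example": ["127.255.255.254"]}

def demo(ip, mail_host="mail.example.com"):
    return check_sender(ip, mail_host, ["dul.dnsbl.example", "pub.dnsbl.example"],
                        ptr=lambda i: FAKE_PTR.get(i, []),
                        a=lambda n: FAKE_A.get(n, []))

if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.26", "192.0.2.27"):
        print(ip, demo(ip))
```

Calling `check_sender` without the `ptr` and `a` arguments uses the system resolver; a "query refused" finding means the lookup should be repeated through a resolver the list operator accepts before concluding the address is clean.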

    1. Re:Testing and config verification by hawkbug · · Score: 3, Informative

      You guys crack me up. To answer the questions:

      1) Absolutely. The first thing I did when I moved to this net block on Comcast is have them create my associated pointer records, so reverse DNS is correct.

      2) Yes, MX records are correct.

      3) I've checked every blacklist using sites like those mentioned above. My IP does not exist on a single one.

      4) No forwarding.

      5) Yes, I monitor my network traffic in various ways - and no, I am not sending spam. If I was, it would be a matter of hours before I would show up on an RBL anyway, which I'm not on.

      6) Absolutely. I have paid for a cert that matches my domain. It's not self signed.

      I think some others have brought up some things that I'm not doing:

      1) DKIM. I've read about this, but I didn't realize a lot of people were using it yet. Sounds like they are and that I'm behind the curve here.

      2) DMARC. Same here. I've read about it, but not using it yet.

      I'm also using SPF.

  6. First step is to collect data. by khasim · · Score: 4, Insightful

    He's having problems with 3 services.

    1. GMAIL - messages accepted but marked as spam.

    2. YAHOO - messages rejected (what do the logs say?)

    3. HOTMAIL - messages rejected (what do the logs say?)

    So the first step is to look at the logs and see if the rejection message has any information in it. Do the rejection messages at YAHOO and HOTMAIL have the same code?

    The next step is to check with a service like http://www.dnsgoodies.com/ to make sure that Comcast has configured their side correctly. The reverse DNS should point to your domain. You DO have a domain, right?

    The more information you have before you contact Comcast, the better. Because the first 2 levels won't know anything about anything. They will be reading off of a script.

    1. Re:First step is to collect data. by hawkbug · · Score: 3, Informative

      Thanks for the reply, I appreciate it. To answer your questions:

      1) Yes, I have a domain. The reverse DNS is correct and I have SPF records for the domain. Also, I'm not running an open relay and my mail server and IP address are not on any RBLs.

      2) Each mail service I listed above provides different results. First, Google doesn't send me an email back notifying me of an issue. They simply dump the email into the spam folder of whomever I email. Yahoo spits out several messages:

      Deferred: 421 4.7.1 [TS03] All messages from XXX.XXX.XXX.XXX will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/42...

      Deferred: 421 4.7.0 [TS01] Messages from XXX.XXX.XXX.XXX temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/42...

      Hotmail spits back this message:

      Deferred: 421 RP-001 (BAY004-MC5F24) Unfortunately, some messages from XXX.XXX.XXX.XXX weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/trou....

    2. Re:First step is to collect data. by khasim · · Score: 4, Insightful

      Deferred: 421 4.7.0 [TS01] Messages from XXX.XXX.XXX.XXX temporarily deferred due to user complaints - 4.16.55.1; see

      That seems to indicate that at least one of your recipients at YAHOO is actively flagging your messages as spam. Maybe they have incorrectly written a rule that is doing so.

      Deferred: 421 4.7.1 [TS03] All messages from XXX.XXX.XXX.XXX will be permanently deferred; Retrying will NOT succeed.

      ... and ...

      Deferred: 421 RP-001 (BAY004-MC5F24) Unfortunately, some messages from XXX.XXX.XXX.XXX weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day.

      And that one seems to be saying that your IP address is sending too many messages.

      How many messages per day are you sending?
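
Added example, not part of the thread: a Python sketch that pulls the reply code, enhanced status code and provider tag out of deferral lines like the ones quoted above and sorts them into triage buckets. The three sample lines are the thread's own messages with the truncated URLs left off; the bucket names are assumptions of this example.

```python
import re
from collections import Counter

DEFERRAL = re.compile(
    r"Deferred:\s+(?P<code>\d{3})"
    r"(?:\s+(?P<enhanced>\d\.\d+\.\d+))?"
    r"(?:\s+(?:\[(?P<tag_a>\w+)\]|(?P<tag_b>[A-Z]+-\d+)))?"
    r"\s+(?P<text>.+)"
)

# Phrase -> bucket, checked in order. The phrases come from the quoted bounces.
RULES = [
    ("retrying will not succeed", "hard-block"),
    ("user complaints", "complaints"),
    ("limits for how many messages", "rate-limit"),
]

def parse_deferral(line):
    m = DEFERRAL.search(line)
    if not m:
        return None
    text = m.group("text").lower()
    bucket = next((b for phrase, b in RULES if phrase in text), None)
    if bucket is None:
        bucket = "temporary" if m.group("code").startswith("4") else "other"
    return {
        "code": m.group("code"),
        "enhanced": m.group("enhanced"),
        "tag": m.group("tag_a") or m.group("tag_b"),
        "bucket": bucket,
        # A 4xx code tells the sending server to retry; flag text that says
        # retrying is pointless so the queue is not left to spin for days.
        "code_contradicts_text": m.group("code").startswith("4")
                                 and bucket == "hard-block",
    }

def summarize(lines):
    parsed = [p for p in map(parse_deferral, lines) if p]
    return Counter((p["tag"], p["bucket"]) for p in parsed)

SAMPLE = [
    "Deferred: 421 4.7.1 [TS03] All messages from XXX.XXX.XXX.XXX will be "
    "permanently deferred; Retrying will NOT succeed.",
    "Deferred: 421 4.7.0 [TS01] Messages from XXX.XXX.XXX.XXX temporarily "
    "deferred due to user complaints - 4.16.55.1;",
    "Deferred: 421 RP-001 (BAY004-MC5F24) Unfortunately, some messages from "
    "XXX.XXX.XXX.XXX weren't sent. Please try again. We have limits for how "
    "many messages can be sent per hour and per day.",
    "status=sent (constructed line that is not a deferral)",
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(key, count)
```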

    3. Re:First step is to collect data. by kiphat · · Score: 3, Interesting

      It may be that when one user complains, they block ALL email from your server; not just mail to the complaining account holder.

    4. Re:First step is to collect data. by khasim · · Score: 3, Informative

      So, in other words, both of these messages are crap and not accurate.

      They are similar messages from two different services. It is very unlikely that they are both claiming the same problem ... incorrectly.

      You've had those IP addresses for 2 years without problems so it probably is not a pre-existing issue with the IP addresses.

      Do you have a firewall that you can configure to monitor outbound port 25 attempts from your network? Or do you know how to use a sniffer such as Wireshark to do so?

      Or can you move your email server to one of the other IP addresses you have? And see if it is still blocked?

      Right now it is looking like the problem is on your network. Not Comcast and not GMAIL or YAHOO or HOTMAIL. I might be wrong. But if it were me, I'd test my network first. Otherwise, even if you do get through to YAHOO or HOTMAIL they'll look at the logs and say the same thing.

    5. Re:First step is to collect data. by khasim · · Score: 4, Informative

      The traffic coming from my server is so ridiculously small, that I was shocked to begin getting messages like these from those email providers.

      Not your server.

      Your network.

      Monitor the traffic going into or out-of your cable modem to see what is happening on outbound port 25 for that IP address. Do this for 24 hours.

      Move your mail server to a different IP address if that is possible. You have 5 addresses, right?

      The rejection messages are saying that YAHOO and HOTMAIL are seeing too many messages from your specific IP address.

      GMAIL is accepting the messages but flagging them as spam.

      It is extremely unlikely that three competing services are all using the same SMTP-blacklist (that they refuse to identify) to reject messages.
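
Added example, not part of the thread: a Python sketch of the outbound port 25 check suggested above. It counts new connection attempts to TCP port 25 per source address in `tcpdump -nn` text output and reports every source that is not the known mail server. The capture lines and addresses are constructed.

```python
import re
from collections import defaultdict

# "[S]" is a bare SYN, i.e. a new connection attempt. Capture with -nn so the
# port prints as 25 rather than "smtp".
SYN_TO_25 = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.25: Flags \[S\]"
)

def smtp_attempts_by_source(lines):
    """Map each source IP to its SYN count and distinct port-25 destinations."""
    attempts = defaultdict(lambda: {"syns": 0, "destinations": set()})
    for line in lines:
        m = SYN_TO_25.search(line)
        if m:
            entry = attempts[m.group("src")]
            entry["syns"] += 1
            entry["destinations"].add(m.group("dst"))
    return dict(attempts)

def unexpected_senders(attempts, mail_servers):
    """Sources opening SMTP connections that are not a known mail server."""
    rows = [(src, e["syns"], len(e["destinations"]))
            for src, e in attempts.items() if src not in mail_servers]
    return sorted(rows, key=lambda row: -row[1])

# Constructed capture: .10 is the mail server, .12 is some other machine.
CAPTURE = """\
09:15:01.100001 IP 198.51.100.10.40112 > 203.0.113.5.25: Flags [S], seq 1, win 64240, length 0
09:15:01.150002 IP 203.0.113.5.25 > 198.51.100.10.40112: Flags [S.], seq 9, ack 2, win 65160, length 0
09:15:02.200003 IP 198.51.100.12.51001 > 203.0.113.77.25: Flags [S], seq 1, win 8192, length 0
09:15:02.210004 IP 198.51.100.12.51002 > 203.0.113.78.25: Flags [S], seq 1, win 8192, length 0
09:15:02.220005 IP 198.51.100.12.51003 > 203.0.113.79.25: Flags [S], seq 1, win 8192, length 0
09:15:03.300006 IP 198.51.100.12.51004 > 203.0.113.10.443: Flags [S], seq 1, win 8192, length 0
""".splitlines()

if __name__ == "__main__":
    stats = smtp_attempts_by_source(CAPTURE)
    for src, syns, dests in unexpected_senders(stats, {"198.51.100.10"}):
        print(src, "opened", syns, "SMTP connections to", dests, "hosts")
```

If the hosts sit behind NAT, capture on the inside interface, otherwise every connection appears to come from the same public address.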

  7. Comcast Business User With Own Mail Servers Here by ciurana · · Score: 4, Interesting

    Greetings.

    I have a Comcast Xfinity Business line, 5 static IP addresses, etc. It sounds like our mutual setups are equivalent. I've been running my email servers in my own domains since 1998, through some gone ISP, PacBell/AT&T, and Comcast without issues.

    Contact the Comcast business line. Have your actual account ready -- you can get that from the Comcast Business web page for your account. Those numbers changed in the last 12 months to a shorter, simpler format. Request technical support and discuss the issue.

    One thing that you MUST do if you want to run your own email: request that Comcast set reverse DNS to point at your servers for the non-authoritative request. A reverse DNS request to your IP address must return the name you use for your primary (and secondary, and so on) MX records. If that's set up, then you've solved 90% of the issues with Gmail and Yahoo!.

    As far as Hotmail: they've been rejecting my email unless users white list my address(es) in their individual accounts. This has happened since Microsoft bought them. No way around that, and no appeals; every time I tried to contact them I might as well have sent the emails/requests through a black hole.

    Source: 8+ years with Comcast Business, and I moved to a new location (with new IP addresses and new routers) 12 days ago. It took them 10 minutes to set the rDNS and propagate. Within an hour it was resolving fine and any lagging email issues were resolved (36 hours of some undelivered messages).

    Google my name "Eugene Ciurana" and ping me through my contact page if you want some assistance with your set up and/or other tips w/dealing with Comcast. I've been a very happy customer with them (they fixed my lines, including physical cable modem replacement due to physical failure, while I was out of the country last January and coordinating with someone who could open the door to them and so on), and in general found that, if you explain what you need and why, their tech guys do work with you to solve issues. The key is understanding that *you* may know more about networking/server set up than their tech guys, so if you aren't specific about what you want they may not grok what you need.

    Dear admins: WTF is a lameness filter? What is it filtering? I couldn't offer complete information to this guy because of the Comcast support number and/or IP addresses I listed. With my Karma level and the number of years I've been around, your system ought to be configured to let stuff through w/o issue. Look at my user ID. Thanks.

    Cheers!

    --
    http://eugeneciurana.com | http://ciurana.eu