Comcast blocking 82.103.134.102 (noscript, informaction)

[username]

The reason given by the Comcast Security Department (888-565-4329) is that a trojan is communicating with 82.103.134.102. Click on the "Virus Characteristics" tab of this McAfee bulletin.

Trojan connects to following IP's through port 25:
209.85.231.147
82.103.134.102
74.125.148.13
216.239.32.10

Giorgio, could you work with them to get your ip unblocked?

[Giorgio Maone]

I've got no idea of why they're connecting to that IP, since it's not an open relay.
The other IPs belong to Google Inc., BTW.
Furthermore, I could live even with port 25 blocked on my IP, because the MX record is on a different IP.
However, could you ask Comcast to block just port 25?

[username]

I've got no idea of why they're connecting to that IP, since it's not an open relay.
The other IPs belong to Google Inc., BTW.
Furthermore, I could live even with port 25 blocked on my IP, because the MX record is on a different IP.
However, could you ask Comcast to block just port 25?

I tried, but it doesn't look like I have standing to alter/reverse their "security" decisions, they did indicate they would work with the ip/site owner though.

[Giorgio Maone]

I used their form for "spammy ISP", detailing the issue in the notes.
Hope it works...

[username]

I used their form for "spammy ISP", detailing the issue in the notes.
Hope it works...

They suggested that you call their security department:
http://security.comcast.net/get-help/co ... urity.aspx
888-565-4329

[Giorgio Maone]

Comcast Assistance Chat transcript follows:

user Giorgio has entered room


Giorgio(Fri Jan 15 2010 04:01:00 GMT+0100)>

IP blockage problem


analyst Rachel has entered room


Rachel(Fri Jan 15 2010 04:01:04 GMT+0100)>

Hello Giorgio, Thank you for contacting Comcast Live Chat Support. My name is Rachel. Please give me one moment to review your information.


Rachel(Fri Jan 15 2010 04:01:08 GMT+0100)>

I apologize for having to go through the hassle of chatting with us, but rest assured, I will be more than glad to help you out.


Rachel(Fri Jan 15 2010 04:01:27 GMT+0100)>

Giorgio, how are you doing today?


Rachel(Fri Jan 15 2010 04:01:28 GMT+0100)>

How may I be of assistance to you?


Giorgio(Fri Jan 15 2010 10:01:52 GMT+0100)>

Hello, I'm the developer of the NoScript and FlashGot Firefox extensions. An user of mine, which is a Comcast user, reported an issue with our websites.


Giorgio(Fri Jan 15 2010 10:01:57 GMT+0100)>

You're blocking our IP.


Giorgio(Fri Jan 15 2010 10:02:19 GMT+0100)>

See http://forums.informaction.com/viewtopi ... 149#p15149


Rachel(Fri Jan 15 2010 04:02:39 GMT+0100)>

Giogio, may I please know how is comcast blocking your ip.


Giorgio(Fri Jan 15 2010 10:02:57 GMT+0100)>

See the link above


Giorgio(Fri Jan 15 2010 10:03:08 GMT+0100)>

Apparently you're blocking also 4 Google IPs


Giorgio(Fri Jan 15 2010 10:03:35 GMT+0100)>

Because of a McAfee report


Giorgio(Fri Jan 15 2010 10:04:57 GMT+0100)>

Now, I'm OK with you blocking port 25 (even though I've got no idea of the reason of that traffic, since it's not an open relay), but blocking the IP outright is 1) useless (the traffic, as reported by McAfee, is only towards port 25), 2) damaging, because users can't reach our websites for support.


Rachel(Fri Jan 15 2010 04:05:37 GMT+0100)>

Let me check this for you Giorgio.


Rachel(Fri Jan 15 2010 04:05:43 GMT+0100)>

Please give me 2 to 4 minutes.


Rachel(Fri Jan 15 2010 04:06:44 GMT+0100)>

Giorgio, may I please know if the blocked was for sending email to you address.


Giorgio(Fri Jan 15 2010 10:08:51 GMT+0100)>

I've got no idea. I did not receive any "suspect" message, but I've got a really effective spamassassin setup.


Giorgio(Fri Jan 15 2010 10:09:40 GMT+0100)>

That said, the IP in question is not even the proper MX. It's the Web server IP.


Rachel(Fri Jan 15 2010 04:10:02 GMT+0100)>

One moment please.


Rachel(Fri Jan 15 2010 04:11:11 GMT+0100)>

May I please know what is the the name of your organization that the ip belongs to that is being blocked.


Giorgio(Fri Jan 15 2010 10:11:46 GMT+0100)>

InformAction scarl, http://www.informaction.com


Rachel(Fri Jan 15 2010 04:11:57 GMT+0100)>

Thank you.


Rachel(Fri Jan 15 2010 04:12:44 GMT+0100)>

Giorgio, is you client wanting to send email to your organization but is being blocked?


Giorgio(Fri Jan 15 2010 10:13:40 GMT+0100)>

Apparently he was trying to access our websites, http://noscript.net, http://forums.informaction.com


Giorgio(Fri Jan 15 2010 10:14:30 GMT+0100)>

If you're just blocking 82.103.134.102 he should be able to reach us by email, since the MX is on a different IP.


Giorgio(Fri Jan 15 2010 10:14:41 GMT+0100)>

82.103.134.102 is our web server IP


Giorgio(Fri Jan 15 2010 10:15:11 GMT+0100)>

That's why I suspect you're blocking the whole IP, rather than just port 25 (which would be fine for us)


Rachel(Fri Jan 15 2010 04:15:42 GMT+0100)>

Giogio, please let me inform you we do not block ip addresses.


Rachel(Fri Jan 15 2010 04:16:13 GMT+0100)>

Please do advise your comcast client to contact us so that we could check on his settings.


Giorgio(Fri Jan 15 2010 10:16:28 GMT+0100)>

Mmmm, so your user is misinformed? He said he talked with your call center. Did you read the forum thread?


Rachel(Fri Jan 15 2010 04:16:39 GMT+0100)>

I did, Giorgio.


Giorgio(Fri Jan 15 2010 10:16:45 GMT+0100)>

Your call center suggested that I contacted you.


Rachel(Fri Jan 15 2010 04:16:54 GMT+0100)>

Comcast do not block ip addresses.


Giorgio(Fri Jan 15 2010 10:17:29 GMT+0100)>

So you're able to reach http://noscript.net ?


Rachel(Fri Jan 15 2010 04:17:37 GMT+0100)>

Yes Giorgio.


Giorgio(Fri Jan 15 2010 10:17:46 GMT+0100)>

(I mean through the comcast consumer network)


Giorgio(Fri Jan 15 2010 10:17:48 GMT+0100)>

OK


Giorgio(Fri Jan 15 2010 10:18:05 GMT+0100)>

I'll paste this conversation on the thread, then, and see what he does.


Rachel(Fri Jan 15 2010 04:18:01 GMT+0100)>

Yes Giorgio.


Rachel(Fri Jan 15 2010 04:18:10 GMT+0100)>

We can access your website.


Giorgio(Fri Jan 15 2010 10:18:37 GMT+0100)>

OK, I'm gonna quote you. Thanks for this conversation.


Rachel(Fri Jan 15 2010 04:19:31 GMT+0100)>

Alright, Giorgio.


Rachel(Fri Jan 15 2010 04:19:37 GMT+0100)>

Have I answered all of your concerns today? Do you have any further questions that you want me to address? It will be my pleasure to help you with that.


Giorgio(Fri Jan 15 2010 10:20:38 GMT+0100)>

No, thanks. I contacted you just because that user told me you needed me to.

[username]

Giorgio,

I posted the number of the Comcast security department (888-565-4329). This is whom you need to speak to. Perhaps you were misled by the chat link on the security page, but there is no specialized security chat, it's just regular Comcast chat support and they are not qualified to deal with this, to put it mildly.

[therube]

Ah, so that's why I've been unable to load anything "maone" (from home).

Would PING/TRACERT show anything of interest.
If so, what IP/domain should I use?

Last evening when I still couldn't connect, I reset my modem, restarted my computer ... thinking it could have been a messed up DNS, but that did not help.

Maybe there's someone at McAfee you could contact to find out why your IP shows in their report?

[Giorgio Maone]

Could some customer of theirs (therube?) call pointing them to this thread? Thanks.

[therube]

McAfee TrustedSource: informaction

[Giorgio Maone]

McAfee TrustedSource: informaction

Did you try to talk with them?

[Jim Too]

I did a trace last night using DNSSTUFF when I saw the problem reported in a comcast help forum. What I found at the time was the routing taken to all the routers on the DNSSTUFF trace up to and including 80.91.249.194 (TELIANET) was the same. The next router (89.150.89.203, DBNET-AS), which is the last one in the DNSSTUFF trace before noscript.net (82.103.134.102) took an entirely different path through comcast and used a different network once it left comcast's. I don't recall if that next to last hop responded or not.

Seeing this entry (I'm at work) I redid the DNSSTUFF tracing. What is interesting is DNSSTUFF also takes a totally different route to 89.150.89.203 (using LEVEL3) when I trace to it directly then when I trace to noscript.net. I didn't think to try that last night. When I trace to noscript.net (using DNSSTUFF) ATT.NET and TELIA.NET are used (LEVEL3 isn't in the picture). Routing being what it is, the return path used might be different than the path taken to get to noscript.net. It might be interesting to see what a trace from Giorgio's end to a Comcast router looks like.

[username]

Could some customer of theirs (therube?) call pointing them to this thread? Thanks.

I have spoken to them (Security Department) before starting this thread, they have blocked your ip deliberately and though I asked them to review their decision, it didn't seem like that would be enough. They suggested that you (the ip/site owner) call them (888-565-4329) to resolve this. You seem to be reluctant, why?

[Giorgio Maone]

Could some customer of theirs (therube?) call pointing them to this thread? Thanks.

I have spoken to them (Security Department) before starting this thread, they have blocked your ip deliberately and though I asked them to review their decision, it didn't seem like that would be enough. They suggested that you (the ip/site owner) call them (888-565-4329) to resolve this. You seem to be reluctant, why?

Because my landline is currently broken and I'm in queue since 3 hours ago on my cell phone to talk with a f**g Tiscali technician.

[Giorgio Maone]

I went through their chat system again and a "Sara Joy" asked me for a phone number to connect their security dep to.
I gave them another cell of mine, and they should be about to call (let's hope so), she said 10-20 minutes 15 minutes ago.