Visitor
Posts: 4
Registered: ‎12-31-2006
Accepted Solution

Legitimate? : Comcast Online communication: Action required to maintain security benefit

I received an email 'from' "Comcast Online Communications" with

subject "Important - Action required to maintain security benefit"

 

I've had a mild spate of spam this last week, and this sounded classically suspicious, so (outlook express) right clicked and looked at properties->message source 

and the email contains no readable text, just looks like probably executable code.

 

Chatted with a service rep (Norton) and found out that Comcast is/has switched from McAfee to Norton.

He thought maybe it was a mailing of a Norton installer.... but it bothers me that there is no message explaining what it is.

 

Not to mention it surprised the heck out of me to learn of the switch. Have not gotten any notice about that before now.

 

Anyway, can anyone provide some insight?  On one hand, I don't want to delete the email if I really need to run it ... on the other hand, I don't want to run it until I know whether it is legitimate <sigh> 

 

Thanks !

 

Service Expert
Queen-Evie
Posts: 14,021
Registered: ‎02-04-2004

Re: Legitimate? : Comcast Online communication: Action required to maintain security benefit

Delete it. If you want to download Norton, you can do so from here: http://security.comcast.net/?cid=NET_33_0

 

If it is indeed a Norton installer, it's from someone whose intentions are not good and not from Comcast.

 

Could you post the headers of the mail for someone to look at?

 



 


Comcast employees must be authorized to post in the forum in an official capacity. Employees posting here have their names in red and are designated as employees. Names not in red are customers.

This is done to protect customers and for assurance that they are dealing with a Comcast employee.
Non-Authorized Employees are allowed to post but cannot state they are employees nor can they allude to being employees.

Visitor
Posts: 4
Registered: ‎12-31-2006

Re: Legitimate? : Comcast Online communication: Action required to maintain security benefit

Thank you Queen-Evie.

Header follows. It looks legitimate to my limited knowledge, but I don't trust headers very much....

I edited out my email address from the 'to' line.

---------------------------------------------------------------------

 Return-Path: online.communications@alerts.comcast.net
Received: from imta33.westchester.pa.mail.comcast.net (LHLO
 imta33.westchester.pa.mail.comcast.net) (76.96.59.218) by
 sz0072.wc.mail.comcast.net with LMTP; Tue, 16 Feb 2010 20:39:20 +0000 (UTC)
Received: from qmta02-mdp.westchester.pa.bo.comcast.net ([76.96.68.102])
    by imta33.westchester.pa.mail.comcast.net with comcast
    id ikcc1d01G2CPKCC0ZkfLnq; Tue, 16 Feb 2010 20:39:20 +0000
X-CAA-SPAM: T00000
X-Authority-Analysis: v=1.1 cv=w8Ou+MvQaTnYX8W+/AaSZuuwFfVYGkfjiWtXZV1Ao5U=
 c=1 sm=1 a=XmocPYQtzU4A:10 a=Bbu6GzyACCW9MTNo9DNr6Q==:17 a=SSmOFEACAAAA:8
 a=C_IRinGWAAAA:8 a=6MyZ0KW2AAAA:8 a=tUiggMi_4jjrDPK8T1gA:9
 a=1eVCMiajXv8snaA9lb8A:7 a=cGMzKIY0C_bBJm-Iw7vRToHQJaQA:4 a=5fwgZmwvAAAA:8
 a=pvs9McfvB0NgV1GntCYA:9 a=lRGJrMB2pnCyRiooOD8A:7
 a=UGp2Z6i52F5bNT61qEV-PLQIANEA:4 a=0wZyaj0JoPsA:10 a=ufBmZfYY3bRfrWIJ:21
 a=ygAfWYtly5axzFHC:21 a=2rzPSNuY41LahjFaOe2+MA==:117
Received: from omta02-mdp.westchester.pa.bo.comcast.net ([76.96.53.12])
    by qmta02-mdp.westchester.pa.bo.comcast.net with comcast
    id iiSd1d00G0FoFkC01ke5xY; Tue, 16 Feb 2010 20:38:05 +0000
Received: from PACDCMSSAPP02 ([68.87.97.254])
    by omta02-mdp.westchester.pa.bo.comcast.net with bizsmtp
    id ikdU1d0025VJHpw06ke5Z7; Tue, 16 Feb 2010 20:38:05 +0000
X-EventId: [EventId:6549966:/EventId]
MIME-Version: 1.0
From: "Comcast Online Communications" <online.communications@alerts.comcast.net>
Sender: "Comcast Online Communications" <online.communications@alerts.comcast.net>
To: <NOTE - My email address edited out >

Reply-To: "Comcast Online Communications" <online.communications@alerts.comcast.net>
Date: 16 Feb 2010 15:38:04 -0500
Subject: =?utf-8?B?SW1wb3J0YW50IC0gQWN0aW9uIFJlcXVpcmVkIHRvIE1haW50YWluIFNlY3VyaXR5IFN1aXRlIEJlbmVmaXQ=?=
Content-Type: multipart/alternative;
 boundary=--boundary_1096896_3af04c64-9f44-4e46-9219-517687b1adbe

 

Bronze Star Contributor
npersn31
Posts: 389
Registered: ‎01-01-2008

Re: Legitimate? : Comcast Online communication: Action required to maintain security benefit

Queen-Evie,

I got one too and asked CWH803 about it. CW said to send it to Comcast George which I did.

npersn31

Security Expert
CWH803
Posts: 5,341
Registered: ‎09-25-2003

Re: Legitimate? : Comcast Online communication: Action required to maintain security benefit

[ Edited ]

%#!*&$$!   

 

Can you imagine an e-mail that looks like it came from your ISP that says "We changed something" and you can "Click Here" to take advantage of that change?

 

&%%!$$23  &^^%$@1!

 

Can you imagine an e-mail that actually came from your ISP that says "We changed something" and you can "Click Here" to take advantage of that change?

 

**&@$!! $@**^#~!!  !%&$## @**^@&# $*#^^!! +

 

Only an ISP fool would actually send such an e-mail message and expect customers to click the "Click Here".

 

$&#$@!!!!

 

Only a fool would actually click on the "Click Here".

 

But I haven't received the e-mail in question via my Comcast E-mail inbox. I could be misinterpreting the e-mail's content and appearance.

Message Edited by CWH803 on 02-17-2010 09:21 AM

Signature: 127.0.0.1, Sweet 127.0.0.1 and I recommend all of these Anti-malware tools and Procedures. (updated May 2010)
Security Expert
CWH803
Posts: 5,341
Registered: ‎09-25-2003

Re: Legitimate? : Comcast Online communication: Action required to maintain security benefit

Seems that using E-Mail that resembles a phishing attempt is common from Comcast.  See one from Comcast about  "Subject: Usage Meter: Pilot Launch".

 

Note that the Subject field in the post of the headers from the "McAfee->Norton" message above this post seems to be an executable.


Bronze Problem Solver
lunski
Posts: 1,757
Registered: ‎09-03-2008

Re: Legitimate? : Comcast Online communication: Action required to maintain security benefit


npersn31 wrote:

Queen-Evie,

I got one too and asked CWH803 about it. CW said to send it to Comcast George which I did.

npersn31


hello np and all posters.

 

please forward me these emails, afterwards please delete them.

 

as a reminder, comcast will never ask for personal information.

 

please email to my address below.

 

thank you.

George Lunski
"Retired" Comcast Help Forums Administrator
Email Expert
Posts: 18,241
Registered: ‎04-27-2004

Re: Legitimate? : Comcast Online communication: Action required to maintain security benefit


CWH803 wrote:

Note that the Subject field in the post of the headers from the "McAfee->Norton" message above this post seems to be an executable.


No, it's just base64-encoded UTF-8 text, which his mail reader decoded and displayed as the subject he posted. The body of the message is probably also encoded, which is why it didn't look readable when he viewed the source.
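
What the mail reader did with that Subject line, as an added example that is not part of the original post: Python's standard `email` package decodes the encoded Subject from the posted headers and a base64 text part. The body text and the boundary `b1` are constructed for illustration, since the thread never shows the message body.

```python
import base64
from email import message_from_string, policy

# Constructed sample. Only the Subject value comes from the headers posted in
# this thread; the body text and the boundary are made up for illustration.
BODY_TEXT = "Constructed body text for illustration."
RAW = (
    "Subject: =?utf-8?B?SW1wb3J0YW50IC0gQWN0aW9uIFJlcXVpcmVkIHRvIE1haW50YWluIFNlY3VyaXR5IFN1aXRlIEJlbmVmaXQ=?=\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.b64encode(BODY_TEXT.encode("utf-8")).decode("ascii") + "\n"
    "--b1--\n"
)

def inspect_message(raw):
    """Decode the Subject and list every leaf MIME part without rendering it."""
    msg = message_from_string(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        is_text = part.get_content_maintype() == "text"
        parts.append({
            "type": part.get_content_type(),
            "transfer_encoding": str(part.get("Content-Transfer-Encoding", "7bit")),
            "filename": part.get_filename(),  # None when the part is not an attachment
            # Only text parts are decoded to a string; anything else is left alone.
            "text": part.get_content() if is_text else None,
        })
    # policy.default decodes RFC 2047 encoded-words (=?charset?B?...?=) on access.
    return str(msg["Subject"]), parts

if __name__ == "__main__":
    subject, parts = inspect_message(RAW)
    print("Subject:", subject)
    for p in parts:
        print(p)
```

The `=?utf-8?B?...?=` wrapper names the character set and the `B` (base64) encoding, so the unreadable string in the message source is ordinary text once decoded.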

 

Security Expert
CWH803
Posts: 5,341
Registered: ‎09-25-2003

Re: Legitimate? : Comcast Online communication: Action required to maintain security benefit

Barmar,  Thanx for encoding explanation.

 

From the Headers posted above in the "McAfee->Norton" message does that message appear to actually be from Comcast as it seems to me to be?


Mac Expert
Joel
Posts: 5,829
Registered: ‎12-01-2003

Re: Legitimate? : Comcast Online communication: Action required to maintain security benefit

It appears to be legit, yes.
Email Expert
Posts: 18,241
Registered: ‎04-27-2004

Re: Legitimate? : Comcast Online communication: Action required to maintain security benefit

The originating Received line says:

 

Received: from PACDCMSSAPP02 ([68.87.97.254])
    by omta02-mdp.westchester.pa.bo.comcast.net with bizsmtp

    id ikdU1d0025VJHpw06ke5Z7; Tue, 16 Feb 2010 20:38:05 +0000

 

68.87.97.254 appears to be in Comcast's Philly datacenter, which suggests it's really from Comcast.

Visitor
Posts: 4
Registered: ‎12-31-2006

Re: Legitimate? : Comcast Online communication: Action required to maintain security benefit

I agree it looks legitimate based on the header, but can't a header be spoofed?

 

<rant on>

I would MUCH rather Comcast sent me an UNENCODED email and directed me to a Comcast website (and no, I would not click a link if that were embedded in the email without inspecting it first).

 

If this was a legitimate email, shame on comcast. So far 3 or 4 different service reps have had this brought to their attention, and none was aware of the email or could verify it. If it had just been sent without the encoding I could/would have opened it and at least found out what it is for. 

 

One of the first security  rules I learned was to be suspicious of unexpected email ... and this one sure looked suspicious.

< rant off>

 

Mac Expert
Joel
Posts: 5,829
Registered: ‎12-01-2003

Re: Legitimate? : Comcast Online communication: Action required to maintain security benefit

I think you're misunderstanding the meaning of the word "encoding". All data in this part of the world uses primarily 2 types of character encoding: UTF-8 or "Unicode", or ISO-8859-1 or "Western". Basically, when this information is contained in the header of a webpage, text document, email, etc. it tells the program displaying the text how to display each character. When conflicts arise, that is when you see strange characters or symbols, usually in place of punctuation marks or other characters. Unicode is more widely used these days because of its support for international languages and the fonts necessary to render them. Older operating systems, browsers, and email programs lacked support for Unicode; in these cases they will fall back on Western but may not render content properly.
Security Expert
CWH803
Posts: 5,341
Registered: ‎09-25-2003

Re: Legitimate? : Comcast Online communication: Action required to maintain security benefit

"In the second half of 2009, the number of spam messages sent per day skyrocketed from 600 million to three billion, according to new research." 

 

Don't click on any link in an e-mail message you didn't expect or can't vet. Unless, of course, you have subscribed to e-mail notices from Comcast.

 

"Malicious spam--messages that carry some sort of malware or a pointer to a malicious site--was a huge problem in the last six months of 2009.  The major botnets were the main culprits, using the millions of compromised machines as spam-spewing zombies."

 

Don't click on any link in an e-mail message you didn't expect or can't vet. Unless, of course, you have subscribed to e-mail notices from Comcast.

 

Text in quotes is from:  February 16, 2010, 10:22AM
Malicious Spam Jumps to 3 Billion Messages Per Day by Dennis Fisher

Copyright © 2010 threatpost.com  Kaspersky Lab’s Security News Service

 

And of course, I don't have to tell you, Don't click on any link in an e-mail message you didn't expect or can't vet. 


Email Expert
Posts: 18,241
Registered: ‎04-27-2004

Re: Legitimate? : Comcast Online communication: Action required to maintain security benefit

Some headers can be spoofed, some can't.  The Received header inserted by your own SMTP server can't be spoofed. And if you trust the server that it received from, you can believe the Received header that it added. This chain of trust continues until you get to a server that you don't know the reliability of.

 

In the case of this email, the entire chain of servers belong to Comcast, so the originating IP can be trusted. 
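
The chain-of-trust walk described above, as an added example that is not part of the original post, run over the Received lines posted earlier in the thread. `TRUSTED_RELAYS` (the three 76.96.x.x relay addresses from those lines, assumed here to be servers the reader already trusts) and the second sample `FORGED` are constructed assumptions.

```python
import re

# "from <name> ... (<ip>)" or "([<ip>])": the name is what the sender claimed,
# the IP is what the receiving server actually saw on the connection.
HOP = re.compile(r"from\s+(\S+).*?\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)", re.S)

# Assumption: relay addresses the reader already trusts (taken from the posted headers).
TRUSTED_RELAYS = {"76.96.59.218", "76.96.68.102", "76.96.53.12"}

# Received lines from the headers posted in this thread, newest first.
POSTED = [
    "from imta33.westchester.pa.mail.comcast.net (LHLO imta33.westchester.pa.mail.comcast.net) "
    "(76.96.59.218) by sz0072.wc.mail.comcast.net with LMTP",
    "from qmta02-mdp.westchester.pa.bo.comcast.net ([76.96.68.102]) "
    "by imta33.westchester.pa.mail.comcast.net with comcast",
    "from omta02-mdp.westchester.pa.bo.comcast.net ([76.96.53.12]) "
    "by qmta02-mdp.westchester.pa.bo.comcast.net with comcast",
    "from PACDCMSSAPP02 ([68.87.97.254]) "
    "by omta02-mdp.westchester.pa.bo.comcast.net with bizsmtp",
]

# Constructed counter-example: the mail really arrives from an outside host
# (documentation address 203.0.113.7), and the older line is text supplied by
# the sender that imitates an internal hop.
FORGED = [
    "from mail.example.net ([203.0.113.7]) by sz0072.wc.mail.comcast.net with ESMTP",
    POSTED[3],
]

def trusted_origin(received, trusted_relays):
    """Return (believed_hops, claimed_name, ip) for the oldest believable hop.

    The newest line was written by our own server, so it is always believed.
    An older line is believed only if the line above it shows the mail came
    from a trusted relay, because that relay is the one that wrote it.
    """
    origin, believed = None, 0
    for line in received:
        m = HOP.search(line)
        if not m:
            break  # unparseable line: stop rather than guess
        name, ip = m.groups()
        believed += 1
        origin = (believed, name, ip)
        if ip not in trusted_relays:
            break  # handed over by an unknown host; anything older is unverified
    return origin
```

On the posted headers all four lines are believed and the origin is 68.87.97.254; on the forged sample the walk stops at the first line and reports 203.0.113.7, ignoring the imitation hop beneath it.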

Visitor
Posts: 4
Registered: ‎12-31-2006

Re: Legitimate? : Comcast Online communication: Action required to maintain security benefit

Thank you barmar, that helps.

 

If I may take advantage of your knowledge a bit more, can you comment on what I currently do when looking at a suspicious email?   Is this effective & safe, or am I wasting my time, and is there a better way?

 

Currently I use Outlook Express, and have set to read messages in text, not html.

If there is an email that looks suspicious but which also looks important, then I don't open it, instead I right-click it, open properties -> details, look at the headers, and if they look reasonable then I click on the 'Message Source'

Most of the time the source is encoded in something that has a lot of human readable content, and I decide from there whether to 'really' open the email.

 

 

Email Expert
Posts: 18,241
Registered: ‎04-27-2004

Re: Legitimate? : Comcast Online communication: Action required to maintain security benefit

Your practices are quite prudent.

 

As we've seen, it can sometimes take quite a bit of experience to tell when something that looks hinky is actually safe, and you should probably assume the worst. If you're unsure, post here and we can help. 

Visitor
Posts: 1
Registered: ‎02-24-2010

Re: Legitimate? : Comcast Online communication: Action required to maintain security benefit

I got this, too, or something very much like it.  Shame on Comcast for sending this out (if it is real--I'll send a copy to Comcast George for verification)!  I did the live chat thing and was told that, yes, we're switching, leaving me to believe I can just click on the link. Their support people should know better than to give an answer like this.  This is a classic phishing set-up.  Any provider should be telling their customers not to click on a link in an unsolicited e-mail!  Instead, Comcast is training their customers that it is OK to do so by sending this nonsense to them and expecting them to just click on the link...  I know how this stuff happens in a big company--marketing can be clueless on technical issues, and nothing is reviewed for security before it's sent out.  The way to cure it is for Comcast George to talk to some of the heavy hitters in the security dept., and ask them to please find the people responsible for sending this out and teach them what the word phish means and tell them to NEVER DO IT AGAIN!

 

OK, I just reread the last paragraph, toned it down a bit, and tried to make it a bit more constructive.  But I'm leaving the gist of it in because Comcast deserves to be chastised over this one.

Security Expert
LoPhatPhuud
Posts: 2,805
Registered: ‎11-01-2005

Re: Legitimate? : Comcast Online communication: Action required to maintain security