Contributor (127 Messages)
More Dangerous Spam to In-Box
This is the email that we received yesterday from "Comcast" to our _inbox_!
How is it POSSIBLE for the Comcast spam filters to allow this through to customers' inboxes?
You could train a reasonably smart elementary school student to identify this BLATANT -- and dangerous -- spam.
Dangerous because they want you to click on "Verify Here" so they can install malware on your computer.
Consider the following:
1. Comcast does not send email to customers from a gmail address!
2. Comcast does not send email to customers with a To field of "undisclosed-recipients".
3. Comcast does not send email to customers with your email address in the BCC field.
4. Comcast does not send email to customers asking you to verify your account at that zohopublic website.
Still, statistically speaking, there are those who will be fooled by this dangerous spam, e.g., the elderly, the non-computer savvy, etc.
They deserve better support from Comcast. Especially for the money they are paying.
---------------
Subject: We have a new update ✅
From: Management <dara allen 101 @ gmail . com>
Date: 3/15/2021 1:31 PM
To: undisclosed-recipients:;
Blind copy: [our comcast email address]
[image: xfinity]
We are rolling over today!!!
Dear User,
The Classic version of Comcast Email will be replaced by our new version. So it's time to verify before you lose your email access.
Verify Here <https:// survey . zohopublic . com /zs/agCNqe>
Thank you for being a valued Comcast User
XFlNlTY
THIS IS A SERVICE-RELATED EMAIL
Comcast will occasionally send you service-related emails to inform you of service upgrades or new benefits.
All trademarks are the property of their respective owners.
Comcast Cable, One Comcast Center
1701 JFK Boulevard, Philadelphia, PA 19103
Attn: Email Communications PLEASE READ:We have a new update ✅
pmell20, Contributor (61 Messages), 4 years ago
I also received this email, and it looks pretty phony. Glad I was smart enough to delete it.
flatlander3, Problem Solver (1.5K Messages), 4 years ago
"How is it POSSIBLE for the Comcast spam filters to allow this through to customers' inbox"
Easily, actually. What you didn't post is the email header that would show where it came from. It may be from someone spoofing the source, or it may not have been. Depending on how draconian their servers are set up, that may or may not have rejected it outright.
I wouldn't judge too hastily on this one.
If it is actually a gmail account from their network, it would look legit with a DKIM signature. DNS checks would work. And you can create a list and send to xfinity email addresses using BCCs for group lists. It's a feature actually listed on gmail. Pretty easy to automatically create drop burner gmail accounts and move on when burned. The email's X-SPAM score keywords wouldn't even register very high with Bayesian predictive spam filters. Spammers do that on purpose.
Your only real giveaway with this spam is the obvious hyperlink, but you could have missed that had they done something like <a href="http://evil_domain.com">Comcast We're the Good Guys</a> to cover the goofy random-looking link.
But by far the best phishing hostile and dangerous emails? Hyperlinks embedded in images. If you check your email in a web browser, you may even accidentally click on them. Email clients with preview panes may open them without any user intervention at all -- if you've allowed the client to download images.
Careful out there in the weberverse. NEVER RESPOND to BANKING or FINANCIAL EMAIL of ANY KIND. Do Not Use Phone Numbers In Emails. You won't be talking to who you think you are.
401, Contributor (127 Messages), 4 years ago
pmell20 wrote:
> I also received this email, and it looks pretty phony.
> Glad I was smart enough to delete it.
[The below is in case you had the <sarcasm> element on.]
I'll bet you are. Out of character.
A careful reading of my post shows that my concern is for those who would be fooled by it. I mentioned the elderly and non-computer savvy. The U.S. has 330 million people. One percent would be more than three million. And they get little to no help from Comcast.
401, Contributor (127 Messages), 4 years ago
flatlander3 wrote:
> What you didn't post is the email header that would show where it came from.
Return-Path: < daraallen 101 @ gmail . com >
Delivered-To: [our comcast email address]
Received: from dovdir4-hob-06o.email.comcast.net ([96.114.154.151])
by dovback4-hob-23o.email.comcast.net with LMTP
id GHLIDBTET2DcbgAAGmw+kw
(envelope-from <same gmail address as above>)
for <[our comcast email address]>; Mon, 15 Mar 2021 20:31:16 +0000
Received: from dovpxy-hoa-02o.email.comcast.net([96.114.154.151])
by dovdir4-hob-06o.email.comcast.net with LMTP
id YGFDChTET2DBCgAA4xkQgg
(envelope-from <same gmail address as above>)
for <[our comcast email address]>; Mon, 15 Mar 2021 20:31:16 +0000
Received: from resimta-po-02v.sys.comcast.net([96.114.154.151])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
by dovpxy-hoa-02o.email.comcast.net with LMTPS
id cGBEBBTET2BwOAAA9Bdy1A
(envelope-from <same gmail address as above>)
for <[our comcast email address]>; Mon, 15 Mar 2021 20:31:16 +0000
Received: from mail-io1-xd2f.google.com ([IPv6:2607:f8b0:4864:20::d2f])
by resimta-po-02v.sys.comcast.net with ESMTP
id LtrklHlGcFvcZLtrvlcRiQ; Mon, 15 Mar 2021 20:31:15 +0000
X-CAA-SPAM: F00000 <--- it's marked as not spam
X-Xfinity-VAAS: blah blah blah
X-Xfinity-VMeta: sc=40.00;st=legit
X-Xfinity-Message-Heuristics: IPv6:Y;TLS=1;SPF=1;DMARC=P
X-Comcast-SMTP-Spoor: http://gmail.com http://mail-io1-xd2f.google.com
Authentication-Results: resimta-po-02v.sys.comcast.net;
dkim=pass header.d=gmail.com header.b=rS3Kd2K+
Received: by mail-io1-xd2f.google.com with SMTP id n14so34869285iog.3
for <[our comcast email address]>; Mon, 15 Mar 2021 13:31:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20161025;
h=mime-version:from:date:message-id:subject:to;
bh=NRTBgtVLe6rFaCJCVHHXKjFLsUztRrN0ynDmD7KGp/Q=;
b=rS3Kd2K blah blah blah
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
bh=NRTBgtVLe6rFaCJCVHHXKjFLsUztRrN0ynDmD7KGp/Q=;
blah blah blah
X-Gm-Message-State: AOAM530sdyNdlPrlYlsCOn5MWvBsboBHLriWVkmZAugoM895fjzycA9a
5cBRA9TvKnMYrae9O3WKky/+GdKSHUguf3Ze4rc=
X-Google-Smtp-Source: ABdhPJxYc0XMYG5DcLvx+RvDArCR0ifIl17vJfPwp5pagudS9neTvFI9u3OuZfKPa3bf7dsBKBFCJ8lCR8Tm0uzyiTQ=
X-Received: by 2002:a5d:9917:: with SMTP id x23mr1021099iol.22.1615840264052;
Mon, 15 Mar 2021 13:31:04 -0700 (PDT)
MIME-Version: 1.0
From: Management <same gmail address as above>
Date: Mon, 15 Mar 2021 13:30:54 -0700
Message-ID: <CAGvcQXEdr7_BtjaOnV-y-cDKrC6c_4sPjGmRTkJm5igAh9jgdA@mail.gmail.com>
Subject: =?UTF-8?Q?We_have_a_new_update_=E2=9C=85?=
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary="000000000000f3e65405bd992020"
Bcc: [our comcast email address]
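The headers above show why a `dkim=pass` from gmail.com tells the filter nothing about whether "Comcast" sent the mail. As an added example (not code from this thread or from Comcast), the script below applies the four giveaways from the opening post to a constructed message modelled on those headers: the body claims a brand the From and DKIM domains do not belong to, To is undisclosed-recipients, the recipient appears only in Bcc, and the link points outside the brand's domains. The sender, recipient, and link path are placeholders.

```python
import re
from email import utils, message_from_string

# Constructed sample modelled on the headers quoted in this thread (placeholder
# sender and recipient, truncated signature, single-part body); not the original.
SAMPLE = """\
Received: from mail-io1-xd2f.google.com ([IPv6:2607:f8b0:4864:20::d2f])
 by resimta-po-02v.sys.comcast.net with ESMTP; Mon, 15 Mar 2021 20:31:15 +0000
Authentication-Results: resimta-po-02v.sys.comcast.net;
 dkim=pass header.d=gmail.com header.b=rS3Kd2K+
From: Management <attacker-placeholder@gmail.com>
To: undisclosed-recipients:;
Bcc: customer-placeholder@comcast.net
Content-Type: text/plain

Dear User,
The Classic version of Comcast Email will be replaced by our new version.
Verify Here <https://survey.zohopublic.com/PLACEHOLDER>
"""

BRAND_DOMAINS = {"comcast.net", "comcast.com", "xfinity.com"}
BRAND_RE = re.compile(r"\b(comcast|xfinity)\b", re.I)
URL_RE = re.compile(r"https?://([^/\s>]+)", re.I)

def domain_of(addr):
    # Lower-cased domain of an RFC 5322 address, or '' if there is none.
    _, a = utils.parseaddr(addr or "")
    return a.rsplit("@", 1)[-1].lower() if "@" in a else ""

def phish_indicators(raw):
    """Return the brand/addressing mismatches a filter could check for."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    found = []
    from_dom = domain_of(msg["From"])
    m = re.search(r"header\.d=([\w.-]+)", msg["Authentication-Results"] or "")
    signer = m.group(1).lower() if m else ""
    # dkim=pass only proves the mail really came from the signing domain; here
    # that domain (gmail.com) is not the brand the body claims to speak for.
    if BRAND_RE.search(body) and from_dom not in BRAND_DOMAINS:
        found.append(f"brand in body but From is {from_dom}, DKIM signer {signer or 'none'}")
    to = (msg["To"] or "").strip()
    if to.lower().startswith("undisclosed-recipients"):
        found.append("To is undisclosed-recipients")
    if msg["Bcc"] and "@" not in to:
        found.append("recipient only in Bcc")
    for host in map(str.lower, URL_RE.findall(body)):
        if not any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS):
            found.append(f"link to non-brand host {host}")
    return found
```

Each finding is a separate signal; a real filter would weight them rather than block on any one, since a legitimate group mailing can also use Bcc.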
flatlander3, Problem Solver (1.5K Messages), 4 years ago
Perhaps you misunderstand, and I was probably less than helpful explaining it. For that I apologize.
The trouble is the spam detection. A human looks at that and says immediately, SCAM!! A machine says: Well... the source is legit (it was in this case), there's a hyperlink... I'll add a naughty point for that, but the formatting doesn't trip anything else. There aren't any bad words, or context phrases I'm looking for. It's a one-off that doesn't match examples in my current database set, or my heuristics algorithm... The message is short. There just isn't much for a filter to work with. I'm going to send it. The machine learning context part -- that's hard. At some point, AI 'should' put it together that gmail doesn't send Xfinity corp email... but nobody has that now. Compounding that is multiplying the problem by tens of millions of times.
Another big problem you see on the boards here a lot, is email getting rejected people actually want. Lists, groups, information people want and have subscribed to, random domains, and even domains they own with good reputations hosted on providers with blocks with good reputations. It's not an easy problem. I have the same problem with hosted domains I own and my own draconian filters rejecting messages, and have seen similar spam as your example from hit and run spammers using compromised and non-compromised sources.
What you can do is help make us all better at filtering it as a community. There is a lot of collaboration on spam out there. When you get these hostile ones on your Comcast account, send it to security as an attachment here: https://internetsecurity.xfinity.com/help/report-abuse Databases of these are extremely useful for dev teams. Also very useful for security teams if they're getting hit with duplicates and if it's something really malicious they want to purge. They also have the corp weight, and the server logs, to make contact with the source.