The Invisible Blacklist, Comcast

When migrating websites to Anchor Hosting it’s somewhat common that I’m also performing malware cleanup. I suppose if your web host doesn’t take responsibility for malware infections then you should take a hint and find a new web host. Did I mention I offer free malware cleanups with web hosting? Well I do 😀.

Recently I dealt with an especially tricky malware situation involving Comcast and blacklists. This is that story.

How blacklists are supposed to work

There are many different security firms that track infected websites. If your website gets infected with malware it’s likely that one or more security firms will flag it in their database as such. This is a good thing as it protects folks from accidentally opening a harmful website. However once a website is clean, we need to notify the appropriate security firms to remove the website from their blacklist.

You can use a tool like VirusTotal to check the status of a website with many popular security firms. Each security firm is independently operated and has to be individually contacted for removal. Most of them have a “False Positives” form and are very responsive. Typically after 2-3 days of submitting forms it’s possible to get a clean VirusTotal scan. Having a clean report gives you a high level of confidence that your website is viewable to anyone who requests it, with one caveat that this story illustrates: VirusTotal only covers the vendors it aggregates, not every blacklist that exists.

VirusTotal report for a clean website

All was good until I ran into a seemingly random DNS issue with certain Comcast customers.

So far my strategy of cleaning up a malware infection and reaching out to various security vendors to remove the site from their blacklists had worked flawlessly. Until Comcast. Recently one of my new customers reported having issues viewing their own website from their office location. I started by reaching out to the 3 or 4 security firms which had it in their blacklist. After a few days everything was reporting clean. However that didn’t resolve the issues the customer was having at their location.

Next I reached out to their IT folks to confirm they were indeed viewing the proper website. Some IT firms pin the IP address of the web server inside their local network (a hosts-file entry or an internal DNS record), which means that after a migration they might still be loading their own website from the old hosting provider, which is likely still infected with malware. However, that wasn’t the case. In fact, the IP address the customer’s network resolved wasn’t going to either the old server or the new one.

At the same time we received reports from various other random visitors with the same issue. All of them were using Comcast as their internet provider. The bizarre thing was that I couldn’t reproduce it at my house or at work, both also on Comcast. I didn’t immediately think it was an issue with the ISP and thought maybe it was some odd internet routing issue. Either way I decided to reach out to Comcast via the customer’s own Comcast Business account for help.
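The diagnostic behind the two paragraphs above is worth making concrete: resolve the domain through several resolvers (the local one and a couple of public ones) and compare each answer against the old and new hosting IPs. An answer that matches neither is the signature of a resolver-level filter or sinkhole, which is exactly what turned up here. The following is an added example, not code from the original post or from Anchor Hosting; the domain and both IP addresses are constructed placeholders, and the script speaks raw DNS over UDP with only the standard library so it does not depend on dig being installed.

```python
"""Compare A-record answers from several DNS resolvers against known hosting IPs.

Added example for this post; the domain, old/new IPs and resolver list below are
assumptions, not values from the original article.
"""
import random
import socket
import struct


def build_query(name: str, qid: int) -> bytes:
    """Build a minimal DNS query packet for an A record (recursion desired)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data: bytes, qid: int) -> list[str]:
    """Extract IPv4 addresses from the answer section; empty list if none (e.g. NXDOMAIN)."""
    rid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("response id does not match query id")
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return sorted(ips)


def query_a(name: str, resolver: str, timeout: float = 3.0) -> list[str]:
    """Send one UDP query to `resolver` and return the A records it answers with."""
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, qid)


def classify(answers: dict[str, list[str]], old_ip: str, new_ip: str) -> dict[str, str]:
    """Label each resolver's answer relative to the old and new hosting IPs."""
    verdicts = {}
    for resolver, ips in answers.items():
        if not ips:
            verdicts[resolver] = "no answer: NXDOMAIN or refused, possible DNS-level block"
        elif set(ips) == {new_ip}:
            verdicts[resolver] = "OK: resolves to the new host"
        elif old_ip in ips:
            verdicts[resolver] = "STALE: still points at the old (possibly infected) host"
        else:
            verdicts[resolver] = ("UNEXPECTED: %s is neither old nor new host, "
                                  "suspect ISP filter or sinkhole" % ",".join(ips))
    return verdicts


if __name__ == "__main__":
    # Live check (needs network): system resolver versus two public resolvers.
    DOMAIN, OLD_IP, NEW_IP = "example.com", "203.0.113.10", "198.51.100.20"  # constructed
    results = {"system": sorted(set(socket.gethostbyname_ex(DOMAIN)[2]))}
    for resolver in ("8.8.8.8", "1.1.1.1"):
        try:
            results[resolver] = query_a(DOMAIN, resolver)
        except (OSError, ValueError):
            results[resolver] = []
    for resolver, verdict in classify(results, OLD_IP, NEW_IP).items():
        print(f"{resolver:>10}: {results[resolver]} -> {verdict}")
```

Run it from the affected network and from an unaffected one; a resolver whose answer is flagged UNEXPECTED (or that returns no answer while public resolvers return the new host) is where the block lives. This only checks DNS, so a block implemented at the HTTP layer would need a separate test with curl against the IP the site is supposed to be on.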

Comcast blacklists are well hidden and difficult to discover.

As soon as I signed into Comcast Business I saw the problem. Comcast’s own security system was blocking all requests to the customer’s own website.

Apparently Comcast has their own blacklist which gets applied but only to certain Comcast customers:

Comcast’s SecurityEdge filtering only appears to apply to customers using a Comcast-supplied modem. That is why everything was working at my home location, where I use a modem I purchased myself. As a workaround I was able to disable SecurityEdge in the Comcast Business portal. Right away this customer was able to access their own website from their office location.

Requesting removal from Comcast’s blacklist

You can request that a website be removed from Comcast’s blacklist here: https://spa.xfinity.com. My first request for removal was followed up with an automated email as shown below. However 3 business days came and went with no change. So I had my colleague also send in a request for removal, along with another attempt from my end.

While waiting for Comcast to remove the site from the blacklist, there doesn’t appear to be any way to check the status of Comcast’s blacklist. Unless you’re a Comcast customer with a Comcast-supplied modem and Comcast security enabled, there is no way to verify whether a domain is being blocked. In effect Comcast is managing an invisible blacklist which doesn’t appear to be tied to any public-facing security firm.

Dear Comcast, please improve your blacklist.

Just as other security firms handle blacklists, Comcast needs to either provide a method for checking a domain’s status or stop maintaining its own blacklist. It’s irresponsible to block domains without a direct way for the owners of the domain to take action and have them removed. The current removal method via spa.xfinity.com is not good enough. Alternatively, Comcast security should hook into a more well-known blacklist, preferably one that is also picked up by VirusTotal.

After many submissions to spa.xfinity.com and many phone calls to Comcast Business support, the domain block magically disappeared. No one from Comcast responded saying it was fixed. The only advice I can give is to keep bugging Comcast until someone fixes the issue. Either way I hope this story helps someone else who is experiencing the same thing with their website.