(You got other good advice; I'll try to avoid being redundant.) This looks like it really came from comcast's servers, but it's hard to read headers that have been miswrapped.
I tend to tweak up scores of rules that fire on spam that slips through, and tweak down scores of rules that misfire on ham. I would recommend running spamassassin -t on this to see what points are from what rules; the passing score doesn't show this but if you use -t you'll see it all at the end. RCVD_IN_DNSWL_HI really seems strange. Perhaps comcast has separate IP blocks for mail from them, and mail from customers (verizon for example, back when they did customer mail, had verizon.com and verizon.net, which I suspect had separate MTAs). I really don't understand DNSWL listing criteria for HI, but to me that should indicate that there is a vanishingly small chance of spam, and that more or less means only company-originated mail, and definitely not mail sent by random customers some of whom might have compromised accounts. So I would look to moderate the negative score from DNSWL_HIGH, as you have a counterexample to the ham-only theory.