Dealing with spam in RT queues

Has anyone developed something to deal with the volume of spam that makes it
into RT queues? We have a system that keeps spam /out/ of the RT queues,
but we can’t apply it to abuse@. I’m looking for a way to report the
message as spam easily.

> Has anyone developed something to deal with the volume of spam that makes it
> into RT queues? We have a system that keeps spam /out/ of the RT queues,
> but we can’t apply it to abuse@. I’m looking for a way to report the
> message as spam easily.

We use ASK (http://www.paganini.net/ask/) in front of our abuse queue.

Spam complaints from real people get through and we have whitelisted spam
reporting services like Spamcop. Actual spam from spammers never makes it
through since they never answer the confirmation. It has been very
effective.

- Bill

<=> ASK and you shall receive <=>

Thus spake bill@daze.net (bill@daze.net) [24/10/03 00:15]:

> > Has anyone developed something to deal with the volume of spam that makes it
> > into RT queues? We have a system that keeps spam /out/ of the RT queues,
> > but we can’t apply it to abuse@. I’m looking for a way to report the
> > message as spam easily.
>
> We use ASK (http://www.paganini.net/ask/) in front of our abuse queue.
>
> Spam complaints from real people get through and we have whitelisted spam
> reporting services like Spamcop. Actual spam from spammers never makes it
> through since they never answer the confirmation. It has been very
> effective.

I can’t filter our abuse queue – we get far too many automated complaints
that don’t have a valid return address (or at least, nobody ever responds to
messages sent to the return address). We have our own custom spam filtering
system on every other queue, but it breaks the Abuse queue.

> I can’t filter our abuse queue – we get far too many automated complaints
> that don’t have a valid return address (or at least, nobody ever responds to
> messages sent to the return address). We have our own custom spam filtering
> system on every other queue, but it breaks the Abuse queue.

I’m curious. What kind of automated complaints do you receive? How do
you respond to the person complaining?

I’m guessing the automated complaints are perhaps like those received from
SpamCop and other services. We have whitelisted known services like
SpamCop so they are “pre-approved/pre-confirmed”. If we notice a new
service in our weekly unconfirmed queue report, we whitelist them and
release the complaint from the queue. This happens very rarely.

Our stats show that 95% of the mail to our abuse@ address is spam. 4% is
generated by SpamCop’s parser thinking our mail server originated mail
received by our customers and 1% is legitimate spam complaints from
individual users or reporting services. Luckily our customers hardly ever
spam.

Regards,
Bill

<=> ASK and you shall receive <=>

Thus spake bill@daze.net (bill@daze.net) [24/10/03 17:25]:

> > I can’t filter our abuse queue – we get far too many automated complaints
> > that don’t have a valid return address (or at least, nobody ever responds to
> > messages sent to the return address). We have our own custom spam filtering
> > system on every other queue, but it breaks the Abuse queue.
>
> I’m curious. What kind of automated complaints do you receive? How do
> you respond to the person complaining?

Spamcop and myNetWatchman are by far the two most popular. Then there’s
things like EarlyBird and its ilk, and finally there’s a number of people
who have home-brewed systems. The requestor address is something like
‘noc+38267.23827.392@’, or ‘bob+372237jasf7jaf@’ or ‘sentex-ip.add.re.ss@’.

What I’m really afraid of is the people who are already irate when they send
us a complaint (albeit generally invalid – things like ‘Why is your router
sending me ICMP_PORT_UNREACH messages? Make it stop or I’m calling the
FBI!’). I don’t want to make them jump through any more hoops than they
absolutely have to, in order to make a complaint.

> I’m guessing the automated complaints are perhaps like those received from
> SpamCop and other services. We have whitelisted known services like
> SpamCop so they are “pre-approved/pre-confirmed”. If we notice a new
> service in our weekly unconfirmed queue report, we whitelist them and
> release the complaint from the queue. This happens very rarely.

For Spamcop and myNetWatchman, yes, it is easy to whitelist. For the rest
of them, it’s not so easy. And with the volume of spam we get into abuse@,
I really don’t want to have to wade through all the spam anyway. The point
of looking for a ‘Report as Spam’-type thingy in RT is to /reduce/ the work
needed to resolve tickets, not increase.

Yes, yes, I know – I should stop whining and write it myself. When I find
the time, that’s what I’ll do. I’m just hoping to avoid a wheel
reinventation.

> Our stats show that 95% of the mail to our abuse@ address is spam. 4% is
> generated by SpamCop’s parser thinking our mail server originated mail
> received by our customers and 1% is legitimate spam complaints from
> individual users or reporting services. Luckily our customers hardly ever
> spam.

We’re looking at something similar – on a given day, I’ve seen anywhere
from 60% to 90% of mail (by volume) sent to our queued addresses is spam,
excluding abuse@. I would say less than 10% of mail sent to abuse@ is
actually valid (i.e. not spam), and the number of actual, valid abuse
complaints is about 70% of that.

And they say that spamming doesn’t cost anyone money.
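
The triage discussed in this thread (whitelisted reporting services pass, unknown senders get a confirmation request, machine-generated requestor addresses are set aside because a challenge would go unanswered) can be sketched as follows. This is an added example, not code from any poster, from RT or from ASK; the whitelist domains, the decision names and the sample messages are constructed assumptions.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Assumption: placeholder domains standing in for whitelisted reporting services.
WHITELIST_DOMAINS = {"reports.spamservice.example", "watch.example"}

# Local parts that look machine-generated: a "+tag" carrying digits, or an
# embedded dotted-quad IP address, like the requestor addresses quoted above.
PLUS_TAG = re.compile(r"^[^+]+\+(?=.*\d)[A-Za-z0-9._-]+$")
IP_IN_LOCAL = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def triage(raw_message):
    """Return (decision, sender_domain) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    if not local or not domain:
        return "hold", ""  # no usable sender: keep it out of the queue
    if domain in WHITELIST_DOMAINS:
        return "accept", domain  # pre-confirmed reporting service
    if PLUS_TAG.match(local) or IP_IN_LOCAL.search(local):
        return "review", domain  # likely automated; nobody would answer a challenge
    return "challenge", domain  # unknown sender: send a confirmation request


def unconfirmed_report(raw_messages):
    """Count non-accepted messages per sender domain, most frequent first,
    so a new reporting service stands out and can be whitelisted."""
    counts = Counter()
    for raw in raw_messages:
        decision, domain = triage(raw)
        if decision != "accept":
            counts[domain or "(no sender)"] += 1
    return counts.most_common()


# Constructed sample messages (not real traffic).
SAMPLES = [
    "From: Reporter <auto@reports.spamservice.example>\nSubject: report\n\nbody\n",
    "From: noc+38267.23827.392@isp-a.example\nSubject: abuse\n\nbody\n",
    "From: abuse-192.0.2.10@isp-b.example\nSubject: abuse\n\nbody\n",
    "From: Jane <jane@home.example>\nSubject: your router\n\nbody\n",
    "From: bob+372237jasf7jaf@isp-a.example\nSubject: abuse\n\nbody\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
    print(unconfirmed_report(SAMPLES))
```

The From header is trivially forged, so a domain whitelist like this only decides who skips the confirmation step; it is not evidence that a complaint is genuine.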