Limiting SPAM into rt2 system

Hi,

This is more of a general implementation question, but I am looking to
upgrade out current bug-tracking system from RT1 and req, to a integrated
RT2 system, using PostgreSQL as a database backend.

One question I do have, one requirement that we do have is that we accept
bug reports via email. While this makes it easier (we think), it opens us
up to spam… large amounts of spam… REALLY large amounts of spam on a
daily basis (as these bugs aliases are very well known in the Internet
community, we are on every known spammers list). We even have the
occasional mail-loop to provide fun for one and all.

Are there ways in the mail gateway abilities in RT2 to prevent this?
Something like a cookie-based system, where you have to confirm your bug
submission before it gets entered into the db? Or are their other ways
other RT admins have dealt with this issue?

Thanks for your input… :slight_smile:

-Peter
Peter_Losher@isc.org - Internet Software Consortium - http://www.isc.org/

Personally, I’d recommend using a system like the RBL to limit the spam
getting into your systems. I suspect that the ISC can probably negotiate a
discounted RBL contract :wink:

-jOn Mon, Dec 03, 2001 at 11:59:14AM -0800, Peter Losher wrote:

Hi,

This is more of a general implementation question, but I am looking to
upgrade out current bug-tracking system from RT1 and req, to a integrated
RT2 system, using PostgreSQL as a database backend.

One question I do have, one requirement that we do have is that we accept
bug reports via email. While this makes it easier (we think), it opens us
up to spam… large amounts of spam… REALLY large amounts of spam on a
daily basis (as these bugs aliases are very well known in the Internet
community, we are on every known spammers list). We even have the
occasional mail-loop to provide fun for one and all.

Are there ways in the mail gateway abilities in RT2 to prevent this?
Something like a cookie-based system, where you have to confirm your bug
submission before it gets entered into the db? Or are their other ways
other RT admins have dealt with this issue?

Thanks for your input… :slight_smile:

-Peter

Peter_Losher@isc.org - Internet Software Consortium - http://www.isc.org/


rt-users mailing list
rt-users@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users

http://www.bestpractical.com/products/rt – Trouble Ticketing. Free.

Personally, I’d recommend using a system like the RBL to limit the spam
getting into your systems. I suspect that the ISC can probably negotiate a
discounted RBL contract :wink:

We already do use the RBL, and have for a long time :wink: While it does a
good job in a lot of respects, a lot of spam still gets through. (A lot
of it new spam that hasn’t yet been added to the RBL database). Then
there are the broken MTA’s/autoresponders that make my life… er um.
interesting. (looping mail, oh fun)

-Peter
Peter_Losher@isc.org - Internet Software Consortium - http://www.isc.org/

Yeah, I second that. I’m using procmail to filter out emails and the hand
off the the real RT address.

Personally, I’d recommend using a system like the RBL to limit the spam
getting into your systems. I suspect that the ISC can probably
negotiate a

One question I do have, one requirement that we do have is that we accept
bug reports via email. While this makes it easier (we think), it opens us
up to spam… large amounts of spam… REALLY large amounts of spam on a
daily basis (as these bugs aliases are very well known in the Internet
community, we are on every known spammers list). We even have the
occasional mail-loop to provide fun for one and all.

I’ll raise you one. We get people whinging about spam mail that they’ve
received, in addition to receiving the sodding crap. And they’re not very
polite about it either.

Are there ways in the mail gateway abilities in RT2 to prevent this?
Something like a cookie-based system, where you have to confirm your bug
submission before it gets entered into the db? Or are their other ways
other RT admins have dealt with this issue?

On a slightly serious note, maybe a ‘white’ listing approach would work,
similar to the spamcop once-off of:

Your address is not recognised.  Please confirm it by replying to
this message, then we'll process your mail/bug report.

Elsethread, someone mentioned procmail… looking at the procmailex man
page, this seems trivial to implement… Actually, I’ve spent 10 minutes
or so and the below is the (untested) result - if it doesn’t make sense,
read the procmail man pages before asking :wink:

Have fun.

– Main rt procmail protection
:0 :sender.chk
* !^FROM_MAILER
* !^X-Loop:.*RT
* ^TO_rt_address
{
:0 Whc: sender.chk
| formail -rD 81920 sender.cache

  # If the address wasn't in the cache.
  :0 e
  {
	# Get a random identifier.  1 line
	THISID="`perl -e '$frflag=0;while(<>)next

if($frflag>0);next
unless(m/^From\s(\S+)\s\s\S+/);$add=$1;$frflag=1;$crstr=rand(8192) . $add
. rand(16234);$lprt=crypt( $add, “rt”);print “$lprt\n”;}’`"

	# Send back the identifier.
	:0 hc
	| (formail -r -I"Precedence: junk"\
		-A"X-Loop: RT-auth-loop" \
		-I"From: rt-auth@your-domain" \
		; \
		cat std_auth_self_template | \
		sed -e "s/IDENTIFIER/$THISID/g" ) | \
		$SENDMAIL -t

	# Save the message in a spot indicated by the identifier.
	# perl 'crypt' function should be pathname safe.
	:0
	maildir/$THISID
  }

  # Address was in the cache - Send it on to RT.
  :0Whc: fastloop.chk
  | formail -rD 128 fastloop.cache

  # Address wasn't in the small fast-loop cache
  :0e
  | rt-mailgate

  # Address was in the fast loop cache.  Don't send an auto-ack
  # in case this is a fast loop.  Downside is that if this is a
  # slow ticket queue, multiple issues from one person will not be
  # acked until someone else emails the ticketing system.  You
  # could put a crontab to delete the fastloop.cache file every
  # 30 minutes I guess.
  :0
  | rt-mailgate -no-auto-ack-whats-the-flag-for-this?
}

# Deal with mails from mailer daemons and possible loops
:0
* ^TO_rt
| rt-mailgate -no-auto-ack-whats-the-flag-for-this?

# Mails not to RT, but received
:0
! human_person

— std_auth_self_template

Hi there,

Thankyou for emailing Example.Com, the organisation proudly used
for examples the world over.  Our Marketing people insist that we
plug our website, at http://www.example.com/ .

So that we can serve *you* better, (and so we're not wasting our
time by dealing with spam mail), we'd like to ask you to do
something special for us.  We have put your original message to
one side, where it will be kept nice and secure until we've got
this trifling administrative detail out of the way, or a week
passes.

Please verify that you are a human, and not some annoying spam
mail, by replying to this message, making sure that you include
the line below.

	Random-Auth-ID: IDENTIFIER

Please send your reply to 'rt-auth@example.com'.  Once we receive
this, we will send your original message onwards to our shiney
tracking system, where we'll keep your original date and time of
sending.

If you need to interact with us (and we hope you do) beyond the
items outlined in your message, we will recognise your address the
next time, and not ask you to prove your existence again.

Yours in hopeful existence-certainty:

	Example.Com
	Proud Makers of Example Texts Everywhere.

—RT-auth procmail snippet

# Find the identifier in the mail - 13 chars is what crypt
# returns?  Note we don't bind to the start of the line, as
# too many people misunderstand forward (^), reply (^>\s+) or
# other requests.  As long as its in the body, as-is, its fine.

FOUNDID="`perl -e '$found=0;while(<>){next if( $found >

0);next unless(m/Random-Auth-ID:\s*(\S{13,13})\s*/i;$lprt=$1;if(
$lprt =~ /^[A-Za-z0-9]+$/){$found=1;print “$lprt\n”;}}’"

# See if its there.
:0
* ? test -f mail/$FOUNDID
{
  # The file exists.  Send this file on.
  :0
  * ? cat mail/$FOUNDID | formail -s $SENDMAIL -t
  * ? rm mail/$FOUNDID
  | ( formail -r -I"Precedence: junk" \
	-I"X-Loop: RT-auth@your.domain" \
	; \
	cat std_auth_ack ) | $SENDMAIL -t

  # Some error occured.  Bounce to a person.
  :0
  ! human_person
}

# They had no identifier there.
:0 Whc
| ( formail -r -I"Precedence: junk" \
	-I"X-Loop: RT-auth@your.domain" \
	; \
	cat std_no_auth_found ) | $SENDMAIL -t

# Bounce it to a human just in case.
:0
! human_person

— Cronscript to clean up old auth files - your xargs may not support
this flag.

Find files older than 7 days.

5 */8 * * * find mail -mtime +7 -print | xargs --no-run-if-empty rm

— Are you still reading this far?

                         Bruce Campbell                            RIPE
                                                                    NCC
                                                             Operations

We already do use the RBL, and have for a long time :wink: While it does
a
good job in a lot of respects, a lot of spam still gets through.

Well, the other day I got the message below. It’s from a system whereby
you have to reply once to be added to the accepted addresses list. When
you answer, the mail is delivered, and your address is kept and you
won’t be asked to confirm again. Otherwise the mail is not delivered.

[ This notice was generated by TMDA v0.41 http://tmda.sf.net/,
an automated junk-mail reduction system. ]

The homepage is actually:

http://software.libertine.org/tmda/

Would that kind of thing be an option?

Marcus

It occurs to me that perhaps adding some kind of RBL support into RT
itself such that there was no need to depend on the MTA for spam
filtering could be a useful thing?

R.

I believe pretty firmly that something like that should be in a filter
in front of RT, either in your MTA or in procmail. Though, as always, good
code or good money are really good at influencing me :wink:

-jOn Mon, Dec 03, 2001 at 06:32:59PM -0500, Richard Soderberg wrote:

It occurs to me that perhaps adding some kind of RBL support into RT
itself such that there was no need to depend on the MTA for spam
filtering could be a useful thing?

R.


rt-users mailing list
rt-users@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users

http://www.bestpractical.com/products/rt – Trouble Ticketing. Free.

Has anyone looked into implementing spambouncer
(http://www.spambouncer.org/) in front of RT?

At 12:34 PM 12/3/2001 -0800, you wrote:

We already do use the RBL, and have for a long time :wink: While it does a
good job in a lot of respects, a lot of spam still gets through. (A lot
of it new spam that hasn’t yet been added to the RBL database). Then
there are the broken MTA’s/autoresponders that make my life… er um.
interesting. (looping mail, oh fun)

“The power to untie is stronger than the power to tie.”

Well, yeah, otherwise my shoes would tie themselves.

Russ Johnson
Stargate Online

http://www.dimstar.net
telnet://telnet.dimstar.net
ICQ: 3739685

This suggestion will obviously not be applicable to all (many?)
situations, but if you have your users’ information be available in an
external datasource such as LDAP, you can simply define the
$LookupSenderInExternalDatabase and $SenderMustExistInExternalDatabase
options in config.pm. This setting ensures that only tickets are created
for known (to your external datasource) users. Otherwise, the incoming
request will bounce with the AutoRejectRequest template, if defined, or a
generic response.

Regards,
Christian

Christian Gilmore
Team Lead
Web Infrastructure & Tools
IBM Software Group

Are there ways in the mail gateway abilities in RT2 to prevent this?

I second the TDMA approach which we will be testing RSN, it’s essentially a
"double opt-in" technique. Bug submitters would get a "please confirm"
message.

TDMA would be downstream of the usual restrictions in, say, postfix.
postfix would scrub 90% of the crap with RBL, DNS validations, protocol
enforcement (no SMTP command pipelining, ehlo required). Whatever gets
through that obtacle course, still has to be TDMA’d.

That approach really ought reduce the spam, imo. And since there aren’t
100’s or 1000’s of you ISC people to teach how to use it …

Len

http://MenAndMice.com/DNS-training
http://BIND8NT.MEIway.com : ISC BIND 8.2.4 for NT4 & W2K
http://IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways