RT and Spam

Hi,

Have setup RT3.0.2 a while ago and been using it since quite happily
within my own department. We’re now proceeding to roll out usage of the
RT system into other departments with additional queues.

We have a large influx of spam on some of these mail accounts and I
gather we won’t be alone in this.

I wondered if anyone would be willing to detail how they handle spam
with RT mailboxes, either if it's generally considered better for an
external filter or use things like the integrated SpamAssassin hooks.

One issue that is tending to make us think about external is that every
spam that does arrive and get into RT, even if we set to auto delete
will still get put into the database, as I believe RT doesn’t remove
tickets from the DB, just mark them as deleted. This means the spam
still starts to push the size of the database up, which I’d like to
avoid.

Links into the mailing list would also be appreciated if people would
prefer to supply those as I’m guessing I’m repeating an issue here, but
as of yet I’m still trawling through entries to find information.

Best Regards,
Chris Fewtrell
Systems Developer, ClaraNet UK Email: chris@uk.clara.net

rt-users mailing list
rt-users@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users

Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm

I use a postfix MTA which does some RBL checks:
http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

Secondly mail passes Spamd from SpamAssassin. I tag mails in the header
only. Then mail passes procmail, I have some automated systems which
handle certain mails, and I use procmail to fetch them. I also use
procmail to drop mails with a very high spam score, and forward
mails with a low spam score to a mailbox outside RT.

If the mail is not spam, it's created as a ticket in RT.

I also use SA (SpamAssassin's) whitelist quite a lot. E.g. ripe.net mails are
tagged as spam by SA.

/rhb

In our company, we use RT only for our support staff. Thus I set up TMDA
http://tmda.net/, which is a challenge-response system : I set it up a
couple of weeks ago, but for the moment it seems to be efficient. I
configured it in such a way that it asks for confirmation just once, then it
stores the confirmed email address in a database file, and every incoming
email address is compared against this file : if it is already present in
the database file, the email is delivered.

.-. Robert GRASSO - CEDRAT S.A.
/v\ 10, Chemin de Pre Carre - ZIRST - 38246 MEYLAN Cedex - FRANCE
// \ Tel: +33 (0)4 76 90 50 45 Fax: +33 (0)4 76 90 16 09
/( )\ mailto:Robert.Grasso@cedrat.com
^^-^^
UNIX was not designed to stop you from doing stupid things, because
that would also stop you from doing clever things. – Doug Gwyn
Support service : mailto:support@cedrat.com
Commercial service : mailto:cedrat@cedrat.com
Web site : http://www.cedrat.com

This spam config is for Postfix, Procmail, SpamAssassin.

The spamd/spamc is quite easy and straightforward:

Install SpamAssassin, create ruleset. I only use write header,
whitelist, and skip_rbl_checks.
Start spamd.

From master.cf:

smtp inet n - - - - smtpd -o content_filter=filter:
filter unix - n n - - pipe flags=Rq user=safilter argv=/usr/local/bin/sa-check.sh -f ${sender} -- ${recipient}

From /usr/local/bin/sa-check.sh:

#!/bin/sh
/usr/bin/spamc | /usr/sbin/sendmail -i "$@"
exit $?

# Create a user (safilter) with no password, and change permissions of sa-check.sh
# -r-xr-x--- 1 safilter safilter /usr/local/bin/sa-check.sh

From /etc/aliases:

test: "|/usr/bin/procmail -Y /usr/local/etc/RT-test-filter.conf"

RT-test-filter.conf:

QUEUE="test"
EMAIL="usr@host.com"

# Ten or more stars: discard
:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
/dev/null

# Five or more stars: forward to a mailbox outside RT
:0
* ^X-Spam-Level: \*\*\*\*\*
!$EMAIL

# Everything else becomes a ticket
:0
|/usr/local/rt2/bin/rt-mailgate --queue $QUEUE --action correspond

This is just one way to do it.

/rhb
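
The same three-way routing as a stand-alone shell filter, given here as an added example that is not part of the original post: it counts the stars in X-Spam-Level numerically instead of relying on a regex with escaped asterisks. The thresholds 5 and 10 and the default paths mirror the recipes above; the function names, the header-only scan and the highest-count-wins rule are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): route one message by X-Spam-Level,
# mirroring the recipes above: 10+ stars drop, 5+ divert, otherwise RT.

# spam_stars: print the highest star count among X-Spam-Level headers.
# Only the header block (up to the first blank line) is read, so body text
# cannot affect the result; taking the maximum means an extra header with
# fewer stars cannot lower the score. (Both rules are this example's choice.)
spam_stars() {
    awk '
        /^\r?$/ { exit }                      # blank line ends the headers
        tolower($0) ~ /^x-spam-level:/ {
            n = gsub(/\*/, "")                # number of literal asterisks
            if (n > max) max = n
        }
        END { print max + 0 }
    '
}

# route_message LOW HIGH: read a message on stdin, print drop|divert|ticket.
route_message() {
    stars=$(spam_stars)
    if [ "$stars" -ge "$2" ]; then
        echo drop
    elif [ "$stars" -ge "$1" ]; then
        echo divert
    else
        echo ticket
    fi
}

# deliver QUEUE DIVERT_ADDR: act on the decision for the message on stdin.
# SENDMAIL and RT_MAILGATE default to the paths quoted in the thread.
deliver() {
    tmp=$(mktemp) || return 75                # EX_TEMPFAIL: MTA retries later
    cat >"$tmp"
    rc=0
    case $(route_message 5 10 <"$tmp") in
        drop)   ;;                            # discard silently
        divert) "${SENDMAIL:-/usr/sbin/sendmail}" -i -- "$2" <"$tmp" || rc=$? ;;
        ticket) "${RT_MAILGATE:-/usr/local/rt2/bin/rt-mailgate}" \
                    --queue "$1" --action correspond <"$tmp" || rc=$? ;;
    esac
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample message (not real mail) for trying the functions.
sample_message() {   # $1 = string of stars placed in the header
    printf 'From: a@example.com\nX-Spam-Level: %s\nSubject: t\n\nbody ********************\n' "$1"
}
```

To use it from /etc/aliases, a small wrapper script would source these functions and call `deliver test usr@host.com`.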

I’m trying to create my own templates using RT 2.0.15.
From what I’ve read:

http://fsck.com/rtfm/article.html?id=5#228

I should be able to create a simple template (for
example) for new tickets as follows:

===beginning of my new ticket===
A new ticket was created. Here is the body:

$Ticket

===end of my new ticket===

But when the template is used, the “$Ticket” is not
expanded. Instead, I get $Ticket in the body.
Is there something I’m missing?

Thanks!


Thus spake Chris Fewtrell (chris@uk.clara.net) [04/08/03 07:16]:

Have setup RT3.0.2 a while ago and been using it since quite happily
within my own department. We’re now proceeding to roll out usage of the
RT system into other departments with additional queues.

We have a large influx of spam on some of these mail accounts and I
gather we won’t be alone in this.

I wondered if anyone would be willing to detail how they handle spam
with RT mailboxes, either if its generally considered better for an
external filter or use things like the integrated SpamAssassin hooks.

(Side note: if you Queue abuse@, you can’t filter it. It’s a PITA, and I’m
trying to find a way to filter abuse@ while still providing a useful queue.
No progress yet.)

We use procmail to split things off, which in and of itself, is a great spam
filter. Essentially, we have one set of three recipes for every queue.
Here’s our support queue, for example:

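# RT_MAILGATE holds the path to rt-mailgate (hyphens are not valid in
# procmail variable names, and a pipe action must start with "|")
:0
* ^(To|Cc): .*support
{
    :0
    * ^(To|Cc): .*support@
    | ${RT_MAILGATE} --queue support --action correspond --url http://rt/

    :0E
    * ^(To|Cc): .*support-comment@
    | ${RT_MAILGATE} --queue support --action comment --url http://rt/
}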

Then subsequent queues all start with ‘:0E’. At the end of it all, we put
it through TMDA. This means that any message that didn’t have a To: or Cc:
address of any of the correspond or comment addresses configured in RT will
be punted through TMDA for verification. If verification is received, and
we /still/ can’t figure out the proper queue, then we put it into a queue
called Limbo, and just monitor that for new tickets.

That was good for a while, but has its problems. So after we process the
Abuse queue, and before we process any other queue, we run the message
through SpamAssassin (spamc). If it comes back tagged as spam, then we run
it through TMDA. That’s cut down on the volume of spam into RT by like 95%.

In our company, we use RT only for our support staff. Thus I set up TMDA
http://tmda.net/, which is a challenge-response system : I set it up a
couple of weeks ago, but for the moment it seems to be efficient.

We do the same thing on our public support e-mail address, except that we
only pass it through TMDA if the message fails one of a few RBL checks.
This means that MOST spam is caught, and that MOST legitimate messages go
through unchallenged. We thought that was appropriate for a support
address, where someone may already be experiencing frustrations about
something else, and won’t always react kindly to another hoop to jump
through to get help. :)

We also run a “clean tickets” script that deletes tickets marked as such
(and related tuples) from the database altogether. I believe it’s the one
most recently updated by Jonas Lincoln; you should be able to find it in
the archives.

Chris

We also run a “clean tickets” script that deletes tickets marked as such

Is yours one running on RT3? That's what I am looking for

(and related tuples) from the database altogether. I believe it’s the one
most recently updated by Jonas Lincoln; you should be able to find it in
the archives.

Asif Iqbal
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x8B686E08
There’s no place like 127.0.0.1

$Ticket

{$Ticket}

Sebastian

Sebastian Flothow
sebastian@flothow.de

Because it reverses the logical flow of conversation.
Why is top posting frowned upon?

We also run a “clean tickets” script that deletes tickets marked as such

Is yours one running on RT3 ? Thats what I am looking for

Yes:

http://lists.fsck.com/pipermail/rt-users/2003-June/014444.html

If you’d searched the mailing lists for “removing deleted tickets” and
clicked on the first search result, you would have found that too. :)

Chris

Sebastian:
Your idea yielded an interesting result. Now I see
the following in the body of my email:

RT::Ticket=HASH(0x9aff400)

Other ideas?

Thanks!

hi joseph,

{$Transaction->Content()}

at least in RT2, probably the same in the RT3 branch.

cu
andreas

Andreas:
That did the trick. Thanks for the help! Greatly
appreciated!

How would I perform custom actions, such as resolving, changing ownership,
etc of a ticket, based on the content of a ticket and the user?

Basically I want to be able to change the status of a ticket or the owner
from my mail program, without having to login to the web interface.

I would like to just put some obscure code into the base, and have it check
me against the user database, to make sure I was allowed to do it
(status=resolved) (owner=newowner)

How would I go about doing this?

Miles Scruggs

Not sure how others would handle it, but I’d use
(again) my perl filter.
Basically my filter replaces the rt aliases in
/etc/aliases with something like:

general: "|/home/gman/scripts/filter.pl"

Then within filter.pl I search for certain content.
If I think it’s spam, I just drop it. If, in your
example, I see certain keywords in the body, I could
just pass it to a queue with a particular action:

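# Hand the message to rt-mailgate; fail loudly so the mail is not silently lost
open(PIPE, "|/opt/rt2/bin/rt-mailgate --queue general --action resolve")
    or die "cannot start rt-mailgate: $!";
print PIPE @message;
close(PIPE) or die "rt-mailgate failed: $?";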

If you’d like a copy of the filter, let me know and
I’ll send you a copy.

haven’t tried this yet, but check this out:

http://lists.fsck.com/pipermail/rt-users/2003-January/011843.html

rick
Rick Rezinas 503-889-7091
Unix Systems Administrator
Qsent, Inc.

When Gladstone was British Prime Minister he visited Michael Faraday’s
laboratory and asked if some esoteric substance called `Electricity’
would ever have practical significance.
“One day, sir, you will tax it,” was the answer.
– Science, 1994

sorry…realized after sending that that’s an rt2 enhancement.