Viewing complete message/rfc822 attachments

When we receive a spam incident report eg. from Hotmail, it typically arrives as a mime message with a message/rfc822 type attachment containing a spample. We typically would like to give our clients the spample as a part of the text body. As we’re a NREN and our clients are educational institutions like universities, the most common spam case is stolen student accounts.

Back when spammers used to just send text email messages, one could view the complete original email content on RTIR including the headers by using the “Download / with headers” button.

These days, when most self-respecting spammers do multipart/alternative messages the RTIR UI changes to have buttons for each of parts, but nothing for the base message itself. The “Show full headers” portion is not very useful for this, as it’s not copy-pasteable.

I’ve talked with other RTIR users, and they’ve suggested the same solution I’ve come up with: using an external email program with the email message for copy-pasting purposes. Seems a bit silly, since RTIR already has the complete spample in the incident report at this point, why don’t I have anything in the UI to display it?

At this time we are using RT 4.1.12, has this functionality been improved in later versions?

Well and using the “forward” of ticket or transaction won’t do the job? It forwards all the original mails in emls.

I may be a bit unfamiliar in the ways of RTIR, but when you start an investigation, how do you use “forward” to achieve this? The only relevant “forward” I know of is in the incident report, and will become a part of that ticket?

Incident tickets are AFAIK the normal RT tickets with some workflow above. So it have the same possibility of forwarding the whole ticket or transaction. See my screenshot:

.
If you don’t see those forward links you probably don’t have the right to forward the ticket.

Incident tickets are AFAIK the normal RT tickets with some workflow above. So it have the same possibility of forwarding the whole ticket or transaction.

Yes, this is my understanding also, and rights are here not the issue.

My question above was: when I have an incident report (spample) from which I’ve opened an incident, and then start creating an investigation for the incident, how do I get the original spample from the incident report all the way to the investigation without having to resort to external tools (like copy-pasting it via an email client)?

If I forward the spample from the original incident report, the correspondence with the customer becomes a part of the incident report, not the investigation. Can one open an investigation by copying an incident report as the basis?