[rt-users] Re: Dealing with spam in RT queues

Damian Gerow damian at sentex.net
Fri Oct 24 18:19:11 EDT 2003


Thus spake bill at daze.net (bill at daze.net) [24/10/03 17:25]:
> > I can't filter our abuse queue -- we get far too many automated complaints
> > that don't have a valid return address (or at least, nobody ever responds to
> > messages sent to the return address).  We have our own custom spam filtering
> > system on every other queue, but it breaks the Abuse queue.
> 
> I'm curious.  What kind of automated complaints do you receive?  How do
> you respond to the person complaining?

Spamcop and myNetWatchman are by far the two most popular.  Then there's
things like EarlyBird and its ilk, and finally there's a number of people
who have home-brewed systems.  The requestor address is something like
'noc+38267.23827.392@', or 'bob+372237jasf7jaf@' or 'sentex-ip.add.re.ss@'.

What I'm really afraid of is the people who are already irate when they send
us a complaint (albeit generally invalid -- things like 'Why is your router
sending me ICMP_PORT_UNREACH messages?  Make it stop or I'm calling the
FBI!').  I don't want to make them jump through any more hoops than they
absolutely have to, in order to make a complaint.

> I'm guessing the automated complaints are perhaps like those received from
> SpamCop and other services.  We have whitelisted known services like
> SpamCop so they are "pre-approved/pre-confirmed".  If we notice a new
> service in our weekly unconfirmed queue report, we whitelist them and
> release the complaint from the queue.  This happens very rarely.

For Spamcop and myNetWatchman, yes, it is easy to whitelist.  For the rest
of them, it's not so easy.  And with the volume of spam we get into abuse@,
I really don't want to have to wade through all the spam anyway.  The point
of looking for a 'Report as Spam'-type thingy in RT is to /reduce/ the work
needed to resolve tickets, not increase.

Yes, yes, I know -- I should stop whining and write it myself.  When I find
the time, that's what I'll do.  I'm just hoping to avoid a wheel
reinventation.

> Our stats show that 95% of the mail to our abuse@ address is spam. 4% is
> generated by SpamCop's parser thinking our mail server originated mail
> received by our customers and 1% is legitimate spam complaints from
> individual users or reporting services.  Luckily our customers hardly ever
> spam.

We're looking at something similar -- on a given day, I've seen anywhere
from 60% to 90% of mail (by volume) sent to our queued addresses is spam,
excluding abuse@.  I would say less than 10% of mail sent to abuse@ is
actually valid (i.e. not spam), and the number of actual, valid abuse
complaints is about 70% of that.

And they say that spamming doesn't cost anyone money.


