[rt-users] stop strangers from emailing other people's tickets

allen+rtlist at crystalfontz.com
Mon May 4 15:38:20 EDT 2009


Running into a problem where a "bad person" (unprivileged and unknown
by RT) can send an email to the RT system with someone else's ticket
ID in the subject. RT will recognize the (guessed) ticket ID, and
permanently append the message (which may contain spam or nastiness)
to somebody's ticket, even though the sender is not a valid party
listed on the ticket.

So some troublemaker can send 1 email with a random ticket ID, or
100,000 emails with all possible ticket IDs and attack users' tickets.

We want to allow people to create tickets by email and we do want RT
users to be automatically created if they don't already exist. Is
there a way, though, to deny permission for unprivileged users to
"reply" to a ticket unless they are the Requestor or Cc?

I have set Group Rights this way:

   Everyone: CreateTicket, ModifySelf
   Unprivileged: none
   Privileged: [many, including ReplyToTicket]
   Requestor: ReplyToTicket, SeeQueue, ShowTicket

but the above permissions do not seem to make any difference in the
ability of strangers to pollute random tickets with messages.

It also seems that if an attacker forged his From address to appear to
come from one of our privileged email addresses (like
support at yourdomain), a permissions-only approach would not really make
much of a barrier.

Should some combination of permissions be able to work, or does
preventing this abuse require a Scrip?

Do any of you with RT installations ever run into situations where
someone mail bombs or attacks your users' tickets by email in this
way?

What advice can you give?

Allen
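The Requestor-or-Cc rule asked about above, modelled as an added Python example (it is not RT code and not an RT scrip): the ticket id is taken from RT's `[rtname #id]` subject tag, and RT_NAME, the ticket table and all addresses are constructed sample data.

```python
import re
from email.utils import parseaddr

# Constructed sample data standing in for RT's ticket watcher lists.
RT_NAME = "example.com"
TICKETS = {
    1234: {"Requestor": {"alice@example.org"}, "Cc": {"bob@example.org"}},
    1235: {"Requestor": {"carol@example.org"}, "Cc": set()},
}

# RT tags subjects as "[rtname #id]"; anything else is treated as untagged.
SUBJECT_TAG = re.compile(r"\[" + re.escape(RT_NAME) + r"\s+#(\d+)\]")


def ticket_id_from_subject(subject):
    """Return the ticket id from a subject tag like '[example.com #1234]', or None."""
    m = SUBJECT_TAG.search(subject or "")
    return int(m.group(1)) if m else None


def gateway_decision(from_header, subject):
    """Decide what the mail gateway should do with an incoming message.

    Policy modelled here: anyone may create a ticket (and a new user), but a
    message carrying an existing ticket id is appended only when the sender
    is a Requestor or Cc of that ticket; otherwise it is rejected rather than
    appended to someone else's ticket.
    """
    sender = parseaddr(from_header)[1].lower()
    tid = ticket_id_from_subject(subject)
    if tid is None or tid not in TICKETS:
        return ("create", None)  # untagged or unknown id: open a new ticket
    watchers = TICKETS[tid]["Requestor"] | TICKETS[tid]["Cc"]
    if sender in watchers:
        return ("correspond", tid)
    return ("reject", tid)  # guessed id from a non-watcher: do not append
```

As the post itself points out, this check only sees the From header, so a forged From address of a watcher passes it.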


