[rt-users] stop strangers from emailing other people's tickets

Kenneth Marshall ktm at rice.edu
Mon May 4 15:58:08 EDT 2009 

On Mon, May 04, 2009 at 12:38:20PM -0700, allen+rtlist at crystalfontz.com wrote:
> Running into a problem where a "bad person" (unprivileged and unknown
> by RT) can send an email to the RT system with someone else's ticket
> ID in the subject. RT will recognize the (guessed) ticket ID, and
> permanently append the message (which may contain spam or nastiness)
> to somebody's ticket, even though the sender is not a valid party
> listed on the ticket.
> 
> So some troublemaker can send 1 email with a random ticket ID, or
> 100,000 emails with all possible ticket ids and attack users' tickets.
> 
> We want to allow people to create tickets by email and we do want RT
> users to be automatically created if they don't already exist. Is
> there a way, though, to deny permission for unprivileged users to
> "reply" to a ticket unless they are the Requestor or Cc?
> 
> I have set Group Rights this way:
> 
>    Everyone: CreateTicket, ModifySelf
>    Unprivileged: none
>    Privileged: [many, including ReplyToTicket]
>    Requestor: ReplyToTicket, SeeQueue, ShowTicket
> 
> but the above permissions do not seem to make any difference in the
> ability of strangers being able to pollute random tickets with
> messages.
> 
> It also seems that if an attacker forged his From address to appear to
> come from one of our privileged email addresses (like
> support at yourdomain), a permissions-only approach would not really make
> much of a barrier.
> 
> Should some combination of permissions be able to work, or does
> preventing this abuse require a Scrip?
> 
> Do any of you with RT installations ever run into situations where
> someone mail bombs or attacks your users' tickets by email in this
> way?
> 
> What advice can you give?
> 
> Allen

Allen,

We run all of our RT E-mail into an anti-spam system with a
quarantine function, before we pass it to RT. The means that
attacks such as the above end up populating the quarantine,
but do not actually pollute the tickets. Emptying the quarantine
is a click away. It works quite well since it is not based on
the guessed header, but the content of the message.

Alternatively, if you could set up a "secured" channel for your
valid E-mail addresses to communicate with RT from your priviledged
servers, that might work as well.

Good luck,
Ken
> _______________________________________________
> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
> 
> Community help: http://wiki.bestpractical.com
> Commercial support: sales at bestpractical.com
> 
> 
> Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
> Buy a copy at http://rtbook.bestpractical.com
>

More information about the rt-users mailing list