Opened 6 days ago

Last modified 39 hours ago

#33314 needs_review defect

RT spams TPA with bounces

Reported by: anarcat
Owned by: anarcat
Priority: Very High
Milestone:
Component: Internal Services/Services Admin Team
Version:
Severity: Minor
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by anarcat)

Since I fixed the root aliases everywhere, we seem to be getting spam mail bounced back to the tpa alias, from the root@rude email account.

It seems that this mail was previously being delivered locally to the nobody mailbox, which is now a whopping 630MB:

root@rude:/var/mail# ls -al /var/mail/*
-rw-rw---- 1 amavis        mail      5688 May  4  2016 /var/mail/amavis
-rw-rw---- 1 nobody        mail 660486247 Feb 12 21:46 /var/mail/nobody
-rw-rw---- 1 rtmailarchive mail     28174 Sep  1  2016 /var/mail/rtmailarchive

Since #32283 was deployed, that has stopped growing but instead we're all getting spammed with that junk, which isn't much of an improvement. But at least those problems will have to get fixed.

The first problem is messages in the form:

From: rt@…
Subject: Failed attempt to create a ticket by email, from <email>

<email> attempted to create a ticket via email in the queue help-es; you
might need to grant 'Everyone' the CreateTicket right.

We got 23 such emails since the alias was fixed, and this will probably just keep going forever.

I reported this as a bug in the upstream forum, in:

https://forum.bestpractical.com/t/rt-4-4-too-noisy-with-denied-users/34749

I also filed this as a bug in Debian:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951272

and filed a patch in:

https://github.com/bestpractical/rt/pull/291

That latter patch is directly applied on rude right now, with:

wget -O ~anarcat/PR-291-no-err-on-deny.patch https://patch-diff.githubusercontent.com/raw/bestpractical/rt/pull/291.patch
cd /usr/share/request-tracker4
patch -p1 < ~anarcat/PR-291-no-err-on-deny.patch
service apache2 restart

Just skip the t/ chunk.

I'll wait and see what feedback I get from upstream and Debian before deciding what to do with this in the long term. Options include:

  1. blocking users at the MTA level - requires TPA operation which we'd like to avoid, we want to train RT admins to be autonomous
  2. patch the bug in Debian and follow that process to get rude updated in the long term
  3. hotfix the Debian package in our archive

We also need to decide what to do about that 600M mail archive... I'll probably just delete it once I'm happy with our solution.
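
An added example (not part of the ticket and not RT code): before deleting a mailbox like /var/mail/nobody, a short script can tally the "Failed attempt to create a ticket by email" notices it holds, per queue and per sender. The sample mbox, its addresses and the `help` queue are constructed, and it is an assumption that the sender address directly follows "from" in the Subject.

```python
import mailbox
import re
import tempfile
from collections import Counter

# Patterns follow the notice quoted in the ticket; address-after-"from" is assumed.
SUBJECT_RE = re.compile(r"Failed attempt to create a ticket by email, from (\S+)")
QUEUE_RE = re.compile(r"create a ticket via email in the queue\s+(\S+);")

# Constructed sample mbox (not real mail from rude).
SAMPLE = b"""\
From rt@example.org Mon Feb 10 10:00:00 2020
From: rt@example.org
Subject: Failed attempt to create a ticket by email, from a@example.com

a@example.com attempted to create a ticket via email in the queue help-es; you
might need to grant 'Everyone' the CreateTicket right.

From rt@example.org Mon Feb 10 11:00:00 2020
Subject: Failed attempt to create a ticket by email, from a@example.com

a@example.com attempted to create a ticket via email in the queue help; you

From root@example.org Mon Feb 10 12:00:00 2020
Subject: Cron <root@host> run-parts /etc/cron.daily

nothing to see here
"""

def summarize_denied(mbox_path):
    """Return (per-queue Counter, per-sender Counter, count of other mail)."""
    queues, senders = Counter(), Counter()
    box = mailbox.mbox(mbox_path, create=False)  # never create a missing file
    for msg in box:
        subject = " ".join(str(msg.get("Subject", "")).split())  # unfold header
        hit = SUBJECT_RE.match(subject)
        if hit:
            senders[hit.group(1)] += 1
            body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
            queue = QUEUE_RE.search(body)
            queues[queue.group(1) if queue else "unknown"] += 1
    other = len(box) - sum(senders.values())
    box.close()
    return queues, senders, other

def demo():
    with tempfile.NamedTemporaryFile(suffix=".mbox") as fh:
        fh.write(SAMPLE)
        fh.flush()
        return summarize_denied(fh.name)
```

Calling `summarize_denied()` on a copy of the real mailbox shows which queues and senders account for the notices and how much unrelated mail would be lost by deleting it.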

Change History (4)

comment:1 Changed 6 days ago by anarcat

Description: modified (diff)

comment:2 Changed 5 days ago by anarcat

Description: modified (diff)
Status: assigned → needs_review

patch didn't work: RT runs in mod_perl so we need to restart apache too. amended the instructions and tested if bounces make it back to TPA with this command on rude:

swaks -t rt@rt.torproject.org -s localhost -f newsletter

so far nothing: TPA doesn't get the bounce! so in the short term that issue seems to have been fixed.

in the mid term, we also need to clear out /var/mail. we might also want to consider purging ~rtarchive/Maildir/ eventually?

comment:3 Changed 5 days ago by anarcat

Keywords: tpa-roadmap-february removed

comment:4 Changed 39 hours ago by anarcat

patch was refused upstream, suggesting we replace the "Default" plugin with our own instead, which I don't find very satisfying as a response.

also, got another bounce during the weekend, and removed another MailError. Feels like i'm playing whack-a-mole, but i'll let this one sit a little longer and see if we have fixed it before deciding where to go.

new commit:

https://github.com/anarcat/rt/commit/1504c1a5fde546e32a7baa006d5d4799cfda3f3b

...on the no-err-on-deny branch in:

https://github.com/anarcat/rt/commits/no-err-on-deny
