[tor-bugs] #33314 [Internal Services/Services Admin Team]: RT spams TPA with bounces

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Feb 13 19:47:51 UTC 2020


#33314: RT spams TPA with bounces
-------------------------------------------------+-------------------------
 Reporter:  anarcat                              |          Owner:  anarcat
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  Very High                            |      Milestone:
Component:  Internal Services/Services Admin     |        Version:
  Team                                           |
 Severity:  Minor                                |     Resolution:
 Keywords:  tpa-roadmap-february                 |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by anarcat):

 * status:  assigned => needs_review


Old description:

> Since I fixed the root aliases everywhere, we seem to be getting spam
> mail bounced back to the tpa alias, from the root@rude email account.
>
> It seems that this mail was previously being delivered locally to the
> `nobody` mailbox, which is now a whopping 630MB:
>
> {{{
> root@rude:/var/mail# ls -al /var/mail/*
> -rw-rw---- 1 amavis        mail      5688 May  4  2016 /var/mail/amavis
> -rw-rw---- 1 nobody        mail 660486247 Feb 12 21:46 /var/mail/nobody
> -rw-rw---- 1 rtmailarchive mail     28174 Sep  1  2016 /var/mail/rtmailarchive
> }}}
>
> Since #32283 was deployed, that has stopped growing but instead we're all
> getting spammed with that junk, which isn't much of an improvement. But
> at least those problems will have to get fixed.
>
> The first problem is messages in the form:
>
> > From: rt@rt.torproject.org
> > Subject: Failed attempt to create a ticket by email, from <email>
> >
> > <email> attempted to create a ticket via email in the queue help-es; you
> > might need to grant 'Everyone' the CreateTicket right.
>
> We got 23 such emails since the alias was fixed, and this will probably
> just keep going forever.
>
> I reported this as a bug in the upstream forum, in:
>
> https://forum.bestpractical.com/t/rt-4-4-too-noisy-with-denied-users/34749
>
> I also filed this as a bug in Debian:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951272
>
> and filed a patch in:
>
> https://github.com/bestpractical/rt/pull/291
>
> That latter patch is directly applied on rude right now, with:
>
> {{{
> wget -O ~anarcat/PR-291-no-err-on-deny.patch https://patch-diff.githubusercontent.com/raw/bestpractical/rt/pull/291.patch
> cd /usr/share/request-tracker4
> patch -p1 < ~anarcat/PR-291-no-err-on-deny.patch
> }}}
>
> just skip the `t/` chunk.
>
> I'll wait and see what feedback I get from upstream and Debian before
> deciding what to do with this in the long term. Options include:
>
>  1. blocking users at the MTA level - requires TPA operation which we'd
> like to avoid, we want to train RT admins to be autonomous
>  2. patch the bug in Debian and follow that process to get rude updated
> in the long term
>  3. hotfix the Debian package in our archive
>
> we also need to decide what to do about that 600M mail archive... i'll
> probably just delete it once i'm happy with our solution.

New description:

 Since I fixed the root aliases everywhere, we seem to be getting spam mail
 bounced back to the tpa alias, from the root@rude email account.

 It seems that this mail was previously being delivered locally to the
 `nobody` mailbox, which is now a whopping 630MB:

 {{{
 root@rude:/var/mail# ls -al /var/mail/*
 -rw-rw---- 1 amavis        mail      5688 May  4  2016 /var/mail/amavis
 -rw-rw---- 1 nobody        mail 660486247 Feb 12 21:46 /var/mail/nobody
 -rw-rw---- 1 rtmailarchive mail     28174 Sep  1  2016 /var/mail/rtmailarchive
 }}}

 Since #32283 was deployed, that has stopped growing but instead we're all
 getting spammed with that junk, which isn't much of an improvement. But at
 least those problems will have to get fixed.

 The first problem is messages in the form:

 > From: rt@rt.torproject.org
 > Subject: Failed attempt to create a ticket by email, from <email>
 >
 > <email> attempted to create a ticket via email in the queue help-es; you
 > might need to grant 'Everyone' the CreateTicket right.

 We got 23 such emails since the alias was fixed, and this will probably
 just keep going forever.

 I reported this as a bug in the upstream forum, in:

 https://forum.bestpractical.com/t/rt-4-4-too-noisy-with-denied-users/34749

 I also filed this as a bug in Debian:

 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951272

 and filed a patch in:

 https://github.com/bestpractical/rt/pull/291

 That latter patch is directly applied on rude right now, with:

 {{{
 wget -O ~anarcat/PR-291-no-err-on-deny.patch https://patch-diff.githubusercontent.com/raw/bestpractical/rt/pull/291.patch
 cd /usr/share/request-tracker4
 patch -p1 < ~anarcat/PR-291-no-err-on-deny.patch
 service apache2 restart
 }}}

 just skip the `t/` chunk.

 I'll wait and see what feedback I get from upstream and Debian before
 deciding what to do with this in the long term. Options include:

  1. blocking users at the MTA level - requires TPA operation which we'd
 like to avoid, we want to train RT admins to be autonomous
  2. patch the bug in Debian and follow that process to get rude updated in
 the long term
  3. hotfix the Debian package in our archive

 we also need to decide what to do about that 600M mail archive... i'll
 probably just delete it once i'm happy with our solution.

--

Comment:

 patch didn't work: RT runs in mod_perl so we need to restart apache too.
 amended the instructions and tested if bounces make it back to TPA with
 this command on rude:

 {{{
 swaks -t rt@rt.torproject.org -s localhost -f newsletter
 }}}

 so far nothing: TPA doesn't get the bounce! so in the short term that
 issue seems to have been fixed.

 in the mid term, we also need to clear out /var/mail. we might also want
 to consider purging ~rtarchive/Maildir/ eventually?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33314#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online