Working with Abuse Reporting Format (ARF) E-Mails

Jens Bothe, 15 Dec 2011 | Consulting, Development, Use cases

Disclaimer:

The practical examples presented in our technical blog (blog.otrs.com) and now in the expert category of our FAQ blog section serve as a source of ideas and documentation, showing what is theoretically possible with OTRS in concrete scenarios or sometimes even in more exotic configurations. All configurations presented here were developed under laboratory conditions as a proof of concept.

We can only guarantee that these concepts are tested and implemented error-free and ready for production if this is done in a workshop with one of our OTRS consultants. Otherwise the responsibility lies with the customer. Please note that configurations from older OTRS versions may not work in newer ones.

OTRS is well known for its powerful e-mail filters, and it is widely used in abuse departments, NOCs and CERTs.

Some years ago a message format called the Abuse Reporting Format (ARF, standardized in 2010 as RFC 5965) was designed to automate the exchange of data about spam, fraud and other e-mail abuse. AOL uses this format for its Postmaster Feedback Loop. While reviewing the setup of an OTRS installation used for security and abuse handling, I had the idea of writing a postmaster filter that stores some of the report data in Ticket Free Fields.

While researching the format, the CPAN module Email::ARF::Report caught my attention, so I decided to build a PostmasterFilter module around it.

First I wrote a test script to check out what the module offers:

#!/usr/bin/perl
use strict;
use warnings;

use Email::ARF::Report;
use File::Slurp qw(slurp);

# read a saved ARF message (e.g. an AOL feedback-loop report) from disk
my $message = slurp('sample2.txt');
my $report  = Email::ARF::Report->new($message);

# fields of the machine-readable message/feedback-report part
print "Report Fields\n";
print "=============\n";
foreach my $field (qw(Feedback-Type Source-IP)) {
    print ucfirst($field) . ': ' . ( $report->field($field) || '' ) . "\n";
}
print "\n\n";

# selected headers of the original message (the embedded message/rfc822 part)
print "Original Headers\n";
print "================\n";
foreach my $header (qw(to date subject message-id from X-AOL-IP)) {
    print ucfirst($header) . ': ' . ( $report->original_email->header($header) || '' ) . "\n";
}

With this I was able to run some tests on AOL feedback reports I had in my OTRS ticket database.

The Postmaster Filter Module uses six Ticket Free Fields to store:

  • Report Feedback Type
  • Report Source IP
  • Original To Address
  • Original From Address
  • Original Subject
  • Original Message ID

The subject of the mail is also rewritten to include the Feedback Type and the original sender.

Some values can be set via SysConfig, for example the From Address Regex already known from the SystemMonitoring module, which restricts the filter to mail from the feedback-loop sender.
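To show how the pieces described above fit together (the six free fields, the subject rewrite and the From Address Regex), here is a sketch of such a filter module as an added example. It is not the proof-of-concept OPM from this post and not part of OTRS. It assumes the OTRS 3.0 postmaster filter interface (a new constructor receiving the framework objects and a Run method receiving GetParam), the X-OTRS-TicketKeyN/X-OTRS-TicketValueN headers for filling Ticket Free Fields, and a hypothetical SysConfig group PostmasterFilter::ARF with the keys FromAddressRegExp and FreeTextField; the module name and the default sender regex are placeholders.

```perl
# Kernel/System/PostMaster/Filter/ARFReport.pm  (module name is an assumption)
package Kernel::System::PostMaster::Filter::ARFReport;

use strict;
use warnings;

use Email::ARF::Report;

sub new {
    my ( $Type, %Param ) = @_;

    my $Self = {};
    bless( $Self, $Type );

    # the postmaster framework passes its objects to every filter module
    for my $Object (qw(ConfigObject LogObject ParserObject)) {
        $Self->{$Object} = $Param{$Object} || die "Got no $Object!";
    }

    # assumed SysConfig group: FromAddressRegExp selects the feedback-loop
    # sender, FreeTextField is the number of the first of six consecutive
    # Ticket Free Fields; the defaults below are placeholders
    $Self->{Config} = $Self->{ConfigObject}->Get('PostmasterFilter::ARF') || {};
    $Self->{Config}->{FromAddressRegExp} ||= '^feedback-loop\@example\.com$';
    $Self->{Config}->{FreeTextField}     ||= 1;

    return $Self;
}

sub Run {
    my ( $Self, %Param ) = @_;

    # GetParam is the hash of parsed headers of the incoming mail; changes
    # made here are seen by the postmaster when it creates the ticket
    my $GetParam = $Param{GetParam};
    return 1 if !$GetParam;

    # only mail from the configured sender is treated as an ARF report
    return 1 if !$GetParam->{From};
    return 1 if $GetParam->{From} !~ /$Self->{Config}->{FromAddressRegExp}/i;

    # Email::ARF::Report->new dies on anything that is not a
    # multipart/report with report-type=feedback-report, so guard it
    my $Report = eval { Email::ARF::Report->new( $Self->{ParserObject}->GetPlainEmail() ) };
    if ( !$Report ) {
        $Self->{LogObject}->Log(
            Priority => 'notice',
            Message  => "ARF filter: sender matched but message is not an ARF report: $@",
        );
        return 1;
    }

    my $Original = $Report->original_email;    # the embedded message/rfc822 part

    # the six values, in the order of the free fields they are stored in;
    # scalar context so multi-valued headers do not spill into the list
    my @Values = (
        [ 'Feedback Type',       scalar $Report->field('Feedback-Type') ],
        [ 'Source IP',           scalar $Report->field('Source-IP') ],
        [ 'Original To',         scalar $Original->header('To') ],
        [ 'Original From',       scalar $Original->header('From') ],
        [ 'Original Subject',    scalar $Original->header('Subject') ],
        [ 'Original Message-ID', scalar $Original->header('Message-ID') ],
    );

    # X-OTRS-TicketKeyN / X-OTRS-TicketValueN fill Ticket Free Field N
    my $Number = $Self->{Config}->{FreeTextField};
    for my $Pair (@Values) {
        my ( $Key, $Value ) = @{$Pair};
        $GetParam->{ 'X-OTRS-TicketKey' . $Number }   = $Key;
        $GetParam->{ 'X-OTRS-TicketValue' . $Number } = defined $Value ? $Value : '';
        $Number++;
    }

    # rewrite the subject to show the feedback type and the original sender
    my $Type    = $Values[0][1] || 'unknown';
    my $Sender  = $Values[3][1] || 'unknown sender';
    my $Subject = defined $Values[4][1] ? $Values[4][1] : '';
    $GetParam->{Subject} = "[$Type] $Sender: $Subject";

    return 1;
}

1;
```

Like any other filter, the module would be registered through the PostMaster::PreFilterModule SysConfig setting. Two things worth keeping in mind: the From address is the only gate, and it is trivially forgeable, so anything that matches the regex and parses as ARF will populate the free fields; and the original headers are data supplied by a third party that is copied verbatim into the ticket, so they should be displayed but never interpreted or trusted.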

The ticket created from an ARF-formatted message then shows the extracted values in its free fields.

The Proof of Concept OPM can be downloaded here.
