OTRS is well known for its powerful E-Mail filters. Also OTRS is used a lot in abuse departments, NOCs and CERTs.
Some years ago a messages format, called Abuse Response Format – ARF was designed to help to automate data exchange on spams, fraud or other abuse of E-Mails. AOL is using this format for their Postmaster Feedback Loop. Reviewing the setup of one of an OTRS used for security and abuse handling I had the idea to create a postmaster filter for writing some of the data into Ticket Free Fields.
Doing some research the CPAN class Email::ARF::Report attracted my attention. So I decided to build a PostmasterFilter Module using it.
First I created a testscript for checking out all of the possibilities:
#!/usr/bin/perl -w
use Email::ARF::Report;
use File::Slurp qw (slurp);
my $message = slurp ('sample2.txt');
my $report = Email::ARF::Report->new($message);
print "Report Fields\n";
print "=============\n";
foreach my $field (qw(Feedback-Type Source-IP)) {
print ucfirst $field . ': '
. $report->field($field) . "\n";
}
print "\n\n";
print "Original Headers\n";
print "================\n";
# Get some Original Headers
foreach my $header (qw(to date subject message-id from X-AOL-IP)) {
print ucfirst $header . ': '
. $report->original_email->header($header) . "\n";
}
So I was able to do some test on some AOL Feedback Reports I had in my OTRS Ticket Database.
The Postmaster Filter Module will use 6 Ticket Free Field for storing:
- Report Feedback Type
- Report Source IP
- Original To Address
- Original From Address
- Original Subject
- Original Message ID
Also the subject of the mail will be rewritten to include the Feedback Type and the Original Sender.
Some values can be set via Sysconfig, like the From Address Regex already known from the SystemMonitoring Module:
The Ticket of the ARF Formatted Message will look like this:
The Proof of Concept OPM can be downloaded here