• Support
• Triage

---

• česky | english

---

Purpose

The Mission of Triage Team is:

• to transfer support issues to places where support can be given

some amplification:

• by definition, support is not given in/at/from support@ within the Triage Team

• the task is one of selection by applying human judgement

• the Triage team selects then moves the support issue to where it can get best attention

This page documents the various incoming acts and resultant outgoing acts. It is intended to be the triage team's primary resource, the starting point.

The general concept of triage is defined on wikipedia. Triage Team is part of the overall Support Team.

The Picture

The task is to look at each email coming into support@ and to pick one of several places to send it. These places are called channels or buckets. Together, these are shown as Queues in the system. The below is a summary (not exact):

               /----> SE   ... support engineers ("Support Engineers" queue)
              /
             /
             |   /--> help ... help team (mailing list cacert-support)
             |  /
             | /
  triage team ------> disputes ...  case managers  -->  arbitrators
             |\
             | \
             |  \---> meta ... stuff related to support, but not a support case
             \
              \
               \----> buckets ... visible/searchable by SEs

The Channels

Triage is about selecting the right place. There are several channels available to you.

• High-level Channel	short	OTRS queue / location	notes
  Support Engineers	SE	Support Engineers
  Help Team	help	cacert-support	forward mail to Open Help Forum and then close it
  Disputes	disputes	Disputes	Guidelines
  meta-discussion	meta	<cacert-se AT lists DOT cacert DOT org>	mailing list where you can ask serious questions, remove private information before posting
  meta-discussion	meta	ircs://irc.cacert.org:7000/se	IRC chat room open for casual questions and help from SEs, remove private information before posting

Both on the cacert-se@ mailing list and IRC private information should be removed because there are people who don't belong to the Support Team reading these messages. If you want to talk about a certain case, you can post the ticket number instead of forwarding the content, you can also add internal notes to a ticket. If you absolutely need to share private information you can write an email and send it directly to each Support Engineer (encrypted).

A channel is a place where there are CAcert people ready and waiting to receive your forwards. Channels are generally served by the issue tracking system. In these pages we talk about channels at the conceptual level; it is a separate subject how they are served in reality (you have to figure that out).

Channels are also to be defined at a high-level in the SecurityManual.

The Buckets

There are also several places for low level and bulk stuff, seen above as buckets. These should be visible to SEs for analysis, but there isn't necessarily anyone looking at them. Mails are stored in buckets until they are needed.

• Low-level Buckets	short	OTRS	method	notes
  delivery reports	bounce	Returns	Filter	reports about undeliverable mails, vacation notices, other auto replies. Are automatically closed
  junkbox	junk	Junk	Manual.	these are saved for searching for lost emails
  password checks	passwd	Support Engineers::Requested Passphrase	Filtered	sent out from the system if someone fails on his lost password questions. Are automatically closed
  email ping abuse reports	abuse	Verification Abuse	Filter	sent by the system if someone click on the verification link in an email and then chooses to not verify that address. Are automatically closed
  Paypal notifications	paypal	Paypal	Manual.	these are sent automatically to Support for verification of password request fees
  Deleted Accounts	Deleted	Support Engineers::Deleted Accounts	Filter	mails sent to email addresses which are created for each deleted account
  "The Bat"	Bat	The Bat	Filter	mails sent in error by old mail client "The Bat", sender will get an automatic error notice, automatically closed

Filters

Buckets are sometimes automated and sometimes not. The filters set up in OTRS are very strict so there should be almost no false positives, but that also means that there are mails where the filter doesn't match but which belong into one of the filtered queues.

OTRS

In the Support Team we use the OTRS ticketing system to keep track of mails sent to support@cacert.org. The buckets and channels described above are mapped to queues in OTRS. A detailed description of the use of OTRS within support is found in the support handbook chapter ORTS.

Queues & Tickets

Initially all mail that couldn't be added to an existing ticket or automatically sorted by a filter pops up in the "Triage" queue waiting for you to move it into the desired queue. You do that by selecting the queue you want to move the ticket into from the drop-down box "Change queue" in the ticket and clicking the "Move" button, it's as easy as that. To see an overview of the open tickets in another queue you click the name of the queue on top of the page, the number in brackets is the number of open tickets in that queue. In many cases the email text is longer than shown in the overview. To get a more detailed view you click the "Zoom" link in the ticket, which shows the full text and a some more options than in the overview.

Closing & Searching

In some queues (e.g. Returns and Junk) the ticket should be closed if you have moved it into that queue. You do that by clicking the "close" link in the ticket, giving a short (for the standard cases it can be really tiny) reason why you closed the ticket, and zhen clicking "Submit" in the pop-up window. A closed ticket doesn't appear in the overview of the queue (you can't delete tickets in OTRS but closing them hides them, to avoid the out of view out of mind phenomenon only close tickets which don't need further processing – be careful). If you want to see a closed ticket (e.g. because you unintentionally closed it) you can use the search function on the very top. There you select the queue you want to search in the "Queue" list, leave everything else unchanged (if you want to specify additional criteria you can do so of course) and hit the "Search" button on the bottom.

Forwarding

Some channels (e.g. cacert-support) require that you manually forward the email to the channel (e.g. a mailing list) before closing it. To do that zoom into that ticket and click "Forward" (below "Article" on the right side), fill in the destination in the "To" line, maybe edit the text (e.g. to remove private information or tell the receiver that the one who initially sent the email is not subscribed to the mailing list so he has to send replies directly) and click the "Send mail!" button.

Bulk Action

You will notice that sometimes there are many tickets which need the same action performed on them. To save you some work there's a powerful feature called "Bulk Action". To use it mark the check boxes of all tickets you want to process simultaneously, then click "Bulk Action at the very top. In the next step give a short description of the reason for your action, select the state the tickets should get (e.g. "closed successful" if you want to close them) and the queue you want to move them into (if you don't want to move them, just leave the drop box at "-"), finally click "Submit". Be careful with this feature "With great power comes great responsibility."

Play with it

If you want to get a feeling for how OTRS works you can send an email to support@cacert.org with the subject and text indicating that this is a test message so the other Triagers and SEs leave it to you. Then experiment with the resulting tickets. If you have further questions just ask on one of the meta channels (i.e. the cacert-se mailing list or the IRC #se channel).

The classes of Incoming Mail

• automated responses:
  • mail rejections (delivery failure notices) caused by
    • ping checks of email and domain ownership
    • cert expiry reminders
    • ad hoc scripts

      • note that these mail rejections may be evidence that domains or emails are dead => revocation

      • or they may be short term problems.

      • currently no designated SE action

    • move to bounce bucket and close

    • If the bounce belongs to a support case (indicated e.g. by a support ticket number in the subject line of the bounced message) forward to the SE channel instead

  • automated benign responses caused by
    • ticketing systems e.g., that the email has been received and turned into a ticket
    • vacation notices

    • move to bounce bucket and close

  • cacert internal operations
    • redirections or cc's
    • root, paypal

    • forward to SE channel

  • system reports
    • password change attempt
    • sent by the system whenever someone fails on his lost password questions

    • move to the passwd bucket

  • where to send the rest?

    • forward to SE channel

• spam

  • read it

  • once declared as spam, move to junk bucket and close

• Abuse Reports
  • These are an option generated by people who receive verification mails
  • The Abuse reports include too little info, we need more info.

  • move to abuse bucket.

  • Abuses that occur often should be forwarded to the SE channel in the future, but we need some info => Patch.

• arbitrator's requests
  • for action
  • for assistance

  • should include a tracking token, which is the arbitration number like a20091225.1

  • forward to SE channel

• discussion
  • meta-discussion (about support but not a support request)
  • these shouldn't happen on the support@ entry point, but are destined to happen for a while

  • forward to meta channel

• cryptographic unreadable mail
  • encrypted (S/MIME, PGP) where we don't have the private key (e.g. encrypted with the root cert, yes that happens)

  • forward to SE channel

• non-understandable
  • wrong language
  • unclear use of words
  • garbled in transmission
  • automatic gibberish

  • forward to SE channel

• request for Organisation Assurance, or information about

  • forward to SE channel

• request for feature enabling or service
  • code-signing
  • IDN International Domain Name?
  • location database (find an assurer)

  • forward to SE channel

• disputes requests

  • some cases can be handled by the Support Team (following precedence cases)

    • request from Assurers to revoke an assurance within 24 hours
    • request from Assuree to correct date of birth or name
    • request for account deletion
    • minor name changes

    => forward to SE channel

  • information changes (change to names, points)
  • requests for information (privacy / protection requests)

  • forward to Disputes channel

  • refer to Guidelines

• help
  • help requested in a process, from a human
  • read the email carefully and decide

  • follow the guidelines at Open Help Forum

  • move into the cacert-support queue then

  • sanitise to leak as little private information as possible (email and name are not considered private) then

  • forward to the help channel and close the ticket

  • more info on forwarding below

• Paypal payments notifications

  • password request payments received

    • any payment
      • of $15.00 USD and/or

      • marked: "Description:CAcert Password Reset Service" which you have to search for in the body of the mail and confirm by eyesight

      is considered to be a password request payment

    • forward to SE channel

  • paper CATS certificate purchase -> ignore

    • Discussions with Education Forum indicate they are not being checked, therefore no forwarding.

    • marked as: "Description:Assurer Paper Certificate Donation" and are for EUR 5.00

    • move into the paypal bucket and close

  • the rest are probably Donations to CAcert -> ignore

    • Donations are marked: "Description:Donation to CAcert" which is deep in the body of the mail.

    • May also be marked as Donation in the Subject line, but this is not confirmed.

    • move into the paypal bucket and close

  • anything else: forward to SE channel

  • payments come in by two sources: by paypal, by au account (but no notifications seen from AU account)
• bugs, patches, code, security breaches
  • bugs seen in the code
  • patches offered by outsiders
  • claims of security breaches

  • forward to SE channel

• "The Bat!"
  • Triage signal: If the email is Russian and has a header indicating an email client called "The Bat!".
  • An automated filter classifies those from the header rejects them with an error message for the users.
  • The automated response:

    • in English and Russian (translation still needed, if you know someone who can translate it contact t/l)

    • suggesting they upgrade their client
    • suggesting they use the online form for their support requirements.
  • See more below.

  • these should never reach the OTRS, if they do anyway move into the Bat bucket (without closing) and tell the others on the team (via one of the meta channels)

• Certificate signing requests.

  • probably comes from user_name@mac.com

  • has this text in it or is completely empty:

    • User Name has sent you a certificate request. Click the enclosure to complete the request. A certificate signing request (CSR) is information generated by the computer to identify the user requesting a certificate from a Certificate Authority. The CSR contains the public key of the user and is used to generate the certificate. The certificate will automatically be sent to User Name.

  • an .csr file is attached to it
  • see more below

  • forward to SE channel

• request for TTP (Trusted Thirs Party), or information about

  • forward to SE channel

• request for writing access to the Wiki

  • forward to SE channel

Miscellaneous

Forwards

• The first line of any forward should include any additional info that might be useful:

  • your name!

  • any explanations you can think of
    • If forwarding to a mailing list you should mention the fact that the person asking for help is probably not subscribed to the list and therefore all replies should be explicitly sent to him too
• Strip away irrelevant stuff if it makes sense
  • although headers and attachments can sometimes be important, they often clutter it up, and sometimes hide the real message.
  • be careful!
  • remove all the Re: RE: Fwd: cruft (only leave a single Re: if it's a reply)
  • try to give it a suitable subject if not already present

Disputes

• Disputes is a big field. Refer to these documents:

  • Guidelines for Support and Arbitration

  • Further reading: CM and Security Policy and SecurityManual.

The Bat!

• A particular mail client called "The Bat!" sends every mails meant for any "support@" to "support@cacert.org". It's a bug.

• The bug: that the address book also includes root certs in its searches, and this includes our support email address.
• This mail is not spam, but is wrongly directed (confusion in address book picks up root certificate email address, not user's intended email).

CSR mails

• Philipp writes:

• This is an automatically generated email by Apple's keyChain tool. When the user tells it's email client that he wants a certificate from CAcert, the tool automatically generates a CSR, sends that to support@co, and hopes that CAcert will issue a certificate for the email address and send the certificate to the email address. (The idea isn't that bad, since that way, the email address would be verified automatically) But we haven't implement such an automatic certificate issuing mechanism at CAcert yet, so the only thing you can do is to reply to the user to please use our web-interface instead. Yes, in those cases it's natural that there is no account for that user yet. I would be surprised if you could find a related account. I would suggest that you start the discussion on the policy mailinglist, whether we should offer that additional service to Mac (and potentially to Linux and Outlook) users.

Returns from MAILER-DAEMON

If a ticket is send from MAILER-DAEMON you need to check wether it is just information that could not be transported or if it is a support related item.

To check this open the ticket and use the plain text view of the ticket.

Search for the second subject entry in red. There you will find the subject of the original mail.

Decide weather is just a information eg. your certificate is expiring, move it to Returns otherwise move it to SE

To Join Triage

Contact the T/L who will start you on the track.

1. You need to be an Assurer. This is because some of the things that you do will be relied upon by others; it's a responsibility.

   1. CARS or CAcert Assurer Reliable Statement.

   2. To be part of Triage, you acknowledge / agree to Security Policy, as a dominating document. You don't need to know it, but you do need to respect it.

2. Read and understand this page of notes.
3. Make sure your IRC access is good.
4. Get your certs into your MUA / mail client and browser.

   • a CAcert CommunityEmail address is useful because email is protected point to point.

   • or you must send all the work in Encrypted form (latter probably not working yet).

Appendixes

How to find out whether a message is spam

1. The sender of the message is forged (see "Plain Format"); the sender in the envelope (1st line) differs from the From: field lower, and the sender is not *@cacert.org.

2. The To: field, or the addressee of the message differs from *@cacert.org (frequently support@cacert.org); the addressee is completely missing or reads as "recipients", "undisclosed recipients", "undisclosed", or that field is missing.

3. The message apparently don't request a support, rather it offers goods (drugs, medicines, Viagra,...), services (holiday accommodation, web cooperation, loan), requests help with (fake) money transaction and offers reward (Nigeria's "Barrister" spam), heartbreakingly pleads for succor, or announces that you've won a (fake) lottery.
4. Thus, all messages with "lottery" in their subject, should be treat as spam.
5. In doubt you can look how that message was treated in the past, if the message was received repeatedly (click CustomerID on the right side).
6. Some spam messages repeat as exactly equal, other have the same Subject, but seems to be sended by different senders (usually spammers' victims), also the text of the message is the same.
7. Popular phishing tricks:

   • the attachment, says message, is suppose to be an invoice, delivery note of FedEx, Wells Fargo, etc., but it is a virus;

   • links to suspected websites (no FQDN, but an IP-address only),
   • elicitation of private data as the name, date of birth, address of residence, credit card number, e-mail - under a threat, as deleting or disabling your mailbox by closely unspecified (and non-existent) administrator.
   • threats of spreading spam, child porn, videos showing violence; but if you respond, you will become a victim: they may do just that under your address.
8. Offers of cooperation or reports of monetary donations must be considered very carefully. Recently (2020), spam has increased, which seems to offer help with redesigning the CAcert website, increasing its visibility in search engines, offering an increase in the number of clients, video clips, voice control and the like. Such spam message looks real, if you see it for the first time; it has no attachments or links - its purpose is not clear, until you find several such, exactly the same messages during few seconds to 24 hours. The goal of such spam is probably to get a working email address. I recommend sending SE isolated cases.
9. [Aleš Kastner]

Dirk Astrath's comments

on using queues, 2016

Blocked Accounts

Normally it's not allowed for SE to block accounts. Unfortunately (at least) on of the previous supporters blocked accounts for different reasons. Some of them are documented in OTRS within an open support case. These are moved to the "Locked Account" queues. We may need to hand over these cases to Arbitration later.

Let me explain the queues how I use them currently:

Arbitration

This queue is for open arbitration cases, where Support has to answer arbitration or add a ruling to precendents cases. Every question from arbitration/case manager should be moved here, no matter of the type of arbitration case.

Certificate Problems

Currently this queue is for everybody, who complains about "Firefox/Chrome/... complains about my new certificate". This queue can be answered as soon as a statement is written (I would add the MD5-resigning and NRE-stuff to this text). Maybe we can move queue to Triage later

Delete accounts

For mails from users about account removal.

Locked account

Temporary queue until we can move these support-cases to arbitration

New points calculation

May be interesting again as soon as we have the new points calculation in place. (currently empty)

Pending for action

Waiting for answer/ruling from arbitration/member, policy change/...

Requested passphrase

"I can't login" ... If in doubt, simply move to "Support Engineers" queue ... currently there are not so many mails ...

TTP

is for "Trusted Third Party" ... but I don't know if there is somebody active there ... ;-(

Organisation Assurance

... this was handled by Marcus before, I try get in contact to Benedikt to pre-handle this ...

Disputes

will move tickets out of support to Arbitration.

From my POV [point of view] "Organisation Assurance" and "Disputes" should not be targets for Triage. Only Support Engineers should move tickets to these queues.

Rules say "Move to SE and support-mailinglist", but normally i would not move any mails to a mailinglist.

If I see a general question I would answer this from SE-queue (or the other queues) directly to the member ... and copy my part of the answer together with the question (anonymized) manually to the mailinglist (which is not easy in my environment ).

According to our rules Triage should not answer (... but Joost and I are working to change this ... ).

---

• CategorySupport