Purpose

The Mission of Triage Team is:

some amplification:

This page documents the various incoming acts and resultant outgoing acts. It is intended to be the triage team's primary resource, the starting point.

The general concept of triage is defined on wikipedia. Triage Team is part of the overall Support Team.

The Picture

The task is to look at each email coming into support@ and to pick one of several places to send it. These places are called channels or buckets. Together, these are shown as Queues in the system. The below is a summary (not exact):

               /----> SE   ... support engineers ("Support Engineers" queue)
              /
             /
             |   /--> help ... help team (mailing list cacert-support)
             |  /
             | /
  triage team ------> disputes ...  case managers  -->  arbitrators
             |\
             | \
             |  \---> meta ... stuff related to support, but not a support case
             \
              \
               \----> buckets ... visible/searchable by SEs

The Channels

Triage is about selecting the right place. There are several channels available to you.

Both on the cacert-se@ mailing list and IRC private information should be removed because there are people who don't belong to the Support Team reading these messages. If you want to talk about a certain case, you can post the ticket number instead of forwarding the content, you can also add internal notes to a ticket. If you absolutely need to share private information you can write an email and send it directly to each Support Engineer (encrypted).

A channel is a place where there are CAcert people ready and waiting to receive your forwards. Channels are generally served by the issue tracking system. In these pages we talk about channels at the conceptual level; it is a separate subject how they are served in reality (you have to figure that out).

Channels are also to be defined at a high-level in the SecurityManual.

The Buckets

There are also several places for low level and bulk stuff, seen above as buckets. These should be visible to SEs for analysis, but there isn't necessarily anyone looking at them. Mails are stored in buckets until they are needed.

Filters

Buckets are sometimes automated and sometimes not. The filters set up in OTRS are very strict so there should be almost no false positives, but that also means that there are mails where the filter doesn't match but which belong into one of the filtered queues.

OTRS

In the Support Team we use the OTRS ticketing system to keep track of mails sent to support@cacert.org. The buckets and channels described above are mapped to queues in OTRS. A detailed description of the use of OTRS within support is found in the support handbook chapter ORTS.

Queues & Tickets

Initially all mail that couldn't be added to an existing ticket or automatically sorted by a filter pops up in the "Triage" queue waiting for you to move it into the desired queue. You do that by selecting the queue you want to move the ticket into from the drop-down box "Change queue" in the ticket and clicking the "Move" button, it's as easy as that. To see an overview of the open tickets in another queue you click the name of the queue on top of the page, the number in brackets is the number of open tickets in that queue. In many cases the email text is longer than shown in the overview. To get a more detailed view you click the "Zoom" link in the ticket, which shows the full text and a some more options than in the overview.

Closing & Searching

In some queues (e.g. Returns and Junk) the ticket should be closed if you have moved it into that queue. You do that by clicking the "close" link in the ticket, giving a short (for the standard cases it can be really tiny) reason why you closed the ticket, and zhen clicking "Submit" in the pop-up window. A closed ticket doesn't appear in the overview of the queue (you can't delete tickets in OTRS but closing them hides them, to avoid the out of view out of mind phenomenon only close tickets which don't need further processing – be careful). If you want to see a closed ticket (e.g. because you unintentionally closed it) you can use the search function on the very top. There you select the queue you want to search in the "Queue" list, leave everything else unchanged (if you want to specify additional criteria you can do so of course) and hit the "Search" button on the bottom.

Forwarding

Some channels (e.g. cacert-support) require that you manually forward the email to the channel (e.g. a mailing list) before closing it. To do that zoom into that ticket and click "Forward" (below "Article" on the right side), fill in the destination in the "To" line, maybe edit the text (e.g. to remove private information or tell the receiver that the one who initially sent the email is not subscribed to the mailing list so he has to send replies directly) and click the "Send mail!" button.

Bulk Action

You will notice that sometimes there are many tickets which need the same action performed on them. To save you some work there's a powerful feature called "Bulk Action". To use it mark the check boxes of all tickets you want to process simultaneously, then click "Bulk Action at the very top. In the next step give a short description of the reason for your action, select the state the tickets should get (e.g. "closed successful" if you want to close them) and the queue you want to move them into (if you don't want to move them, just leave the drop box at "-"), finally click "Submit". Be careful with this feature "With great power comes great responsibility."

Play with it

If you want to get a feeling for how OTRS works you can send an email to support@cacert.org with the subject and text indicating that this is a test message so the other Triagers and SEs leave it to you. Then experiment with the resulting tickets. If you have further questions just ask on one of the meta channels (i.e. the cacert-se mailing list or the IRC #se channel).

The classes of Incoming Mail

Miscellaneous

Forwards

Disputes

The Bat!

CSR mails

Returns from MAILER-DAEMON

If a ticket is send from MAILER-DAEMON you need to check wether it is just information that could not be transported or if it is a support related item.

To check this open the ticket and use the plain text view of the ticket.

Search for the second subject entry in red. There you will find the subject of the original mail.

Decide weather is just a information eg. your certificate is expiring, move it to Returns otherwise move it to SE

To Join Triage

Contact the T/L who will start you on the track.

  1. You need to be an Assurer. This is because some of the things that you do will be relied upon by others; it's a responsibility.
    1. CARS or CAcert Assurer Reliable Statement.

    2. To be part of Triage, you acknowledge / agree to Security Policy, as a dominating document. You don't need to know it, but you do need to respect it.

  2. Read and understand this page of notes.
  3. Make sure your IRC access is good.
  4. Get your certs into your MUA / mail client and browser.
    • a CAcert CommunityEmail address is useful because email is protected point to point.

    • or you must send all the work in Encrypted form (latter probably not working yet).

Appendixes

How to find out whether a message is spam

  1. The sender of the message is forged (see "Plain Format"); the sender in the envelope (1st line) differs from the From: field lower, and the sender is not *@cacert.org.
  2. The To: field, or the addressee of the message differs from *@cacert.org (frequently support@cacert.org); the addressee is completely missing or reads as "recipients", "undisclosed recipients", "undisclosed", or that field is missing.

  3. The message apparently don't request a support, rather it offers goods (drugs, medicines, Viagra,...), services (holiday accommodation, web cooperation, loan), requests help with (fake) money transaction and offers reward (Nigeria's "Barrister" spam), heartbreakingly pleads for succor, or announces that you've won a (fake) lottery.
  4. Thus, all messages with "lottery" in their subject, should be treat as spam.
  5. In doubt you can look how that message was treated in the past, if the message was received repeatedly (click CustomerID on the right side).
  6. Some spam messages repeat as exactly equal, other have the same Subject, but seems to be sended by different senders (usually spammers' victims), also the text of the message is the same.
  7. Popular phishing tricks:
    • the attachment, says message, is suppose to be an invoice, delivery note of FedEx, Wells Fargo, etc., but it is a virus;

    • links to suspected websites (no FQDN, but an IP-address only),
    • elicitation of private data as the name, date of birth, address of residence, credit card number, e-mail - under a threat, as deleting or disabling your mailbox by closely unspecified (and non-existent) administrator.
    • threats of spreading spam, child porn, videos showing violence; but if you respond, you will become a victim: they may do just that under your address.
  8. Offers of cooperation or reports of monetary donations must be considered very carefully. Recently (2020), spam has increased, which seems to offer help with redesigning the CAcert website, increasing its visibility in search engines, offering an increase in the number of clients, video clips, voice control and the like. Such spam message looks real, if you see it for the first time; it has no attachments or links - its purpose is not clear, until you find several such, exactly the same messages during few seconds to 24 hours. The goal of such spam is probably to get a working email address. I recommend sending SE isolated cases.
  9. [Aleš Kastner]

Dirk Astrath's comments

on using queues, 2016

Blocked Accounts

Normally it's not allowed for SE to block accounts. Unfortunately (at least) on of the previous supporters blocked accounts for different reasons. Some of them are documented in OTRS within an open support case. These are moved to the "Locked Account" queues. We may need to hand over these cases to Arbitration later.

Let me explain the queues how I use them currently:

Arbitration

This queue is for open arbitration cases, where Support has to answer arbitration or add a ruling to precendents cases. Every question from arbitration/case manager should be moved here, no matter of the type of arbitration case.

Certificate Problems

Currently this queue is for everybody, who complains about "Firefox/Chrome/... complains about my new certificate". This queue can be answered as soon as a statement is written (I would add the MD5-resigning and NRE-stuff to this text). Maybe we can move queue to Triage later ;-)

Delete accounts

For mails from users about account removal.

Locked account

Temporary queue until we can move these support-cases to arbitration

New points calculation

May be interesting again as soon as we have the new points calculation in place. (currently empty)

Pending for action

Waiting for answer/ruling from arbitration/member, policy change/...

Requested passphrase

"I can't login" ... If in doubt, simply move to "Support Engineers" queue ... currently there are not so many mails ... ;-)

TTP

is for "Trusted Third Party" ... but I don't know if there is somebody active there ... ;-(

Organisation Assurance

... this was handled by Marcus before, I try get in contact to Benedikt to pre-handle this ... ;-)

Disputes

will move tickets out of support to Arbitration.

From my POV [point of view] "Organisation Assurance" and "Disputes" should not be targets for Triage. Only Support Engineers should move tickets to these queues.

Rules say "Move to SE and support-mailinglist", but normally i would not move any mails to a mailinglist.

If I see a general question I would answer this from SE-queue (or the other queues) directly to the member ... and copy my part of the answer together with the question (anonymized) manually to the mailinglist (which is not easy in my environment ;-) ).

According to our rules Triage should not answer (... but Joost and I are working to change this ... ;-) ).


Support/Triage (last edited 2020-11-26 16:54:37 by AlesKastner)