spamhaus / spamassassin-dqs

Spamhaus code for the Spamassassin plugin. See https://docs.spamhaustech.com/40-real-world-usage/SpamAssassin/000-intro.html
Apache License 2.0

Do not disclose dqs api key in default rule description #65

Open photoninger opened 9 months ago

photoninger commented 9 months ago

Remove $prs->{zone} from the default rule description. The zone contains the DQS API key.

ricalfieri commented 7 months ago

Are you using the report template in emails that the end user receives? The disclosure would only happen if you run "spamassassin -t" or, probably, if you use the report_template.

In that case it would probably be more useful to substitute the zone with, at least, the hash of the listed component, for debugging purposes.

photoninger commented 7 months ago

Only admins get reports from spamassassin. But others might also send reports to end users and if they don't configure a description for the checks, their DQS API key might leak. In my opinion it is better to prevent such mistakes. And in the case of HBL there is only one zone which is used, so there is no need to use the zone name in the description.
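The two descriptions the thread contrasts, as an added Python example rather than the plugin's own Perl code: a default that interpolates the full zone string beside a variant that keeps only the public zone name and a hash of the listed component, with a check that the key never reaches a user-visible string. The zone layout with the key as the leftmost label, the rule name and the sample values are assumptions.

```python
import hashlib

# Constructed sample values (not from the issue thread). The DQS zone layout with the
# per-customer key as the leftmost label is assumed, not taken from the thread.
SAMPLE_ZONE = "EXAMPLEKEY0123456789abcdef.zen.dq.spamhaus.net"
SAMPLE_LISTED = "198.51.100.7"  # RFC 5737 documentation address, constructed


def zone_key(zone: str) -> str:
    """Return the leftmost label, assumed to carry the DQS API key."""
    return zone.split(".", 1)[0]


def public_zone(zone: str) -> str:
    """Strip the key label so only the public list name remains."""
    labels = zone.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else zone


def component_hash(listed: str) -> str:
    """Short, non-reversible tag of the listed component, enough for debugging."""
    return hashlib.sha256(listed.encode("utf-8")).hexdigest()[:12]


def unsafe_description(rule: str, zone: str, listed: str) -> str:
    """Mirrors the reported default: the raw zone, key included, lands in the text."""
    return f"{rule}: {listed} listed in {zone}"


def safe_description(rule: str, zone: str, listed: str) -> str:
    """Hardened variant: public zone name plus a hash of the listed component."""
    return f"{rule}: component {component_hash(listed)} listed in {public_zone(zone)}"


def leaks_key(description: str, zone: str) -> bool:
    """Check a user-visible string for the key before it reaches a report template."""
    return zone_key(zone) in description


if __name__ == "__main__":
    for build in (unsafe_description, safe_description):
        text = build("EXAMPLE_RULE", SAMPLE_ZONE, SAMPLE_LISTED)
        print(f"{build.__name__}: {text} (leaks key: {leaks_key(text, SAMPLE_ZONE)})")
```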