On 2025-02-13 at 06:28:15 UTC-0500 (Thu, 13 Feb 2025 11:28:15 +0000)
Marc <m...@f1-outsourcing.eu>
is rumored to have said:
> I was wondering if it could be interesting for spamassassin to get
> also into the business
No, never, not at all.
SA is NOT a business. We are not "in the business" of anything.
> of scanning for personal/sensitive data. Maybe as a separate project?
SA is not fit for such use. The job is entirely different than detecting
spam.
Personally, I find that problem space uninteresting, but that's just me.
> I have the impression there is growing demand for "personal
> identifiable information" services. I have the impression that such
> scanning is really close to the stuff spamassassin is already doing.
Not really. SA operates on email. It is designed only for email.
If you don't want to send *email* with PII, just don't. If frequently
seen data patterns in *email* are not your problem, SA cannot be your
solution.
If you want to handle data transfer that is not using discrete
RFC822/2822/5322 email messages traveling via a predictable and hookable
path, you need some other tool. I don't even see how one would use SA as
a basis for a tool to find PII in anything, but the problem is deeper
than just not having suitable rules.
> No idea if there are already such open source projects.
Every commercial product I've seen for doing this is worse than
nothing, because they all claim to catch surreptitious transmission of
PII and all fail as much as they work. I don't believe it is a feasible
class of tools, but rather a way to extract money from people who don't
really understand the problem.
As such, I doubt that there are or ever will be worthwhile open source
tools for this sort of scanning. No tool can cure human carelessness.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire