Service Desk emails susceptible to spam. Change to unique address to combat and make feature more valuable.
The Service Desk email feature is great, but it will quickly become a spam target. An attacker only needs to make some general API requests to derive the Service Desk email address for every project on GitLab. They could then spam every project, hoping to hit anyone who has the feature turned on.
The new service desk feature is fantastic, but as stated in the disclaimer/notes when flipping it on, if this email address were to fall into the wrong hands (such as a mailing list), the entire feature would quickly become useless. Since the address is derived from the group and project name, it would be trivial to determine the Service Desk email for any project on GitLab.
It would be awesome for a service desk email to contain a unique key that can be regenerated. This way, if the address ever leaks, we could just delete the old one and generate a new one.
For example, the current structure is:
I would recommend this change to something like:
Then add a delete/regenerate button to the UI, which would create a new address with a new unique key at the end.
This would lead to less clean-looking email addresses. However, anyone who cares about this could create a mailbox/forwarding address on their own domain and have it forward to the GitLab service desk address. If the key were regenerated, they would only need to update that forwarding address.
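One way to implement the regenerable-key address this issue proposes, as an added example (Ruby; not GitLab's own code). The address layout, the `incoming.example.com` domain and the key length are assumptions.

```ruby
require 'securerandom'

# Added example: a service-desk address that embeds a random, regenerable key,
# so the address cannot be derived from the group and project name alone.
# Layout "<namespace>-<project>-<key>@<domain>" and the domain are assumed.
class ServiceDeskAddress
  DOMAIN = 'incoming.example.com'.freeze # assumed, not GitLab's real domain
  KEY_BYTES = 16                         # 128 bits of randomness (assumed size)

  attr_reader :namespace, :project, :key

  def initialize(namespace, project)
    @namespace = namespace.downcase
    @project = project.downcase
    regenerate!
  end

  # Rotate the key; the previous address stops being accepted immediately.
  def regenerate!
    @key = SecureRandom.hex(KEY_BYTES)
  end

  def local_part
    "#{namespace}-#{project}-#{key}"
  end

  def to_s
    "#{local_part}@#{DOMAIN}"
  end

  # True only if an inbound message was sent to the *current* address.
  def accept?(address)
    local, domain = address.to_s.downcase.split('@', 2)
    return false unless domain == DOMAIN
    prefix = "#{namespace}-#{project}-"
    return false unless local.start_with?(prefix)
    secure_equal?(local[prefix.length..-1], key)
  end

  private

  # Constant-time comparison so response timing does not leak key bytes.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Guessing the address now requires guessing the key, and regenerating it turns a leaked address into a rejected one without touching the project.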