Tell HN: YC companies scrape GitHub activity, send spam emails to users

Posted on by newsflashtom
Tell HN: YC companies scrape GitHub activity, send spam emails to users

Martin from GitHub here. This type of behaviour is explicitly against the GitHub terms of service, when we catch the accounts doing this we can (and do) take action against those accounts including banning the accounts. It’s a game of whack-a-mole for sure, and it’s not just start-ups that take part in this sketchy behaviour to be honest. I’ve been plenty of examples in my time across the board.

The fundamental nature of Git makes this pretty easy for folks to scrape data from open source repositories. It’s against our terms of service and those folks might want to talk with some lawyers about doing it – but as every Git commit contains your name and email address in the commit data it’s not technically difficult even if it is unethical.

From the early days we’ve added features to help users anonymise their email addresses for commits posted to GitHub. Basically, you configure your local Git client to use your ‘no-reply’ email address in commits and that still links back to your GitHub account when you push: https://docs.github.com/en/account-and-profile/reference/ema…

I think that’s still probably the best route. We want to keep open source data as open as possible, so I don’t think locking down API’s etc is the right route. We do throttle API requests and scraping traffic, but then again there have been plenty of posts here over the years from people annoyed at hitting those limits so it’s definitely a balancing act. Love to know what folks here think though.

I don’t have any specific suggestions, but I do want to give thanks for implementing functionality to block pushes if the email field is *not* using an anonymized mail address.

It’s one thing to offer anonymous e-mail addresses, but it’s also awesome that GitHub can help prevent mistakes that would otherwise leak a user’s e-mail address. I am not sure how many people try to be privacy conscious on GitHub, but I assume most users don’t, so it’s nice seeing this little feature exist.

I am also getting constant spam because apparently they can see who starred a repo (i.e. I see you starred repo x and we are doing something similar). I am not starring anything anymore.

Hey, Martin – https://github.com/lucidrains

Mind fixing lucidrains account? Something happened without notice or recourse. He’s one of, if not the most well known open source AI researchers on the planet, with implementations and explanations of papers and ideas that are wonderful. If you could bring some sanity to that situation and take it out of whatever kafkaesque account purgatory it fell into, you’d be doing the work of angels.

Thanks!

What was happening with this account? I was often seeing popular but empty (only title of the paper and maybe a short readme) repositories that were created directly after a paper was published?

I know it is against the ToS. I’ve reported multiple organisations doing this. Last time I reported one, support closed the ticket saying the activity is off platform so they can’t do anything.

Maybe I am missing something, but can’t you simply not show the email address in a git commit? (Sincere question, not saying this is trivial. i am dumb and like to ask dumb questions even if might be embarassing)

If someone wants to message someone, it goes through github notifications or github emails them

Also banning an account doesnt seem like a heavy punishment, given they can simply move to gitlab, bitbucket etc

That would be a fundamental change to how Git works, not just GitHub. Even if the web UI didn’t show it, a simple `git log` would reveal it.

You can mask your email address in git commits but a lot of open source projects won’t accept that. And some pseudo-open-source ones insist on sending you an email to authenticate before they’ll give you access to the GitHub repo (looking at you Unreal Engine!)

So, no, I don’t think they could simply “not show the email address”.

fyi, you can also see the author email by appending “.patch” to the end of a commit URL

Git commits have a email address as a required field[0], although some people put something bogus in there. And then it’s in the data provided when you clone the repo onto your machine even if you aren’t using the GitHub APIs.

To his point, you can set that to the no-reply email address GitHub gives you if you don’t want mail but do want the commit to be linked to your GitHub account.

[0]: https://git-scm.com/docs/git-commit#_commit_information

Are no-reply emails associated with the accounts if the username is changed? That’s one reason why I switched back to my personal email.

I’ve had more than a few instances of this over the past 2 years, and my reply is exactly the above.

“What you are doing is against Github’s TOS”

Nice, thank you Martin. How do you punish the fraudsters? Do you send them to prison over CFAA violation terms of service?

I kinda wish I had that much power. There would certainly be less people in the world listening to their phones without headphones..

Usually starts with contacting them over email reminding them of the terms of service and warning them to stop. Then their account might get deactivated and they need to write and promise to not be naughty again. If they ignore that then the account gets removed.

There are a bunch of automated checks that are running all the time as well and will take automated action that then gets later reviewed by humans. At lot of times the process is fast-tracked.

The off-platform ‘let’s scrape a bunch of data and then spam nice people’ is the hardest to police. Linking those mails to an offending GitHub account is hard and very manual, also anyone can send emails saying they are someone they are not and because of that anyone can deny they sent the mail and they’ll usually blame a rogue agency they where working with etc.

I probably shouldn’t say it, but the public shame that comes from being mentioned on social, in hacker news etc. That stops people who want to be treated as legitimate from doing that sort of thing and helps educate the wider community around what is and isn’t acceptable behaviour – that is why it’s good to see this thread and see the issue getting attention.

Love the transparency – someone should make you VP of ..uhm dev rel or something! I was being quite hyperbolic in my original comment, however, I _do_ think you are doing the right thing, and you are definitely not the bad guy.

Having said that, there are big corps who have been known to use the CFAA as a way to coerce the long arm of the law upon teenagers and geeks hacking away – not always a great thing either IMO.

> CFAA violation terms of service

This would be a gross miscarriage of justice and bringing successful action under this theory would do widespread harm by expanding the definition of the CFAA.

Just because a company can take some nuclear action, doesn’t mean they should.

Ban them. Honestly I get the same and it is beyond frustrating.

I will pay more for GitHub if you go hard on these mfs.

How would that even be legal? (Although I can’t find such a startup with any kind of search engine)

i am not sure of anywhere it is illegal.

but areas i am familiar with can consider a negative reference to be defamation, thus anyone providing a negative reference should only do so if they are able to defend it (i.e. prove their statement is substantially true, or prove that the statement was honestly believed to be true and published with no malice or reckless disregard).

seems risky, at least, to build a whole business around negative references that could potentially cross the line into defamation. but that type of thinking is probably why i am not rich.

There are many definitions of illegal (criminal, civil, regulatory, the much much looser “license to operate” as used in chemical industry, etc).

A blacklist seems dubious. I’d advise the founders to get counsel on their obligations under the FCRA, which they may be construed to be regulated by.

That said, I believe “Bad News” is an AI hallucination. The most similar company I can find historical news is “Peeple”[0], which was not funded by YC. YCombinator’s only known association with a blacklist that I can find was a blacklist of VC’s that were accused of harassing female founders[1].

0: https://archive.is/r9UQo

1: https://archive.is/17Ans

>There are many definitions of illegal (criminal, civil, regulatory, the much much looser “license to operate” as used in chemical industry, etc).

yes, but i am not sure why this matters here. i am not aware of negative references, in general, being illegal under any of those definitions of illegal.

no one would say regular speech is illegal just because it can be subject to a defamation lawsuit. same logic.

but i agree, if it is a real business, it seems exceptionally risky.

https://www.law.cornell.edu/uscode/text/15/1681d

It’s more than just “subject to a defamation lawsuit” (including class action lawsuits). Although for me, even if it were “just that”, I’d still call it “potentially illegal”. Rather, they’d potentially face FTC penalties and CFPB enforcement actions under 15 U.S.C. section 1681d(a), (b).

This law would likely classify such a company as falling under laws pertaining to “investigative consumer reports” under FCRA. This is any report on someone’s “character, general reputation, personal characteristics, and mode of living” used for the purposes of employment, loans, housing, etc.

> A consumer reporting agency shall not prepare or furnish an investigative consumer report on a consumer that contains information that is adverse to the interest of the consumer and that is obtained through a personal interview with a neighbor, friend, or associate of the consumer or with another person with whom the consumer is acquainted or who has knowledge of such item of information, unless—

> (A) the agency has followed reasonable procedures to obtain confirmation of the information, from an additional source that has independent and direct knowledge of the information; or

> (B) the person interviewed is the best possible source of the information.

They’d find themselves subject to legal penalties under:

FCRA Willful Noncompliance (15 U.S. Code § 1681n) (if they did not disclose their existence/use/content of reports to employment candidates)

FCRA Negligent Noncompliance (15 U.S. Code § 1681o) (if they made somewhat reasonable but insufficient efforts to comply with the FCRA)

or

Administrative Enforcement (15 U.S. Code § 1681s)

and be subject to fines up to $4,700 per violation plus actual damages, plus punitive damages, plus legal fees. State Attorneys General can also bring FCRA lawsuits on behalf of their constituents, not just the federal government. FTC / CFPB can name the founders individually in the lawsuits, not just their corporate entity, and ban[1][2] them from operating any similar businesses in the future.

That all said, to some extent, YCombinator partners are on the record[3] supporting the idea of their startups sometimes doing illegal things. Generally they’ll frame this as challenging outdated regulations, but they acknowledge that the founders whose strategies they fully support sometimes come into office hours and discuss how they’re worried that the strategy puts them at risk of going to jail.

0: https://www.law.cornell.edu/uscode/text/15/1681d

1: FTC v MyLife.com, Inc., and Jeffrey Tinsley (CEO): https://www.ftc.gov/news-events/news/press-releases/2021/12/…

2: https://www.ftc.gov/legal-library/browse/cases-proceedings/b…

3: https://www.youtube.com/watch?v=Hm-ZIiwiN1o&t=8m46s

ah, okay. so the hypothetical company may potentially be doing something illegal (the “investigative consumer report” part). good to know! that makes sense, and i was unaware of that.

i stand corrected in the hypothetical “bad reference aggregator company” scenario.

>YCombinator partners are on the record[3] supporting the idea of their startups sometimes doing illegal things.

interesting, thanks for surfacing that up! i wont pretend to be surprised, though.

i dont believe that it is illegal to provide a negative reference in the UK, as long as it is honest, factual, and provided in good faith.

from gov.uk:

>”If you think you’ve been given an unfair or misleading reference, you may be able to claim damages in court. Your previous employer must be able to back up the reference, such as by supplying examples of warning letters.

You must be able to show that:

– it’s misleading or inaccurate

-you ‘suffered a loss’ – for example, the withdrawal of a job offer”

which means, if the reference is not misleading and not inaccurate, a negative reference is ok. other uk-based law firms (from a quick google) agree with this interpretation.

Providing a negative reference is totally different than gathering negative references and selling them. The former could be legal while the latter could be illegal.

for sure!

in my comment, i was speaking more generally than i should have, and that (obviously, in hindsight) caused some confusion between the specific case of the hypothetical company, and the general case of an employer providing a negative reference. my bad — and it is too late to edit to provide clarification.

No problem, I wasn’t very clear either! I remember someone I know looking into this in the early 2000s as part of a wider collective thing. It’s long enough ago that I can’t remember the details but it was definitely less about a poor reference and more about the individuals’ being on a list somewhere without having even applied for a job. And come to think of it, it’s probably even more illegal now because of GDPR.

I can’t find any website for it. Are you sure it’s not just some posting category on Bookface, YC’s internal social network?

GPT:

There are some mentions online of a Y Combinator startup called Bad News, but nothing official or well-documented shows up in public YC lists or press — at least as of the latest searchable sources.

The only place it’s referenced is in a Hacker News thread where someone claimed there was a YC company whose product was a blacklist of employees so other startups wouldn’t hire them, and they said the name was Bad News. But people in that thread couldn’t find any evidence of it, and there aren’t real search results tying that name to an official YC company on YC’s site, their startup directory, or mainstream reports.

I think you missed the second part where I saw it in the YC startup list with a description of what it does and who the founders were. But since it disappeared I had to ask chatgpt what happened. You can ask chatgpt as well there is nothing wrong with that

Why are you obfuscating so much and telling people to use ChatGPT? How hard would it be to paste what they renamed to and/or the founders’ names?

I’ve spent a lot of my career marketing to developers, and spamming their GitHub account might be top 1 or 2 worst marketing tactics you can use.

Cold emailing rarely works by itself. Cold emailing developers via emails you pulled from their GitHub accounts? At that point, you’re actively harming your brand, and may as well just send them spam diet pill ads.

Got this spam today on my GitHub address, YC affiliated:

From: henry@joincactuscompute.com

Hey,

I hope all is well with you, just reaching out as you seem to be interested in on-device speech models.

Cactus is a low-latency AI engine for consumer devices like phones, Macs, wearables, Raspberry Pis, etc.

We support transcription models like Whisper & Parakeet, benchmarks available in the attached GitHub repo.

GitHub: https://github.com/cactus-compute/cactus

We are keen to get your feedback, and star if feeling generous.

Thanks a million

YC is basically advising their startups to engage in shitty business practices, like trying to hire UK staff for half the salary and expecting 7 day weeks.

I also had unsolicited spam from Vincent Jiang of Aden, another YC company.

    Hi Daniel,

    I just came across your profile on social media and wondered if you'd be interested in joining our Discord community for AI agent development. Currently, we see that agents break, loop, get lost, hallucinate, and cost a fortune, and therefore built a space where developers can share challenges and insights.

…and more from Backdrop.

    Hi Daniel, I found your GitHub profile while searching for anthropic projects, and got your email from your profile.

    I'm part of an online program for builders called Backdrop Build, and I think that program would be a great fit given what you are building. We have a track for builders in AI like you, it's fully online/remote and costs nothing to participate. It also works if you have a day job, it's light on time and perfect for side projects!

And then another after I marked the first one as spam and ignored it.

    Checking in one last time to see if you have any questions about the program or the application. If it's not for you, all good - just ignore the email because I won't be pinging you again :)

   Joey from Backdrop

Both companies have guaranteed that I won’t use their services nor procure them for any organisation I work for.

I had a similar one from that guy asking me to make open source PRs to some repo of theirs for, err, $25-50/hour. I replied explaining that senior software engineers in the UK aren’t quite as desperately poor as that, and got a canned response saying that they were looking forward to reviewing my PRs 😀

But that is someone pretending to be YC which is sort of less interesting than a YC company doing something bad. Because phishers imitate legit companies all the time. Easy to get roped in and I sympathise, anyone is suseptable (today I almost clicked the phishing training email as it looked urgent and pushed the right buttons)

That’s a little creepier than the time I got an email from someone trying to push a new crypto coin to me because I contributed to OSS.

I have received over the years so much spam of this kind by multiple YC-funded companies that I now reflexively send to spam any email that mentions being YC-funded, regardless of how legitimate the email is.

Their brand has been associated with hacking-around and gaining advantage via rule breaking for a while. Didn’t their founder application at one point ask “Tell us about a time where you hacked some system for your advantage?” At this point, I think everyone knows they’re signing up for dark patterns and questionable practices when they get involved.

I don’t blame you, the FOMO is real to the point even basic ChatGPT wrappers are getting funded these days, I guess.

I’m always interested to understand – what constitutes a basic ChatGPT wrapper?
Is Legora, which is doing very well, a basic ChatGPT wrapper? Because if you don’t view it as one, it certainly started as one.

This happens all the time, not really surprised as the GitHub API makes it pretty easy to extract valuable leads with real and confirmed email addresses.

I don’t like this way of putting it, it’s good the github API makes this easy as that makes it an useful. Should not try to imply this should be restricted just because of some bad actors. It’s just going to annoy legit users and the bad ones will scrape anyway.

I’m just stating a fact, not implying anything. It’s the good old saying with the sharp knife, it can be used for good and bad.

Yes, startups, recruiting platforms, and students/“researchers” with stupid surveys for their worthless “research” spam me all the time by scraping the email from GitHub. I immediately trash the first two categories; I send a sternly-worded reply to the third category.

Doesn’t YC have some code of conduct or legal/ethical guidelines? I would assume a legal and compliance department would have some major headache if documented cases of misconduct jeopardize later due diligence. I would not fund or aquire a company on the radar of national regulatory bodies for something as stupid as this.

Like every other VC firm, the only thing they care about is money. They can pretend to morals, but they will never sacrifice one for the other in any meaningful way.

Only free individual can have strong ethics. There are no free people in capitalism, money is debt after all. Think of applied pressure once you sign under VC money and amount of brainwashing / gaslighting. I sincerely hope my observation is wrong.

If you are going to go down that road: life is debt, and there is no true freedom. We are bound by the needs of our meat-containers, after all.

I don’t like unfettered capitalism, but when I consider economies that have existed over time, it certainly looks like constrained capitalism affords the most freedom.

I wish github could ammend the email of my commits to the private noreply address during push so they _never_ have any other email associated to them. May not be feasible due to the commit changing, confusing local branch and such?

They have this other thing where they reject pushes for the ‘known’ emails you’ve told them you have, but kinda seems there should be a setting to do that for any email that is not your noreply private one.
is that a feasible thing to ask for?

If you change the email address, you change the commit hash. And yes, suddenly your local branches are orphaned.

Of course, there’s nothing stopping you from using a git-only email address (nospam-6thbit@yourdomain) and routing that to /dev/null. GitHub can’t change email addresses, but you can.

Change your email to something like: myemail+gh@mail.com (the “+gh” tag). You can put any tag/word there, and if you get spam from a company you’ll be able to identify that it came from them scraping your GH. Then you can report it with certainty.

Didn’t AirBnB famously spam people in the Bay Area as a “guerilla tactic” to build the business in its early days? This kind of fast and loose behaviour seems standard.

Couldn’t github replace all public commits author info email by a username@author.github.com email automagically ?

You have to configure your own Git client manually. But you can configure GitHub to block pushes from any email other than the no reply email GH generates for you.

You can’t change anything about a commit without breaking the chain of SHA hashes in the commits, which causes pulls to break.

GitHub hides the emails on their web UI, but nothing stops people from pulling the repository with a Git client and looking at the emails in the commit log after doing so.

Which is why you should be careful to never use your actual email in git commits.

When I made a patch to the Linux kernel I did have to use a real email, since you have to send to their mailing list. I used a throwaway email for it, which I have since edited on my mail server config to forward to /dev/null (yes, I’m one of the weirdos still self hosting email in 2026). The amount of spam I got was insane, and not even developer relevant spam.

My solution to this is to use a Github-specific email address. All emails sent to that address which do not originate from GitHub are immediately reported as spam, marked read and deleted.

I sometimes use different git/GitHub addresses depending on who I’m working for or specific projects so I can more accurately detect where data is being scraped from.

N.B. Using service-specific emails is trivial – you don’t need separate email accounts. Just use email aliases, e.g. “john.smith+github@gmail.com” — which is an alias called “github” for “john.smith@gmail.com”

A simple regex filter will get rid of that. Now, if you use your own domain and have it configured as a catch-all, then you could do github@domain.tld.

I’m not saying I do this but if I were as smart as I think I am I would have given a Gmail example rather than the example you’ve given to avoid bots just looking up my website and starting to bypass my setup… 😉 😉 😉

Also, spammers generally don’t seem to be going to the effort to apply regex filters to the data they’ve scraped…

I self host email, and I have never gotten spam to any email “constructed” from the domain, other than random attempts to things like “accounting@domain.tld” etc.

But the email I used to interact with the Linux kernel mailing list I had to null route after a while, it got so much spam. I used a throwaway for just that purpose of course, so no big deal.

You’d have thought so, but no, in my experience this works very well. People doing this kind of spamming don’t seem to be particularly bright, nor do they seem to spend any time/effort to clean up their scraped database.

I’m also getting “saw you on GitHub” spam from voice.ai

And they are using a different domain for the emails so the spam markers don’t hit their primary domain.

Maybe a dumb question, but isn’t this trivially solved with this .gitconfig?

    [user]
         name = lordgrenville
         email = +lordgrenville@users.noreply.github.com

Perhaps, but it doesn’t change the fact that this is bad behavior for the company sending the email. Since YCombinator funded this company it makes sense that YC would want to know about how they are conducting business.

Fair point. Pretty sure there is a way to have a few .gitconfig files, with the active one based on the remote URL domain, but it is more work.

General advice would be to mark the email as spam or junk and hopefully their email platform penalizes them, but this has been working less and less. Email has truly become pay to play now.

I was also spammed (twice) by voice.ai.

You mention GDPR, which also “applies” to me, though I wonder if what they’re doing is actually illegal. I mean, after all, I’m putting my email on GitHub precisely to give people a way to contact me.

Of course, I do that naïvely, assuming good faith, not expecting _companies_ to use it to spam me. So definitely what they’re doing is, at the very least, in poor taste.

> I’m putting my email on GitHub precisely to give people a way to contact me.

They’re not only looking at the public email in your profile, they’re also looking at your committer email (git config user.email). You could argue that you’re not putting that out for people to contact you.

(I’ve used that trick a couple times to reach out to people, too, but never mass emailing.)

Is there any company that will take my money to solve GDPR issues? And by solve I mean sue the spammers? For last few years I saw they “try” to look legit, by claiming addresses are managed by some Hungarian/Spanish shell company, hoping no one will be able to afford pursuing infractions over borders.

There’s probably a law against it, but I’ve always thought a legal company could make decent money taking cases like this in bulk for free, on the condition that they get to keep all the compensation, while the “client” still gets the satisfaction of punishing the offending party.

On the U.S., only Attorneys General can go after violators of the CAN-SPAM Act.

It needs to be modified like how individuals can go after telemarketers.

> Is there any company that will take my money to solve GDPR issues? And by solve I mean sue the spammers?

A lawyer

I’m not especially bothered by this [yet -AI is likely to make this worse]. It’s a fairly insignificant component of my spam catcher. At least, it’s a bit focused.

Every day, I get deluged with hundreds of spam and scam emails, often because some knucklehead entered my email in a form (either accidentally, or as a throwaway red herring).

Sure but these YC spammers are identifiable and have much more to lose https://www.ycombinator.com/ethics/

> Some examples of ethical behavior we expect from founders are:

> – Not spamming members of the community

> To maintain our community, if we determine (in our sole discretion) that a founder has behaved unethically during or after YC, we will revoke their YC founder status. This includes access to all Y Combinator spaces, software, lists and events. All founders in a company may be held responsible for the unethical actions of a single co-founder or a company employee, depending on the circumstances.

> > – Not spamming members of the community

Ah… but there’s the rub.

Define “the community.”

Do random GH accounts count as “members of the YC community”?

Sorry, but unsolicited contact, much as I hates, HATESSSS it, is a classic component of any business, and has been, for many decades. I don’t think it would be appropriate for a business organization to prohibit its members from engaging in “cold calling,” of which, UCE is really an example.

Using the YC branding/name, however, is a different matter.

Over many years, I have got email from university for survey / research.

This is not GitHub only, I have got a survey on how my experience interacting with folks on lkml

This sounded familiar, so I checked my inbox and I did indeed receive a similar email from sanchitmonga@runanywheresdk.com earlier this month:

> I came across your GitHub profile and thought you might be interested in what my team and I are building. We’re developing an open source SDK that runs LLMs directly on-device.

What’s even more interesting is that both buildrunanywhere.org and runanywheresdk.com show a stock hostinger parking page when accessed in a browser. Something tells me they’re intentionally registering these “alternate” domains specifically for spam, to avoid tanking the email reputation of their main runanywhere.ai domain.

I guess I shouldn’t be surprised given YC is going all in on AI and most AI companies are no better than the crypto scammers of yesteryear, but still.

I’ve received several similar ones over the years. At this point, if I get an email from someone I don’t know and it contains a link, chances are it’s spam. I genuinely doubt github(or any other company for that matter) would do something about it. While I fully support GDPR, the truth is, few people are willing to take action knowing how much bureaucracy would be involved…

> how much bureaucracy would be involved…
it varies from country to country, but filling a complaint on that matter is usually quite straightforward

I usually check the “Received” header and report to the email service provider. Once in a while I receive a response saying the case is properly handled.

These providers are the only ones that care about their reputation and thus may take some action. Investors? Nope.

the problem is that the emails arent typically sent from the main domain.

in this example, the email came from buildrunanywhere.org, which is just a parked domain. the real domain is runanywhere.ai, which they arent using for spam.

so, once buildrunanywhere.org has their reputation burned from reports, they will simply register buildrunanywheres.org and start spamming again.

I did receive these kinds of emails as well.

And I use a different email fromy priority email for GitHub commits since 4 years ago.

So just stop with marketing slop please.

Yes, I work with AI, and I’m becoming pretty good at it.

But this doesn’t mean I’m comfortable pushing AI slop into potential users and customers.

I (and they) want to use AI to facilitate their processes, not to ingest slop content.

HN and YC walk a thin line between hacker culture and venture capitalist culture. I know it’s easy to think that because HN comes from YC them too are aligned with hacker culture, but no. YC is all cutthroat business.

There’s no reason to put your real email in git config unless you’re signing, in which case repos should be private. I would have thought that was obvious.

I have been having the same experience. If you starred a GitHub repo, and they think that their product is similar, they will send you their spam. I condemn this! They should be ashamed!

After 25 years on the internet dealing with spam, it would never even occur to me to invest the energy to write a letter to the offending companies investor. But more power to them I’d say!

I feel like spam is somewhat less offensive when it’s for FOSS, assuming it isn’t some faux FOSS freemium scam. It’s about the only spam I wouldn’t mind getting.

> These emails indicate that those companies scrape people’s Github activity, and if they notice users contributing to repos in their field of business, send marketing emails to those users without receiving their consent. My guess is that they use commit metadata for this purpose.

There are likely marketing email datasets floating around the internet that contain email addresses scraped from commit metadata.

I use a catchall with a specific Git client (not GitHub) email address, and found spam and phishing emails being sent there quite a few times.

May not necessarily be from commit messages, there’s at least one way simpler way: simply adding .gpg to the end of any user URL will return that user’s public GPG key.

Read More

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *