87 comments

[ 2.8 ms ] story [ 158 ms ] thread
Oh my, that goes against so many EU regulations
I've received several instances of spam to the public email address I have listed in my unused GitHub account. I've reported it to GitHub plenty, but I've never received any response.
...It's public, what is GitHub supposed to do about it? Hide currently public views behind a signup-wall? And how much would that actually achieve in practice? Should they start requiring phone number validation and ID for signups?

I suggest using a fake, or at least a dedicated, e-mail address for commit messages. If you are talking about the e-mail in your GH profile, you can mark it as private in settings. Or use their built-in function to mask it (they will replace it with an address under their domain and forward incomings to you).

There are many valid complaints about GitHub but with regards to this I think they've done what they can already. If you don't want spam to your address, don't put it in public. It will be scraped.

OP put their e-mail in cleartext, unobfuscated, in their profile. The blame is on part of the spammers. Countermeasures should be done by OP (and their e-mail host), not by GH.

> It's public, what is GitHub supposed to do about it?

What thought processes went into asking this question? You are the person who commented on this same topic that "scraping and processing e-mail addresses associated with GH handles could be a regulatory violation without even sending anything[...] It's certainly against GH ToS".

To state what should be the obvious here: when GitHub goes through the effort of writing an acceptable use policy, and I have evidence that certain users/orgs are sending out spam despite that, then I expect GitHub to, you know, actually investigate and do something about it using the leverage that they have, e.g. by ultimately suspending the accounts of the spammers if they don't knock it off.

> I suggest using a fake, or at least a dedicated, e-mail address for commit messages.

I'm not talking about commit messages.

> If you are talking about the e-mail in your GH profile, you can mark it as private in settings.

That's the default. I have deliberately gone through the effort to make it public so that people who are making acceptable use of GitHub can use it for what it's there for—not for people who aren't to abuse it.

> There are many valid complaints about GitHub but with regards to this I think they've done what they can already.

Bullshit. To set up an intake form for people to report abuse and then never act on reports of abuse is not doing "what they can". (If nothing else, then take the damn form down so I can cut my losses at the time I've wasted dealing with the initial receipt of the spammy stuff and I don't additionally waste even more time reporting it on the belief that they're going to act on it and so that it to save other people time in the long run.)

Consider that a malicious party could send spam posing to be someone else, in order to have their account taken down. Really proving that is possible (assuming the sender has done proper setup of their DNS records or utilizing cryptographic signatures) but resources in verifying that is going beyond what I think we can expect.

Regardless, even if Github did take the sender account down and you removed it from your profile, your e-mail address is most likely on lists used to send spam not linkable to GH accounts and will continue being so for a long time moving forward. Whomever you're reporting is just a drip in that ocean.

Spam is frustrating and illegal but you're barking up the wrong tree.

> Consider that a malicious party could send spam posing to be someone else, in order to have their account taken down.

Yeah, that could happen—under two conditions: (a) if that's what actually happened here, and (b) if GitHub's process for handling abuse reports were so bad that they went from receipt of abuse report to immediate suspension. But neither of those are relevant to anything being discussed here—only to contrarians with but-what-if imaginations.

> your e-mail address is most likely on lists used to send spam not linkable to GH accounts and will continue being so for a long time moving forward. Whomever you're reporting is just a drip in that ocean.

I know how big the ocean is, thanks, and you make a lot of assumptions. Consequently, you have no idea what you're talking about (which makes your un-self-aware remark about "barking up the wrong tree" doubly annoying).

Every commit I author is signed with a single-purpose email address tied to the repo that I'm committing to. The email address I have listed on my GitHub profile is a different address further still. I have received close to zero spam to any of the addresses I've signed commits with. (I'm pretty sure it's actually zero.) Meanwhile, a substantial chunk of all spam I've received across all sources is from dum-dums scraping the address listed on my GitHub profile page and trying to promote their junk. It used to be close to a majority, which only changed due to a recent (COVID-era) uptick of spam coming from other sources—and because I took my profile down by deleting my account. But even most of the non-GitHub-originating spam is obvious spam that already automatically gets flagged and filtered accordingly.

> Spam is frustrating and illegal but you're barking up the wrong tree.

I'm going to repeat what I said before: my expectation is that GitHub takes their own acceptable use policy and reports of abuse seriously. Want to go into detail how that constitutes "barking up the wrong tree"?

I can only conclude by the contradiction between your general position in your your reply to me and your comments elsewhere about GitHub ToS violations that you're mostly here to argue, though, so don't be particularly surprised to find that this is my last response to you.

GitHub are free to forbid something on their platform without being on the hook for consistently enforcing it and processing every abuse request. They have made no promises to do so AFAIK. I see no contradiction there.

Generally, I do not think that platforms should be regulated (as has been proposed in some places) to be legally responsible for all actions of users on their platforms.

Separately from all that, if you expect fairness, individual attention, and consistency from Microsoft, I stand by my case that you are barking up the wrong tree.

> OP put their e-mail in cleartext, unobfuscated, in their profile. The blame is on part of the spammers. Countermeasures should be done by OP (and their e-mail host), not by GH.

According Github's site policies [0], they've explicitly outlawed this type of behavior meaning it's their responsibility to police and enforce this by punishing users on their platform who they find to be engaging in it:

"You may not use information from the Service (whether scraped, collected through our API, or obtained otherwise) for spamming purposes, including for the purposes of sending unsolicited emails to users"

[0] https://docs.github.com/en/site-policy/acceptable-use-polici...

If you publish your email on your profile, aren't all emails basically solicited? What other purpose might posting your email on your profile have other than for people to reach out without you explicitly asking for it?

If you want to be selective in what people email you about, you can always move your email to your personal readme with further restrictions.

"People reaching out" is fine. "Automated bulk email" is not.
(comment deleted)
The title of the post is addressed to everyone who reads it.
Collective action? On my open platform? It's more likely than you think.
Many HN users love to promote this kind of hustling/growth hacking behaviour as shown in the post, so I think deserve a periodic reminder of how it's recieved on the target side to dissuade people who do make those decisions from going too far.
> mild anti-social behavior

Interesting way of spelling "illegal misuse of personal information under GDPR".

That only applies if both the sender and receiver are in the EU.

It's probably also illegal to own a business at all in North Korea, but that law also doesn't apply to either person in this situation.

> That only applies if both the sender and receiver are in the EU.

I'm under the impression that GDPR Article 3 (2) does apply in the case at hand, which is marketing emails sent by a US company to an EU resident.

> mild anti-social behavior

Spamming on a large scale is more serious.

> can be handled directly more efficiently?

How? (I have no time and money to sue them)

I really like the spirit of "fighting back" here, by making this grievance public.
Would love github to add social features to opt-in to communication from maintainers. There is no good way today to email changelogs to your users.
They will if they subscribed to your repo's new releases (with GitHub's "watch" function)
The problem is that this subscribes them to everything.

I used to use watch but I could care less about every individual commit on anything other than projects I'm actively working on.

Watch is not a good substitute for a way to learn about important changes on an infrequent, regular basis (i.e. once a month emails).

Try clicking the watch button now. It changed a while ago, and you can narrow it down to certain events (releases, commits, issues, PRs, etc.)
Gotcha that's a good improvement. But this still only works by showing a visual change in your feed at the time of the release. What if I care about software but don't spend all day on Github's logged in homepage/activity feed?

Email is the only reliable way to send/receive important updates for any meaningful project.

You get an email if you subscribe to releases.
Huh, I see releases in the Github UI and I never get release emails. Maybe I have an email filter I forgot about.
You need to change your notification settings in GitHub. Maybe sending you a email of new notifications is not the default option.
Yes this is frustrating. I just changed my repo's first few lines to suggest subscribing to the mailing list rather than being an intro to the project. I've seen that a few times before and used to think it was weird. But now that I've got updates I want people to know about I'm more interested in just making sure people who are interested have access to info.
Email changelogs? WTF? Is there not RSS for releases, that people can subscribe to if they want those kinds of notices?

[EDIT] Answer appears to be "yes, there is" (append ".atom" to the releases URL for a repo) with the caveat that the handling of pre-releases is less than ideal.

As somebody who likes to assume good intentions, I would have hoped your second attempt at unsubscribing was to send a polite, nonadversarial email asking to be removed from the email list you never willingly joined. Assuming that fell on deaf ears, I can understand where you're coming from.
My nonadversarial action was to ignore the first email, that's all the consideration I am willing to give. The onus is not on me to politely ask to be removed from anything.
You gave more consideration than was deserved. I would have flagged the first one as spam.
Oversimplifying, but an unsubscribe link is a legal requirement under many different laws (CAN-SPAM, GDPR, CASL) for this sort of email. It's 2022, unsubscribe links are a solved problem, I'm not going to assume good intentions for somebody who is purposefully breaking the law in order to spam me.
> polite, nonadversarial email

Spammers are not entitled to private and nonadversarial communication.

Note that in numerous jurisdictions both sending spam and not including unsubscribe link is actively illegal.

> I would have hoped your second attempt at unsubscribing was to send a polite, nonadversarial email asking to be removed from the email list you never willingly joined. Assuming that fell on deaf ears, I can understand where you're coming from.

No, absolutely not. You put an unsubscribe button in the footer of the email or I'm marking it as spam. That's _entirely_ on you if you don't do that.

With or without an unsubscribe link, I'm marking it as spam and blacklisting you and your service.
If the unsubscribe link requires me to sign in, or pressures me into not doing "Why do you want to unsubscribe? I never signed up. Don't you want our new offers? yes/no", you're also getting the spam report
SPAM is defined by the recipient. Expecting a polite "please unsubscribe" email is inappropriate.
That and 2 emails hardly constitute as "spam". Sure, unwanted but the guy on github and other people in the comments here act like the dude kicked a dog. People need to chill and get some real problems in their life to concern themselves over.
This is absolutely spam. Sending not just one unsolicited message but a followup nagging you for not replying is absolutely spammy behavior.
A single unwanted email is spam.
That is too much - it would need to be automated or mass send ("unwanted email" includes also things like contact attempt by disliked person which is not spam)
I think reasonable legal threat is the correct way. The spammers don't deserve anything less.
I don't assume good intentions and neither should you. If some entity emails me in an automated way without my permission and without any way to unsubscribe it's going straight in spam and being reported to any abuse/spam mechanism that's appropriate.

I get the hustling nature of HN, but this behaviour crosses a line and breaks laws in various juristictions. I don't feel the need to politely explain this to people.

That's emotional labor and investment to do for something that was unwanted and not opted into in the first place. There's laws in place that make it mandatory to opt-in and to easily unsubscribe from unwanted emails simply because being nice about it didn't work.
(comment deleted)
Um, am I the only one who had no idea that my Github stars are public knowledge? I don't see anything about this in the documentation or on my stars page. Can anyone see this, or just the admin for the repo that I starred?
Stars are public - navigating to any GitHub profile and clicking the 'Stars' tab shows all the repositories starred by the user. Moreover, all users that have starred a repository can be viewed by appending /stargazers to the repo url or clicking the stars link in the sidebar.
More importantly, there is an API endpoint for /stargazers.

If you really wanted to get GitHub data in bulk for illicit purposes and you know how to work with big data you can get it from the GitHub Archive but that’s a topic for another day. (Although it may not have user emails)

Any ssh pubkeys you've entered into your github account are public too, just FYI.
It's not only public but new stars appear on the creator's GitHub news feed when they happen, with username included.
Like you, I definitely started starring repos before I knew these were public, years ago.

I’ve never quite understood why there isn’t a private way to bookmark repos.

(comment deleted)
Hey folks, Joel here, I'm the original maker behind browserless. You've seen us before on HN -- I'm very sorry for this situation.

We didn’t intend to SPAM you or send unsolicited emails, we just wanted to ask for feedback. Being an open-source/boostrapped service, feedback is really important for us, so that’s why we thought it might be a good idea to reach out to people directly. But now it's clear that that was a wrong decision. We stopped doing that and won’t do it again.

Sorry, it won’t happen again.

I guess now that you read through the comments, you learned this lesson. As someone who agree with the harsh ones, I appreciate your apology and being forthright about it.

For the future, you can utilize the tools given in GitHub - add a link and/or call-for-action in docs/README/release notes, pin an issue, Discussions.

Depending on your jurisdiction, status, and purpose, merely scraping and processing e-mail addresses associated with GH handles could be a regulatory violation without even sending anything. It's certainly against GH ToS. You'd do best in ensuring you wipe anything acquired without consent.

This kind of thing was seen differently in the 90s and early 00s. Times change.

(comment deleted)
Hey man, I believe most of us here know how hard it is to bootstrap something and lift it off the ground. From my side, I admire your product, and I admire the hell out of the fact that you've open sourced it. Which is why I would have totally been fine with just the first email, but the second one pushed it from "start-up founder struggling to get momentum" to "spammer that won't leave me alone". You were just too aggressive about it, but I do think the way you're handling it now is great.

There's one thing I'm honestly curious of, because I've seen this technique before, and it's not necessarily a question to you, but to anyone who might read this: do these pretend-personal emails actually work on anyone? Your product is targeted at users with a pretty high technical skillset, do you think they really believe you hand-wrote that email? Because I could smell the automation right away, even before I checked the message source and saw the HTML structure and the tracking image. It's fake, it feels fake, and to me it's actually worse than an openly-automated message, because it insults me by assuming I can't tell it's not sent by a human. I think perhaps tactics like these work better on less-technical people (though they still shouldn't be employed at all!)

Talked about this on another community, here’s a hilariously sad example of these fake “personal” emails

I was once gone from home for two days traveling with family. Two days. HBOMax sent me an email with this exact subject line (edit: I went and checked through my past emails before unsubscribing, they sent four emails with the subject line over the holidays):

“I can’t help but wonder why you aren’t watching” as an attempt to inform me about the latest series that was now on the platform.

Why? Because I have a life HBO that doesn’t involve you lol. I do other things with my time. I’m not addicted to television. Like come the hell on. I’m already a paying customer. Get out of here with this “why aren’t you wasting more of your time on our platform?” BS

I feel genuinely bad for whoever had to write that, and worse for whoever thought it was a good subject line for ad copy.

Those types of emails are usually a reminder to me to cancel whatever it is they're bitching about.
If I were the only person using it, yeah probably. As it is, with a household of other users, it’s staying for now but I still really enjoy thoroughly mocking HBO for it whenever the chance allows.

At least the emails are no more.

I used to order monthly coffee nespresso pods from a small-time online store. One time I put the items in the cart and then stepped away from the computer for a short bit only to return to an email with the subject line "Looks like you’ve forgotten something!" displaying the items in my shopping cart. I haven't ordered another thing since.
I can see how those ones may be effective, but they need to give me a coupon at the same time ...
There's a fine line between "you aren't using the product you paid for" and "we want to make noises about the choices you're making". Blurring that line doesn't help anybody, false pretenses makes it worse (because "oh they were just hustling, they aren't really surveilling your viewing habits").
Could have been resolved with a "unsubscribe from this email" link included on the first email.
Thanks for that -- we did have quite a few good conversations over emails. I did read each personally and respond to them. Didn't justify the means.
I don't understand how you can say "we didn't intend to... send unsolicited emails... " when this is literally what you did. It is very clear that you did actually intend to send unsolicited emails, because you sent unsolicited emails and have just given your reason for sending unsolicited emails. You are not being honest with yourself or others by saying this.
We didn't (intend to spam you) or (send unsolicited emails). Works? In dubio pro reo.
Meh. I don't think there's anything ambiguous about the fact that they consciously sent unsolicited emails for what they've admitted are essentially marketing purposes. That they didn't think there was anything wrong with this, and didn't consider that this would be viewed as spam, I'll concede. But that just makes them ignorant / naive / unethical (take your pick). I don't think this is a hanging offence, but I do think that their "apology" is at best an exercise in self-justification.
I think you're being overly apologetic here. This entire discussion is an excessive amount of mindshare for receiving a single email or two. I regularly get email I don't care for. I deal with it. I don't think you're a bad person for sending 2 emails. This is the internet making a mountain out of a molehill. In a week, the pitchforks will move onto something else.
Hey man don't worry too much. It's usually just the vocal one percent, some of us get annoyed, some of us have the world seemingly fall down around us when a "spam" notice arrives.
> we just wanted to ask for feedback

Create a pinned issue with title "We ask for feedback"

I really don't like this apology.

> We didn’t intend to SPAM you or send unsolicited emails, we just wanted to ask for feedback

You _did_ want to send unsolicited emails, that's exactly what you did. You saying you didn't want to send spam, and hiding what you did intend to do behind "we didn't intend to spam you" is burying the lede.

> Being an open-source/boostrapped service,

Being bootstrapped is not an excuse for sending unsolicited marketing emails. Hiding behind being "open source" when you're actually a commercial offering with an open source repo is _again_ trying to hide what you did.

> But now it's clear that that was a wrong decision

It's only clear after someone called you out on HN and flagged your repository as abusing the terms of service?

The README page has an embedded demo.gif which is 24.8 MB (just in case...)
I think the bigger problem is we preach user feedback as the holy grail of product growth, but it's hard to do so when you fully respect privacy (i.e. no sign ups).

For example, when I built https://github.com/pdepip/mmap.it I made the conscious decision to not require any log in information but quickly found I was unable to find who was using my product and then ask them for feedback - so user led development stalled.

You can ask for anonymous feedback directly in the app instead of emailing users.
Ctrl+F forum, mailing list, email, @ etc. all 0 results

GitHub discussions not enabled on the repo

> https://mmap.it/

404 Page not found

The way to get feedback without being obnoxious is to provide ways for users to give you feedback on their own terms. Bonus points if you build a community where you can ask questions as needed.

Create a pinned issue with title "We ask for feedback"

Mention it in the Readme.

I feel that part of the problem is that we now have a "notoriety economy." Social media tools have "gamified" the process of interacting with each other, so we're constantly looking for "high scores," and actually become dependent on them.

For myself, I have very few stars on my repos (the one that got a bunch has been passed on to a different team, and I'm happy to have it off my table).

I'm totally fine with that. I write software for myself. Publishing it as shipped, supported, documented, and tested product is more an exercise in Quality, than it is an effort to get stars. The fewer people that depend on my stuff, the better.

I think they came down to harshly. Somebody stepped over the line a little too far and they stomped on his dick.

This is not the way.