Ask HN: Uptick in spam based on GitHub activity

30 points by jamil7 ↗ HN
Has anyone else seen a recent uptick in unsolicited email based on GitHub starring activity? There was a post recently here about Browserless doing this and I recently was added to some marketing list with no unsubscribe link from a local crypto startup which mentioned a repo I'd starred that wasn't even there's. Is this some new growth hacking thing people have been told to do? What can we do to prevent this?

12 comments

[ 0.24 ms ] story [ 36.5 ms ] thread
Supposedly, you can activate "Keep my email addresses private" in https://github.com/settings/emails which should replace your actual email with a GitHub provided relay-address. You can also set that relay-address as your git commit email. It's unclear if the GitHub API will also show that email though, where I think they are getting the emails from in the first place.

What we collectively can do is to send an email to support@github.com every time it happens, with the repositories/email addresses involved in this, and short-term GitHub will remove them from the platform (making it less profitable for them to do so as they'll get removed) and hopefully over time GitHub will improve protecting their users privacy.

I swear I set my email to private on Github years ago, and I just checked and it was not set to private, which definitely explains why I've been getting these emails too.

Thanks for bringing this up, if only to prompt me to double-check my own settings. :-)

When has it ever been a practice to publicly display a users email address?

Shouldn't this be off by default.

The /$user/$repo/commit/$commit.patch endpoint leaks the committers eMail like a git clone+git log would.

Cross check with the github user of the same commits HTML view.

There’s not much more github can do about this because of how git works: git commits form a merkle tree (aka blockchain): each commit is a hash of its contents (including the author’s email) as well as the entire history to that point. When you commit to a public repo, the email you commit with is publicly visible forever unless a repo owner rewrites history and force pushes.

GitHub has an option to create web commits with private non-routable emails and to block pushes you inadvertently attempt which include commits made with your public email that you choose to keep private.

Filtering existing emails from the API wouldn’t work since scrapers can just as easily clone the repo, which (by git’s design) cannot be altered without breaking everything.

(Disclosure: I am a GitHub employee)

Cryptocurrency startup involved in shady marketing practices? I am very surprised.
If your email address is publicly available, then yes, gross people will scrape it and spam you. That goes for everything.

Use the private email options or at least have a unique email for commits that you can easily identify that it came from someone scraping and just filter for it.

As others have said, it may be that your email is still public. Outside that, you should make sure you commit with the GitHub generated anonymous email, which is in the format of <username>@users.noreply.github.com. This will attribute commits correctly to your account, without exposing your email address in the commits.
If you go to https://github.com/settings/emails and turn on "Keep my email addresses private", there is an additional setting called "Block command line pushes that expose my email":

"When you push to GitHub, we’ll check the most recent commit. If the author email on that commit is a private email on your GitHub account, we will block the push and warn you about exposing your private email."

I just have a git@mydomain.com alias that actually doesn't exist. That's my email for git. LOL
I don’t think it’s coincidence that stories like this are cropping up shortly after Microsoft started algorithmitizing the GitHub feed. https://www.theregister.com/AMP/2022/03/23/github_for_you/

Seems to me that it’s being transitioned, LinkedIn-style, to a recruitment or marketing-centric tool.