Tell HN: YC companies scrape GitHub activity, send spam emails to users

688 points by miki123211 ↗ HN
Hi HN,

I recently noticed that an YC company (Run ANywhere, W26) sent me the following email:

From: Aditya <aditya@buildrunanywhere.org>

Subject: Mikołaj, think you'd like this

[snip]

Hi Mikołaj,

I found your GitHub and thought you might like what we're building.

[snip]

I have also received a deluge of similar emails from another AI company, Voice.AI (doesn't seem to be YC affiliated). These emails indicate that those companies scrape people's Github activity, and if they notice users contributing to repos in their field of business, send marketing emails to those users without receiving their consent. My guess is that they use commit metadata for this purpose. This includes recipients under the GDPR (AKA me).

I've sent complaints to both organizations, no response so far.

I have just contacted both Github and YC Ethics on this issue, I'll update here if I get a response.

90 comments

[ 3.3 ms ] story [ 90.7 ms ] thread
[flagged]
I was also spammed (twice) by voice.ai.

You mention GDPR, which also "applies" to me, though I wonder if what they're doing is actually illegal. I mean, after all, I'm putting my email on GitHub precisely to give people a way to contact me.

Of course, I do that naïvely, assuming good faith, not expecting _companies_ to use it to spam me. So definitely what they're doing is, at the very least, in poor taste.

> These emails indicate that those companies scrape people's Github activity, and if they notice users contributing to repos in their field of business, send marketing emails to those users without receiving their consent. My guess is that they use commit metadata for this purpose.

There are likely marketing email datasets floating around the internet that contain email addresses scraped from commit metadata.

I use a catchall with a specific Git client (not GitHub) email address, and found spam and phishing emails being sent there quite a few times.

I’m not especially bothered by this [yet -AI is likely to make this worse]. It’s a fairly insignificant component of my spam catcher. At least, it’s a bit focused.

Every day, I get deluged with hundreds of spam and scam emails, often because some knucklehead entered my email in a form (either accidentally, or as a throwaway red herring).

I have received over the years so much spam of this kind by multiple YC-funded companies that I now reflexively send to spam any email that mentions being YC-funded, regardless of how legitimate the email is.
I have been having the same experience. If you starred a GitHub repo, and they think that their product is similar, they will send you their spam. I condemn this! They should be ashamed!
I usually check the "Received" header and report to the email service provider. Once in a while I receive a response saying the case is properly handled.

These providers are the only ones that care about their reputation and thus may take some action. Investors? Nope.

This happens all the time, not really surprised as the GitHub API makes it pretty easy to extract valuable leads with real and confirmed email addresses.
Email address privacy is a feature offered by Github and replaces your day to day email: https://docs.github.com/en/account-and-profile/how-tos/email...
Unfortunately if you don't start out using that, then your email address is already spread across the web. And back when I was looking at gitlab/bitbucket/etc for feature comparison, each forge used their own domain and couldn't be persuaded to combine commits from multiple addresses into your own profile (to be clear, that's not really necessary, but it does make it more difficult to find a commit created by someone when their commit address isn't the address associated with their account)
This sounded familiar, so I checked my inbox and I did indeed receive a similar email from sanchitmonga@runanywheresdk.com earlier this month:

> I came across your GitHub profile and thought you might be interested in what my team and I are building. We're developing an open source SDK that runs LLMs directly on-device.

What's even more interesting is that both buildrunanywhere.org and runanywheresdk.com show a stock hostinger parking page when accessed in a browser. Something tells me they're intentionally registering these "alternate" domains specifically for spam, to avoid tanking the email reputation of their main runanywhere.ai domain.

I guess I shouldn't be surprised given YC is going all in on AI and most AI companies are no better than the crypto scammers of yesteryear, but still.

I've received the exact same email from the same company.
Doesn't YC have some code of conduct or legal/ethical guidelines? I would assume a legal and compliance department would have some major headache if documented cases of misconduct jeopardize later due diligence. I would not fund or aquire a company on the radar of national regulatory bodies for something as stupid as this.
Looking for ethics in an industry where a pluraility of founders are tied to Peter Thiel is a headscratchingly dense idea.
If it were taking up time and not producing results then they would care.
Martin from GitHub here. This type of behaviour is explicitly against the GitHub terms of service, when we catch the accounts doing this we can (and do) take action against those accounts including banning the accounts. It's a game of whack-a-mole for sure, and it's not just start-ups that take part in this sketchy behaviour to be honest. I've been plenty of examples in my time across the board.

The fundamental nature of Git makes this pretty easy for folks to scrape data from open source repositories. It's against our terms of service and those folks might want to talk with some lawyers about doing it - but as every Git commit contains your name and email address in the commit data it's not technically difficult even if it is unethical.

From the early days we've added features to help users anonymise their email addresses for commits posted to GitHub. Basically, you configure your local Git client to use your 'no-reply' email address in commits and that still links back to your GitHub account when you push: https://docs.github.com/en/account-and-profile/reference/ema...

I think that's still probably the best route. We want to keep open source data as open as possible, so I don't think locking down API's etc is the right route. We do throttle API requests and scraping traffic, but then again there have been plenty of posts here over the years from people annoyed at hitting those limits so it's definitely a balancing act. Love to know what folks here think though.

I have reported several spam emails to Github and from what I can tell none has been acted upon.
FYI I get about 5 of these a week. It is pervasive. If someone wants to scrape my email that's one thing, but the number of recruiters who are like "I saw your repo <some ancient repo of mine> and I think you'd be a great fit for our new position in AI agents..." so they are both scraping my e-mail and all the metadata to personalize their pitch to me (poorly).
I've received several of these types of messages including Voice.ai one mentioned in comments, and the following today:

Tonho<tonho@tonho.wtf>

Hey, I found your GitHub profile and thought you might find this useful.

I've been building Omniget, a desktop downloader that works with YouTube, Telegram, Udemy, Hotmart and 1000+ other sites. It's open source and built with Rust and Tauri.

The part I'm most proud of: you don't even need to open the app. Just press a hotkey and it grabs whatever video you're watching.

I've been working on this for a while now, even got an artist to design a mascot. I'm shaping the app based on feedback from people who actually use it, so if you have any thoughts I'd love to hear them.

Here's the repo: https://github.com/tonhowtf/omniget

Thanks for your time!

Tonho

General advice would be to mark the email as spam or junk and hopefully their email platform penalizes them, but this has been working less and less. Email has truly become pay to play now.
We all use different domains for sending cold outreach. This isn't an amateur hour, come on.
There's no reason to put your real email in git config unless you're signing, in which case repos should be private. I would have thought that was obvious.
YC is a proud investor in Flock, what YC Ethics thing are you talking about?
And that Optifye.ai demo with the sweatshop surveillance software
I've spent a lot of my career marketing to developers, and spamming their GitHub account might be top 1 or 2 worst marketing tactics you can use.

Cold emailing rarely works by itself. Cold emailing developers via emails you pulled from their GitHub accounts? At that point, you're actively harming your brand, and may as well just send them spam diet pill ads.

Wait why? That seems like the high effort and high specificity thing that I'd love to get.

You searched for people who do what you need to have done, found me, looked at what I've worked on and determined I'd be a good fit and you reached out? That's the number one way to get me to want to work for you.

My solution to this is to use a Github-specific email address. All emails sent to that address which do not originate from GitHub are immediately reported as spam, marked read and deleted.

I sometimes use different git/GitHub addresses depending on who I'm working for or specific projects so I can more accurately detect where data is being scraped from.

I did receive these kinds of emails as well.

And I use a different email fromy priority email for GitHub commits since 4 years ago.

So just stop with marketing slop please.

Yes, I work with AI, and I'm becoming pretty good at it.

But this doesn't mean I'm comfortable pushing AI slop into potential users and customers.

I (and they) want to use AI to facilitate their processes, not to ingest slop content.

I've received several similar ones over the years. At this point, if I get an email from someone I don't know and it contains a link, chances are it's spam. I genuinely doubt github(or any other company for that matter) would do something about it. While I fully support GDPR, the truth is, few people are willing to take action knowing how much bureaucracy would be involved...
Over many years, I have got email from university for survey / research.

This is not GitHub only, I have got a survey on how my experience interacting with folks on lkml

Maybe a dumb question, but isn't this trivially solved with this .gitconfig?

    [user]
         name = lordgrenville
         email = <some_kind_of_id>+lordgrenville@users.noreply.github.com
I also received this shitty email 3 days ago