Ask HN: Uptick in spam based on GitHub activity
30 points by jamil7 on March 24, 2022 | 12 comments
Has anyone else seen a recent uptick in unsolicited email based on GitHub starring activity? There was a post recently here about Browserless doing this, and I was recently added to some marketing list with no unsubscribe link from a local crypto startup which mentioned a repo I'd starred that wasn't even theirs. Is this some new growth hacking thing people have been told to do? What can we do to prevent this?



Supposedly, you can activate "Keep my email addresses private" in https://github.com/settings/emails which should replace your actual email with a GitHub provided relay-address. You can also set that relay-address as your git commit email. It's unclear if the GitHub API will also show that email though, where I think they are getting the emails from in the first place.

What we collectively can do is to send an email to support@github.com every time it happens, with the repositories/email addresses involved in this, and short-term GitHub will remove them from the platform (making it less profitable for them to do so as they'll get removed) and hopefully over time GitHub will improve protecting their users' privacy.


There’s not much more GitHub can do about this because of how git works: git commits form a merkle tree (aka blockchain): each commit is a hash of its contents (including the author’s email) as well as the entire history to that point. When you commit to a public repo, the email you commit with is publicly visible forever unless a repo owner rewrites history and force pushes.

GitHub has an option to create web commits with private non-routable emails and to block pushes you inadvertently attempt which include commits made with your public email that you choose to keep private.

Filtering existing emails from the API wouldn’t work since scrapers can just as easily clone the repo, which (by git’s design) cannot be altered without breaking everything.

(Disclosure: I am a GitHub employee)


I swear I set my email to private on GitHub years ago, and I just checked and it was not set to private, which definitely explains why I've been getting these emails too.

Thanks for bringing this up, if only to prompt me to double-check my own settings. :-)


When has it ever been a practice to publicly display a user's email address?

Shouldn't this be off by default?


The /$user/$repo/commit/$commit.patch endpoint leaks the committer's email like a git clone + git log would.

Cross-check with the GitHub user in the same commit's HTML view.


Cryptocurrency startup involved in shady marketing practices? I am very surprised.


/shocked pikachu face


I don’t think it’s a coincidence that stories like this are cropping up shortly after Microsoft started algorithmizing the GitHub feed. https://www.theregister.com/AMP/2022/03/23/github_for_you/

Seems to me that it’s being transitioned, LinkedIn-style, to a recruitment or marketing-centric tool.


I just have a git@mydomain.com alias that actually doesn't exist. That's my email for git. LOL


As others have said, it may be that your email is still public. Outside that, you should make sure you commit with the GitHub generated anonymous email, which is in the format of <username>@users.noreply.github.com. This will attribute commits correctly to your account, without exposing your email address in the commits.
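The two points made above (the GitHub employee's note that the author email is part of the hashed commit content, and the advice to commit with a `<username>@users.noreply.github.com` address) can be checked offline. The following is an added example, not code from the thread or from GitHub: it parses the raw content of a commit object (the `git cat-file -p` form), flags author/committer emails that are not GitHub noreply relay addresses, and shows that swapping the email changes the object id, which is why the fix is "rewrite history and force push" rather than an API filter. The sample commit, name and address are constructed.

```python
import hashlib
import re

# Constructed sample: raw content of a git commit object, as printed by
# `git cat-file -p <sha>`. The tree/parent ids, name and email are made up.
SAMPLE_COMMIT = b"""tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904
parent 0000000000000000000000000000000000000000
author Jane Doe <jane@example.com> 1648080000 +0000
committer Jane Doe <jane@example.com> 1648080000 +0000

Fix typo in README
"""

# GitHub relay addresses: <username>@users.noreply.github.com, and the newer
# <id>+<username>@users.noreply.github.com form GitHub also issues.
NOREPLY_RE = re.compile(r"^(?:\d+\+)?[A-Za-z0-9-]+@users\.noreply\.github\.com$")

# "author Name <email> <unix-ts> <tz>" / "committer ..." header lines.
IDENT_RE = re.compile(rb"^(author|committer) (.*) <([^>]*)> (\d+ [+-]\d{4})$", re.M)


def commit_oid(content: bytes) -> str:
    """Object id exactly as git computes it: sha1("commit <size>\\0" + content)."""
    header = b"commit %d\0" % len(content)
    return hashlib.sha1(header + content).hexdigest()


def exposed_emails(content: bytes) -> list:
    """Author/committer emails in the commit that are NOT noreply relay addresses."""
    found = []
    for _role, _name, email, _ts in IDENT_RE.findall(content):
        addr = email.decode()
        if not NOREPLY_RE.match(addr) and addr not in found:
            found.append(addr)
    return found


def rewrite_email(content: bytes, old: str, new: str) -> bytes:
    """Replace an identity email in the header lines; the resulting object id differs."""
    return content.replace(b"<" + old.encode() + b">", b"<" + new.encode() + b">")


if __name__ == "__main__":
    print("exposed:", exposed_emails(SAMPLE_COMMIT))
    fixed = rewrite_email(SAMPLE_COMMIT, "jane@example.com",
                          "janedoe@users.noreply.github.com")
    print("exposed after rewrite:", exposed_emails(fixed))
    # Different content, different id: history must be rewritten to remove the email.
    print(commit_oid(SAMPLE_COMMIT), "->", commit_oid(fixed))
```

Running the same check over `git log --format=%ae` output of your own repositories tells you which past commits still carry a routable address.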


If you go to https://github.com/settings/emails and turn on "Keep my email addresses private", there is an additional setting called "Block command line pushes that expose my email":

"When you push to GitHub, we’ll check the most recent commit. If the author email on that commit is a private email on your GitHub account, we will block the push and warn you about exposing your private email."


If your email address is publicly available, then yes, gross people will scrape it and spam you. That goes for everything.

Use the private email options, or at least use a unique email for commits so you can easily identify mail that came from someone scraping it and just filter for it.



