I got this on two org repo’s yesterday. About an hour after the email, I checked and it was gone. I wanted to report it, even though GitHub scam reports are so very unsatisfying (weeks go by, then random email about how they took some action).
One very simple measure I hope they implement is just not sending emails for unverified spam like this. I’d argue a majority of issues or comments do not need instant emails. Even one hour delay could help in combating abuse like this if they had any sort of reasonable moderation rules.
I reported spam comment and they acted in less than an hour. I reported the exact spam comment by another user in the same day and they took 3 months to act. It is a very random process.