Spam mail to unique address for GitHub

I received a spam email at an address that is unique to GitHub (let’s call it X) and always set to private.

Just to be absolutely clear, I use X only on GitHub, nowhere else.

They ask about the license of my code, and I don’t have anything in my repos to license. All I have is one fork and one bash script.

(redacted by moderator)

I’ve never had anything to do with this domain. I don’t know anyone named Mark.

… and that means there was a leak on your side


Unless you’re absolutely sure the same email was sent in bulk to other email addresses, I’m not sure this qualifies as SPAM, rather unsolicited email — but not being an advertisement email, it’s also hard to argue it’s unsolicited, since it’s more the case of someone contacting you for whatever reason.

Please don’t publish third parties’ email addresses in public like this; if you need to report that email address to GitHub, do so via private email to customer support instead.

Or maybe your browser leaked it while navigating the Internet. There are many possible reasons why someone might have got hold of your email address, no matter how hard you strive to keep it private.

Also, spammers often simply try writing to every possible user name for known email domains, and check whether they get an error response from the server; if not, they might have caught an existing user. It’s a kind of “brute force” approach to account discovery, and apparently it pays off for spammers. They usually don’t target completely random usernames, but mix candidate words from dictionaries (e.g. names) with birth dates, etc., to increase the chances of their email finding real users.

So, if it’s a spammer it might have just guessed your super secret email via trial and error (using automated tools, obviously).

Last time I received SPAM to my super secret email address it was a leak from LinkedIn. Of course this was a different email address than the one for GitHub.
I keep separate addresses for separate services.

I’ll file a complaint against that GitHub user.

@CapSel I also received a strange email from this user. It asks me about my github “trading” projects and their licenses, except I don’t have any projects of that sort!

The email, though written with a personal tone, has an unsubscribe link, but I never signed up for anything!

It reminds me of the tactic that some people use where they fabricate a conversation that never happened to get you to reply.

Anyhow I am concerned that there is some email harvesting and bulk mailing going on here.

edit: replaced the word financial with “trading”, since that was the exact word used in the email body.


Unfortunately I’ve noticed that lately the GitHub.com platform, as well as this community, has increasingly become the target of malicious users trying to do fishy things. Especially the Community forum, because many newbies come here for help, meaning they are potentially a more vulnerable user base.

I still advise reporting such activities via private communications to GH staff, rather than exposing users’ details publicly. After all, I’ve also been receiving similar emails from accounts that belong to people I know, which were hacked and used for phishing campaigns without their knowledge. So before publicly denouncing a user or his/her email as a malicious hacker, it would be prudent to ascertain that the user is actually doing so, as opposed to him/her being unaware of his/her account being compromised.

I had the same email go to the address I use on Github. It’s a Gmail address, and Gmail caught it in the spam filter as “similar to messages that were identified as spam in the past”, supporting the idea that this is a bulk mailing that others have received. And it very specifically used my Github username:

Hi there,

I hope you are doing well.

We noticed that you have a great Github repository perey regarding the trading field.
We are making a project to help traders have a better trading environment. We hope to refer to the source codes in your Github repository perey.
Your license is MIT-based, right? Can we refer to your source codes?

Hopefully, we can hear back from you. Many thanks.

Best Regards,
Mark
[domain removed per tajmone]
Github: [username removed per tajmone]

Unsubscribe to no longer receive emails from us.

I didn’t think much of it, but you’ve made me realise that there isn’t any simple way for anyone to have associated that email address with my Github account. It’s not private like yours (there are probably places where I’ve used it in project metadata), but it’s also not out in the open on my profile!

So while I can’t confirm that it must be a leak, I can also rule out the theory of brute-force address guessing.


tajmone I filed a report to GitHub Support. We’ll see what happens.


Hello all,

Subscribing as another user who just got a message on my gmail address associated with my github account, from the same address and with the same contents.

Gmail also marked it as spam. This happened today.

I’ve just received that email to a unique address too.

Isn’t it super easy by design to collect email addresses from the git logs of big community projects?

Probably not if you’ve explicitly configured your account not to reveal your email. Unless you’ve configured Git to associate the email with your commits. From what the OP wrote, it seems like a well-guarded email address was somehow retrieved, so maybe there is something serious going on here in terms of security breaches.


@CapSel

It does look like you have used a non-private email for commits at some point. Obviously I can’t tell if this is the email you are concerned with, but your own repositories do contain public commit metadata.

You can check the email address associated with a commit by appending .patch to the end of the commit URL.

Unfortunately, people do scrape publicly available email addresses for marketing purposes. It’s always worth reporting them when this happens, and we do investigate and act on these reports (even though we usually can’t say anything about what actions we take since it’s about someone else’s account.)

You can always configure your local git environment with the private email in your email settings. That will link your commits to your GitHub account without revealing your actual email address.

But mail addresses are visible in git log by default. Some projects also require an explicit sign-off, which adds the mail address in the commit message too.

Just clone something and have a look at: git log | grep Author

If the spam continues, at least I’m able to rotate my mail addresses on my domain. But most people can’t.
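The two points made above (the staff reply about commit metadata and the follow-up about git log and sign-off trailers) can be checked on any clone. The script below is an added example, not code from the thread or from GitHub: it builds a small throwaway repository with constructed identities (Alice, alice@example.com and a made-up 12345+alice noreply address) and then lists every address the clone exposes through author fields, committer fields and Signed-off-by trailers, flagging anything that is not a GitHub noreply address. Only git and POSIX sh are assumed.

```shell
#!/bin/sh
# Added example (not from the thread or from GitHub): audit which e-mail
# addresses a clone of a repository exposes through commit metadata.
# The sample repository and identities below are constructed for the demo.
set -eu

# list_commit_emails REPO_DIR
# Prints every unique address found in author fields, committer fields and
# Signed-off-by trailers, one per line. `git log | grep Author` only shows
# the author line; the committer field and any sign-off trailer leak too.
list_commit_emails() {
    repo=$1
    {
        git -C "$repo" log --format='%ae%n%ce'
        git -C "$repo" log --format='%B' \
            | sed -n 's/^Signed-off-by:.*<\([^>]*\)>.*/\1/p'
    } | sed '/^$/d' | LC_ALL=C sort -u
}

# exposes_real_email REPO_DIR
# Succeeds (exit 0) if any address is not a GitHub noreply address.
exposes_real_email() {
    list_commit_emails "$1" | grep -qv '@users\.noreply\.github\.com$'
}

# make_sample_repo DIR
# Builds a throwaway repository with constructed (fake) identities.
make_sample_repo() {
    dir=$1
    git init -q "$dir"
    # Commit 1: a real-looking address ends up in author and committer fields.
    git -C "$dir" -c user.name='Alice' -c user.email='alice@example.com' \
        -c commit.gpgsign=false \
        commit -q --allow-empty -m 'Initial commit'
    # Commit 2: GitHub's noreply address is configured, but the Signed-off-by
    # trailer that some projects require still carries the real address.
    git -C "$dir" -c user.name='Alice' \
        -c user.email='12345+alice@users.noreply.github.com' \
        -c commit.gpgsign=false \
        commit -q --allow-empty -m 'Add script' \
        -m 'Signed-off-by: Alice <alice@example.com>'
}

main() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    make_sample_repo "$tmp/repo"
    echo "Addresses exposed by the clone:"
    list_commit_emails "$tmp/repo"
    if exposes_real_email "$tmp/repo"; then
        echo "WARNING: a non-noreply address is in the history"
    fi
}

main
```

Run it against a real clone by calling list_commit_emails with the clone's path instead of the sample repository. To stop new commits from exposing the address, set the noreply address in the local configuration (git config --global user.email "ID+username@users.noreply.github.com"); commits already pushed keep whatever address they were made with, which is what the .patch trick described above reveals.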

Since I don’t have problems revealing my email in GitHub projects, and because I add it to my LICENSE files, etc., I’m not well versed in the differences between the email associated with the GitHub account and that used for creating commits. My understanding is that the email that will show in your commits is determined by your Git settings, which in theory could be different from the one used by the actual account (e.g. it could be one of the fallback email addresses). But, as I said, I didn’t really experiment with this, so I have no idea whether GitHub will accept a commit signed with a different email account than in the login credentials (and if this is even possible), and if by doing that the commits would then still be accounted as your contributions (e.g. in statistics).

But I’m pretty sure that GitHub would recognize any of my associated GH account emails as a valid email, so it should be possible to use one (private) email to log into GH, and another (public) email to sign commits. I assume the reason for using two different accounts would be to keep private the account to which credit cards are associated.