Spam mail to unique address for GitHub

I received a spam email at an address unique to GitHub (let's call it X), which has always been set to private.

Just to be absolutely clear: I use X only on GitHub, nowhere else.

They ask about the license of my code, and I don't have anything in my repos to license. All I have is one fork and one bash script.

(redacted by moderator)

I’ve never had anything to do with this domain. I don’t know anyone named Mark.

… and that means there was a leak on your side.


Unless you’re absolutely sure the same email was sent in bulk to other email addresses, I’m not sure this qualifies as SPAM; rather, it's unsolicited email — but not being an advertisement email, it’s also hard to argue it’s unsolicited, since it’s more the case of someone contacting you for whatever reason.

Please don’t publish third parties' email addresses in public like this; if you need to report that email address to GitHub, do so via private email to customer support instead.

Or maybe your browser leaked it while navigating the Internet. There are many possible explanations for how someone might have got hold of your email address, no matter how hard you strive to keep it private.

Also, spammers often simply try writing to every possible user name for known email domains, and check whether they get an error response from the server; if not, they might have caught an existing user. It’s a kind of “brute force” approach to account discovery, and apparently it pays off for spammers. They usually don’t target completely random usernames, but mix candidate words from dictionaries (e.g. names) with birth dates, etc., to increase the chances of their email finding real users.

So, if it’s a spammer it might have just guessed your super secret email via trial and error (using automated tools, obviously).
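The guessing technique described in the reply above, as an added example that is not code from this thread: candidate addresses are built from a small wordlist and birth years, then each one is offered to the mail server with RCPT TO and the reply code (250 vs 550) is read, without ever issuing DATA. The MTA here is an in-memory stand-in that answers like a typical server, and the mailbox list, names and years are constructed for the demo. The catch-all mode shows the usual defence: when every recipient is accepted, a 250 reply proves nothing, so the prober first sends an obviously bogus canary address to detect that.

```python
"""RCPT TO mailbox enumeration, the guessing technique described in the post
above.  Added example, not code from the thread: the MTA is an in-memory
stand-in that answers like a typical server (250 for a known mailbox, 550
for an unknown one), and the mailbox list, names and years are constructed.
"""
import random
import re
import string


class FakeMta:
    """Minimal in-memory SMTP responder (constructed stand-in for a real MX).

    With catch_all=True every recipient is accepted, which is what a server
    configured against this kind of probing does."""

    def __init__(self, mailboxes, catch_all=False):
        self.mailboxes = {m.lower() for m in mailboxes}
        self.catch_all = catch_all
        self.transcript = []  # both sides of the exchange, for inspection

    def send(self, line):
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            reply = "250 mx.example.org"
        elif verb == "MAIL":
            reply = "250 2.1.0 Ok"
        elif verb == "RCPT":
            addr = re.search(r"<([^>]+)>", line).group(1).lower()
            if self.catch_all or addr in self.mailboxes:
                reply = "250 2.1.5 Ok"
            else:
                reply = f"550 5.1.1 <{addr}>: Recipient address rejected: User unknown"
        elif verb == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "502 5.5.2 Error: command not recognized"
        self.transcript += [f"C: {line}", f"S: {reply}"]
        return reply


def candidates(names, years, domain):
    """Dictionary-style guesses: name, name+year and name.year, the mix of
    wordlist entries and birth years the post describes."""
    for name in names:
        yield f"{name}@{domain}"
        for year in years:
            yield f"{name}{year}@{domain}"
            yield f"{name}.{year}@{domain}"


def enumerate_mailboxes(mta, addresses, sender="probe@example.net"):
    """Return the addresses the MTA accepts at RCPT TO without sending any
    message (DATA is never issued).  Returns None when the server accepts an
    obviously bogus canary address, i.e. it is a catch-all and a 250 reply
    tells the prober nothing."""
    addresses = list(addresses)
    domain = addresses[0].rsplit("@", 1)[1]
    mta.send("EHLO probe.example.net")
    mta.send(f"MAIL FROM:<{sender}>")
    canary = "zz" + "".join(random.choices(string.ascii_lowercase, k=20))
    if mta.send(f"RCPT TO:<{canary}@{domain}>").startswith("250"):
        mta.send("QUIT")
        return None
    found = [a for a in addresses if mta.send(f"RCPT TO:<{a}>").startswith("250")]
    mta.send("QUIT")
    return found


# Constructed data for the demo: three real mailboxes, a tiny wordlist.
KNOWN_MAILBOXES = ["mark1985@example.org", "anna.1990@example.org", "it-admin@example.org"]
NAMES = ["mark", "anna", "john"]
YEARS = [1985, 1990]

if __name__ == "__main__":
    mta = FakeMta(KNOWN_MAILBOXES)
    print("found:", enumerate_mailboxes(mta, candidates(NAMES, YEARS, "example.org")))
    print("\n".join(mta.transcript[:8]))
    print("catch-all:", enumerate_mailboxes(FakeMta(KNOWN_MAILBOXES, catch_all=True),
                                            candidates(NAMES, YEARS, "example.org")))
```

Against a real domain the same dialogue would go over a socket to the domain's MX; the wordlist limit shows in the output, since it-admin@example.org is never guessed. Rate limiting, greylisting and catch-all acceptance are the server-side measures that blunt this, and the canary probe is how enumeration tools tell a catch-all server apart from a real hit.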

Last time I received SPAM to my super secret email address, it was a leak from LinkedIn. Of course this was a different email address than the one for GitHub.
I keep separate addresses for separate services.

I’ll file a complaint against that GitHub user.

@CapSel I also received a strange email from this user. It asks me about my GitHub “trading” projects and their licenses, except I don't have any projects of that sort!

The email, though written with a personal tone, has an unsubscribe link, but I never signed up for anything!

It reminds me of the tactic that some people use where they fabricate a conversation that never happened to get you to reply.

Anyhow I am concerned that there is some email harvesting and bulk mailing going on here.

Edit: replaced the word “financial” with “trading”, since that was the exact word used in the email body.


Unfortunately I’ve noticed that lately the GitHub.com platform, as well as this community, has increasingly become the target of malicious users trying to do fishy things. Especially the Community forum, because many newbies come here for help, meaning they are potentially a more vulnerable user base.

I still advise reporting such activities via private communications to GH staff, rather than exposing users' details publicly. After all, I’ve also been receiving similar emails from accounts that belong to people I know, which were hacked and used for phishing campaigns without their knowledge. So before publicly denouncing a user or his/her email as a malicious hacker, it would be prudent to ascertain that the user is actually doing so, as opposed to him/her being unaware of his/her account being compromised.

I had the same email go to the address I use on GitHub. It’s a Gmail address, and Gmail caught it in the spam filter as “similar to messages that were identified as spam in the past”, supporting the idea that this is a bulk mailing that others have received. And it very specifically used my GitHub username:

Hi there,

I hope you are doing well.

We noticed that you have a great Github repository perey regarding the trading field.
We are making a project to help traders have a better trading environment. We hope to refer to the source codes in your Github repository perey.
Your license is MIT-based, right? Can we refer to your source codes?

Hopefully, we can hear back from you. Many thanks.

Best Regards,
Mark
[domain removed per tajmone]
Github: [username removed per tajmone]

Unsubscribe to no longer receive emails from us.

I didn’t think much of it, but you’ve made me realise that there isn’t any simple way for anyone to have associated that email address with my GitHub account. It’s not private like yours (there are probably places where I’ve used it in project metadata), but it’s also not out in the open on my profile!

So while I can’t confirm that it must be a leak, I can also rule out the theory of brute-force address guessing.


@tajmone I filed a report with GitHub Support. We’ll see what happens.


Hello all,

Subscribing as another user who just got a message at the Gmail address associated with my GitHub account, from the same address and with the same contents.

Gmail also marked it as spam. This happened today.

I’ve just received that email at a unique address too.

Isn’t it super easy, by design, to collect email addresses from the git logs of big community projects?

Probably not if you’ve explicitly configured your account not to reveal your email. Unless you’ve configured Git to associate the email with your commits. From what the OP wrote, it seems like a well-guarded email address was somehow retrieved, so maybe there is something serious going on here in terms of security breaches.


@CapSel

It does look like you have used a non-private email for commits at some point. Obviously I can’t tell if this is the email you are concerned with, but your own repositories do contain public commit metadata.

You can check the email address associated with a commit by appending .patch to the end of the commit url.

Unfortunately, people do scrape publicly available email addresses for marketing purposes. It’s always worth reporting them when this happens, and we do investigate and act on these reports (even though we usually can’t say anything about what actions we take since it’s about someone else’s account.)

You can always configure your local git environment with the private email in your email settings. That will link your commits to your GitHub account without revealing your actual email address.

But mail addresses are visible in git log by default. Some projects also require an explicit sign-off, which adds the mail address to the commit message too.

Just clone something and have a look at: git log | grep Author

If the spam continues, at least I’m able to rotate my mail addresses on my domain. But most people can’t.
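The two checks suggested above (the `.patch` view of a commit, and `git log | grep Author`) cover the author line only. As an added example that is not code from this thread or from GitHub, the script below audits a whole log for every place an address lands: author, committer and the Signed-off-by trailer that a sign-off policy adds to the message body, and reports any address that is not one GitHub supplies itself (the per-user `users.noreply.github.com` address or the `noreply@github.com` committer of web-UI merges). It assumes the log was produced with the `--format` string in the docstring; the `%x1f`/`%x1e` separators are a choice made here, not a git default, and the three sample commits and the `.patch` header are constructed.

```python
"""Audit a git log for addresses that are not GitHub noreply addresses.

Added example, not code from the thread or from GitHub.  It assumes the log
was produced with the format string below (the %x1f/%x1e separators are a
choice made here, not a git default) and checks the three places an address
lands: author, committer and Signed-off-by trailers.

    git log --format='%H%x1f%an <%ae>%x1f%cn <%ce>%x1f%B%x1e' > log.txt
    python audit.py log.txt
"""
import re
import sys

RECORD_SEP = "\x1e"  # between commits  (%x1e in the format string)
FIELD_SEP = "\x1f"   # between fields   (%x1f in the format string)

# Addresses GitHub supplies itself, which reveal nothing about the user: the
# per-user noreply address (optionally "<id>+" prefixed) and the committer
# address GitHub uses for merges made in the web UI.
SAFE = re.compile(
    r"^(?:(?:\d+\+)?[^@\s]+@users\.noreply\.github\.com|noreply@github\.com)$", re.I)
ANGLE = re.compile(r"<([^>]+)>")
SIGNOFF = re.compile(r"^Signed-off-by:.*<([^>]+)>\s*$", re.M)


def parse_log(text):
    """Yield (sha, author_email, committer_email, body) for each commit."""
    for chunk in text.split(RECORD_SEP):
        chunk = chunk.strip()
        if not chunk:
            continue
        sha, author, committer, body = chunk.split(FIELD_SEP, 3)
        yield sha, ANGLE.search(author).group(1), ANGLE.search(committer).group(1), body


def exposed_addresses(text):
    """Return [(short_sha, where, email)] for every address in the log that
    is not a GitHub noreply address."""
    hits = []
    for sha, author, committer, body in parse_log(text):
        for where, email in (("author", author), ("committer", committer)):
            if not SAFE.match(email):
                hits.append((sha[:7], where, email))
        for email in SIGNOFF.findall(body):
            if not SAFE.match(email):
                hits.append((sha[:7], "signoff", email))
    return hits


def author_from_patch(patch_text):
    """Address in the From: header of a commit's .patch view (the check
    suggested in the thread: append .patch to the commit URL)."""
    m = re.search(r"^From:.*<([^>]+)>", patch_text, re.M)
    return m.group(1) if m else None


# Constructed sample log (three commits) in the format above.  Only the
# first commit's author and the third commit's sign-off expose an address.
SAMPLE_LOG = (
    "aaaaaaa1111111\x1fJane Dev <jane@example.com>\x1fGitHub <noreply@github.com>\x1f"
    "Merge pull request #1 from janedev/fix\n\x1e\n"
    "bbbbbbb2222222\x1fJane Dev <12345+janedev@users.noreply.github.com>\x1f"
    "Jane Dev <12345+janedev@users.noreply.github.com>\x1fFix typo\n\x1e\n"
    "ccccccc3333333\x1fJane Dev <12345+janedev@users.noreply.github.com>\x1f"
    "Jane Dev <12345+janedev@users.noreply.github.com>\x1f"
    "Add feature\n\nSigned-off-by: Jane Dev <jane.dev@corp.example>\n\x1e\n"
)
# Constructed header of a .patch view for the first commit.
SAMPLE_PATCH = (
    "From aaaaaaa1111111 Mon Sep 17 00:00:00 2001\n"
    "From: Jane Dev <jane@example.com>\n"
    "Date: Mon, 1 Jan 2024 00:00:00 +0000\n"
    "Subject: [PATCH] Merge pull request #1 from janedev/fix\n"
)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for sha, where, email in exposed_addresses(text):
        print(f"{sha} {where:9} {email}")
```

The third sample commit is the case the thread points at: the author was set to the noreply address, yet the sign-off trailer still carries the real one, and `git log | grep Author` would not show it. Setting `git config user.email` to the noreply address, as the staff reply suggests, fixes author and committer for future commits only; addresses already in history stay there, and in every fork and mirror of it.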

Since I don’t have problems revealing my email in GitHub projects, and because I add it to my LICENSE files, etc., I’m not well versed in the differences between the email associated with the GitHub account and that used for creating commits. My understanding is that the email that will show in your commits is determined by your Git settings, which in theory could be different from the one used by the actual account (e.g. it could be one of the fallback email addresses). But, as I said, I didn’t really experiment with this, so I have no idea whether GitHub will accept a commit signed with a different email account than the one in the login credentials (and if this is even possible), and if by doing that the commits would then still be counted as your contributions (e.g. in statistics).

But I’m pretty sure that GitHub would recognize any of my associated GH account emails as a valid email, so it should be possible to use one (private) email to log into GH, and another (public) email to sign commits. I assume the reason for using two different accounts would be to keep private the account to which credit cards are associated.

Suspicious Email Contacts

Recently I’ve also been receiving some rather suspicious emails from a GitHub user who claims to have been impressed by my C++ and JavaScript work (I do neither, since I don’t like these languages) and a vague invitation to join their (?) work, followed by a YouTube link showing screenshots of some sort of database backend “in action”.

The user email comes from a suspicious domain (that I’d rather not visit), the project mentioned in the email doesn’t seem to provide any meaningful information, and much less info can be deduced from the YouTube video, which belongs to a vaguely qualified user with no other contents except this video.

I’m not sure what the scheme behind all this is, but my guess is that whoever sent this email is hoping for a reply, for I received a second email further soliciting me to view the video and consider the proposal.

The whole thing seems a fairly elaborate setup (the seemingly legit video) with vague references to prompt curiosity, and of course to tease anyone who might be interested in applying for work.

But there’s also an evident lack of detail that makes me believe this is a bulk-operation, e.g. the email mentions my GitHub account (even linking it) but doesn’t really bother mentioning my full name (which is visible in the account), so it’s fair to assume that this is the result of a data-mining based scheme.

My email is publicly visible on my account, so it’s no big deal getting hold of it, but the least I’d expect from anyone legitimately contacting me would be to address me by my full name, rather than my user slug.

I intentionally avoided mentioning the user name, his email address, and providing the YouTube link and his email domain, as well as not citing the email text literally.

And I wouldn’t have even brought up the issue if it wasn’t for the second email that followed up, prompting me again to establish contact — unlike common SPAM campaigns, which often target email addresses that they are not even sure are active, this seems to be a campaign targeting confirmed GH users, whatever their goal is.

I wanted to know if other users are receiving similar emails, whether GH staff is already aware of this scheme, and what the advised action is (e.g. where and how to report this).

It’s sad to see that in the past year we’ve seen an increasing number of schemes targeting GH users. This is something new that we were not exposed to in the past — for the past years GH has mostly been a community frequented only by genuine developers, where you could freely leave any project Wiki editable by anyone, without having to worry about spammers polluting its contents. Now things are changing, and we’re starting to see dodgy characters being attracted to GH, which inevitably will lead us to swap common-trust-based rules for authorization levels, which is sad.

Hey @tajmone

Please do open a ticket and give whatever detail you can.

We can’t do much about people scraping information that’s publicly available - and if we pretend we can, we’re encouraging people to be less guarded than they should be about what information they make publicly accessible on the Internet. We do our best to make sure that people can use GitHub with the absolute bare minimum of personal information given to provide a secure and stable service.

That said, this kind of behaviour does go against our Terms of Service. If the activity is linkable to a GitHub user, we can always take action there.

I know it’s unsatisfying, but we won’t be able to tell you about the results of an investigation on a third party (even if they were spamming you!), but we do investigate all reports, and obviously, we prefer to discourage people from harassing GitHub users as much as we can!


Thanks @canuckjacq, I will open a ticket.

I’m not really worried about spamming (I can live with it); also, this probably doesn’t fall so much into the SPAM category as it’s probably some sort of phishing scheme. And I fully understand the reasons why I won’t be getting feedback; for me all that matters is that this kind of practice won’t prevail and pollute the collaborative spirit of our community by introducing unnecessary suspicion.

I’m receiving a regular stream of phishing attacks to a mailbox I only use for GitHub. This has reached such a level as of 10/10/2021 that I decided some action needed to be taken. Forwarding messages to abuse@github.com seems to only send an automated reply directing me to “Community” resources.

As, in legal terms, I am an elder, I’m considering whether the parent company may be subject to claims of negligent elder abuse under WA state law. I used to work for Microsoft, and phishing prevention used to be a big focus.


Thanks for the abuse address, I wasn’t aware of it. I tried opening a ticket, as suggested by @canuckjacq, but the GH support system has become more complex than it used to be, and all I could manage so far was to leave a short message linking to this post and asking for a direct email contact.

I didn’t realize that the new support system had changed so much; it seems very hard to be able to contact someone from the support team, since the support pages tend to redirect you toward pre-arranged answers for common problems — the only way I was able to leave a message was by clicking “No” on the “Was it helpful?” feedback question.

I’m now starting to realize why so many people are turning to the GH Community forum for support questions, because it’s so hard to contact support. While I do understand that GitHub’s userbase has grown exponentially in the last decade, and there might be practical issues in handling the incoming flow of support requests, it seems that the new system (which discourages direct contact) ultimately results in more people resorting to this forum to obtain support for problems which are out of topic here — something that ends up “polluting” the forum (so to speak) and wasting GH staff time too (I can no longer count how many times I’ve seen replies by GH staff members pointing out that the forum is not the place to ask for unflagging blocked accounts, and other similar administrative requests).

I can’t avoid getting the impression that the new, stricter policy for direct user support on the support pages has led to an imbalance which has only diverted the problem to the GH Community forum (and obviously, there’s no way to prevent users from asking these kinds of questions on a public forum).

I find it hard to understand why phishing campaigns targeting the GH user base should be so hard to report. It would come naturally to think that such reports should be seen as a courtesy from the users, since the prevention of similar attacks is in everyone's interest, but if contacting support becomes so hard, or requires too many steps, many (if not most) users will simply start to let them go by unreported.

Thanks for your response. Are you answering as a GitHub/Microsoft employee?

@canuckjacq, I’m guessing you are a GitHub/Microsoft employee. I do need a private channel for communications about this topic. I’m a retired MSFT with experience in phishing prevention under Exchange. I’m really surprised this happened… If there is PII in the commit logs, this seems like a systemic risk.