Martin from GitHub here. This type of behaviour is explicitly against the GitHub terms of service, when we catch the accounts doing this we can (and do) take action against those accounts including banning the accounts. It's a game of whack-a-mole for sure, and it's not just start-ups that take part in this sketchy behaviour to be honest. I've been plenty of examples in my time across the board.
The fundamental nature of Git makes this pretty easy for folks to scrape data from open source repositories. It's against our terms of service and those folks might want to talk with some lawyers about doing it - but as every Git commit contains your name and email address in the commit data it's not technically difficult even if it is unethical.
From the early days we've added features to help users anonymise their email addresses for commits posted to GitHub. Basically, you configure your local Git client to use your 'no-reply' email address in commits and that still links back to your GitHub account when you push: https://docs.github.com/en/account-and-profile/reference/ema...
I think that's still probably the best route. We want to keep open source data as open as possible, so I don't think locking down API's etc is the right route. We do throttle API requests and scraping traffic, but then again there have been plenty of posts here over the years from people annoyed at hitting those limits so it's definitely a balancing act. Love to know what folks here think though.
> when we catch the accounts doing this we can (and do) take action against those accounts including banning the accounts.
This isn't my experience. I requested that you looked into a spammer in July 2025, you ignored my reply and the account is still active.
----
Thank you so much for the report. We're sorry to hear you're receiving unwanted emails, but it's always a possibility when your public contact information is listed on the web. You can keep your email address private if you wish by following the steps here:
Setting your commit email address
We do expect our users to comply with our Terms of Service, which prohibits transmitting using information from the GitHub (whether scraped, collected through our API, or obtained otherwise) for spamming purposes. I'm happy to look into it further to see if we can contact the reported user and let them know that this type of activity is not allowed.
Please let us know if you have any other questions or concerns.
----
My reply which was ignored:
----
I understand it will happen from time to time. I'd rather be contactable (I've received legitimate emails today because my email is on my profile).
Please take further action. My email is public with the expectation that the ToS will be enforced. If GitHub isn't discouraging spammers then it makes it much harder to justify being contactable.
It's impossible for them to stop if you list your email on there. They could make it harder of course. But if you put your email out there for a human to find, then a script or bot or also find it.
And yes of course they can also stop a specific spammer. But that spammer may pick up another account and email.
The grandparent post wasn't asking for them to do the impossible and stop all spamming, only to take action against the particular user that spammed them.
I’ve made over five reports for this exact spam scenario, and never once have y’all acted on them. I have a hard time believing you ban spam accounts that clearly violate your ToS.
I'm confused. How do you know what account scraped your email address from github in order to send you an email?
Or do you mean going after the accounts of companies that make use of a likely scraped email address? That's not a bad idea either, but it has risks and isn't the same thing.
Half the time they literally say it in the email. I just looked in my spam folder and just a few hours ago got an email titled "Your profile: Github", that started with:
> I came across your profile on GitHub. Given you're based in the US, I thought it might be relevant to reach out.
>
> Profile: https://github.com/tedivm
That they use some of their trillion dollar marketshare to solve it, why are you acting like this is a hard problem? It's not. They're just too cheap and greedy to do anything about it.
I don't have any specific suggestions, but I do want to give thanks for implementing functionality to block pushes if the email field is *not* using an anonymized mail address.
It's one thing to offer anonymous e-mail addresses, but it's also awesome that GitHub can help prevent mistakes that would otherwise leak a user's e-mail address. I am not sure how many people try to be privacy conscious on GitHub, but I assume most users don't, so it's nice seeing this little feature exist.
It gets more complicated when commit signing, the widely broken web of trust (for the signing key) and similar are involved.
And not all devs want or need anonymity on github.
In general just because information is publicly accessible in some form doesn't make it okay or legal to abuse it (accessible doesn't mean any form of usage rights are transferred to you weather it's in context of GDPR or in context of copy right).
I am also getting constant spam because apparently they can see who starred a repo (i.e. I see you starred repo x and we are doing something similar). I am not starring anything anymore.
I think it's pretty clear you need to use an anonymization scheme in the way commits are handled so that it links back to your github account and the email addresses are kept private.
Privacy centric companies like Apple do this for users offering hashed emails, on a per login basis.
I'm sure this would not work in a world of scraping, but having that kind of ability to figure out bad actors would be nice. You could require authenticated users for certain kinds of requests, and block user information from non-authenticated requests.
I know it is against the ToS. I've reported multiple organisations doing this. Last time I reported one, support closed the ticket saying the activity is off platform so they can't do anything.
What section of the ToS prohibits this? In other words, what is the thing that is being done that is against the ToS? Looking up the creator of a repo, or the contributors of the repo?
I did a quick scan of the ToS and all I could find was D8 that states that autmated access (scraping) used for "AI" applies a reciprocal license that prevents the scraper from restricting GitHub's access to the data (the whole model? the weights?) resulting from the scraping.
This makes it sound like any model trained on GitHhub content cannot be commercialized, because charging for access to the output would be a "technical or other limit"... So you're obviously not really enforcing this, otherwise MS would be suing every big commercial model out there!
It seems like a safe assumption that the big commercial models will have negotiated their own private GitHub terms of service, especially considering their many-digit annual contracts with Azure.
Maybe I am missing something, but can’t you simply not show the email address in a git commit? (Sincere question, not saying this is trivial. i am dumb and like to ask dumb questions even if might be embarassing)
If someone wants to message someone, it goes through github notifications or github emails them
Also banning an account doesnt seem like a heavy punishment, given they can simply move to gitlab, bitbucket etc
That would be a fundamental change to how Git works, not just GitHub. Even if the web UI didn't show it, a simple `git log` would reveal it.
You can mask your email address in git commits but a lot of open source projects won't accept that. And some pseudo-open-source ones insist on sending you an email to authenticate before they'll give you access to the GitHub repo (looking at you Unreal Engine!)
So, no, I don't think they could simply "not show the email address".
Git commits have a email address as a required field[0], although some people put something bogus in there. And then it's in the data provided when you clone the repo onto your machine even if you aren't using the GitHub APIs.
To his point, you can set that to the no-reply email address GitHub gives you if you don't want mail but do want the commit to be linked to your GitHub account.
Git commits are identified by a hash of their entire contents[1]. The way hashes work, if you change even one bit, the hash becomes completely different. Every commit contains the email address of the committer and the hash of the parent commit. If the email address in even one commit is changed or removed, that changes its hash, which in turn requires you to update its children, changing their hashes etc. So, updating a commit from n years ago requires you to update all commits that have been made since. By default, git will refuse to pull from such an updated repository, as commits are considered immutable once pushed.
[1] In practice, it's a bit more complicated. Merkle trees are involved, so it's hashes of hashes of hashes instead of hashing a multi-gigabyte blob on each commit, but that's a performance optimization that doesn't affect semantics much.
Amazon did this to me. Their recruiters started hounding me at an email address that I only ever used to sign git commits on some repos used on GitHub. When I asked them how they got my email address they said "it was in [our] database"
I kinda wish I had that much power. There would certainly be less people in the world listening to their phones without headphones..
Usually starts with contacting them over email reminding them of the terms of service and warning them to stop. Then their account might get deactivated and they need to write and promise to not be naughty again. If they ignore that then the account gets removed.
There are a bunch of automated checks that are running all the time as well and will take automated action that then gets later reviewed by humans. At lot of times the process is fast-tracked.
The off-platform 'let's scrape a bunch of data and then spam nice people' is the hardest to police. Linking those mails to an offending GitHub account is hard and very manual, also anyone can send emails saying they are someone they are not and because of that anyone can deny they sent the mail and they'll usually blame a rogue agency they where working with etc.
I probably shouldn't say it, but the public shame that comes from being mentioned on social, in hacker news etc. That stops people who want to be treated as legitimate from doing that sort of thing and helps educate the wider community around what is and isn't acceptable behaviour - that is why it's good to see this thread and see the issue getting attention.
Love the transparency - someone should make you VP of ..uhm dev rel or something! I was being quite hyperbolic in my original comment, however, I _do_ think you are doing the right thing, and you are definitely not the bad guy.
Having said that, there are big corps who have been known to use the CFAA as a way to coerce the long arm of the law upon teenagers and geeks hacking away - not always a great thing either IMO.
This would be a gross miscarriage of justice and bringing successful action under this theory would do widespread harm by expanding the definition of the CFAA.
Just because a company can take some nuclear action, doesn't mean they should.
Mind fixing lucidrains account? Something happened without notice or recourse. He's one of, if not the most well known open source AI researchers on the planet, with implementations and explanations of papers and ideas that are wonderful. If you could bring some sanity to that situation and take it out of whatever kafkaesque account purgatory it fell into, you'd be doing the work of angels.
What was happening with this account? I was often seeing popular but empty (only title of the paper and maybe a short readme) repositories that were created directly after a paper was published?
Just part of the process - he'd queue up the projects as interesting things came in, then plow through. Usually he'd have a rough framework within a day or two, and then a working proof of concept within a week, and then return to the most promising, useful, or interesting projects.
I really appreciated his coding-style, but the bar is quite low on research/ML-algorithms to be fair. I still wonder how he managed to get „trending“ repositories regularly despite the repositories being empty.
I've spent a lot of my career marketing to developers, and spamming their GitHub account might be top 1 or 2 worst marketing tactics you can use.
Cold emailing rarely works by itself. Cold emailing developers via emails you pulled from their GitHub accounts? At that point, you're actively harming your brand, and may as well just send them spam diet pill ads.
If someone took the time to look through my GitHub contributions then pitched me with a job relevant to that work I would absolutely consider them. That's exactly the kind of recruiter I would like to work with.
If it's obviously just a bot scraping emails and sending generic job requests, that's very different.
Wait why? That seems like the high effort and high specificity thing that I'd love to get.
You searched for people who do what you need to have done, found me, looked at what I've worked on and determined I'd be a good fit and you reached out? That's the number one way to get me to want to work for you.
> You searched for people who do what you need to have done, found me, looked at what I've worked on and determined I'd be a good fit and you reached out? That's the number one way to get me to want to work for you.
No, their email templating tool finds an old throwaway repo you did 6 years ago, templates its name into a form email, and invites you to join a cattle call to be whiteboarded along with the rest of the shmucks
Ever wonder why YC has the "Describe a time you most successfully hacked some system to your advantage" question? It's because they select for founders that are willing to take advantage of legal gray areas. Airbnb repeatedly violated Craigslist terms of service and called it "growth hacking." Reddit stole content from Digg and faked users. OpenAI trains their models on copyrighted content.
I also had unsolicited spam from Vincent Jiang of Aden, another YC company.
Hi Daniel,
I just came across your profile on social media and wondered if you'd be interested in joining our Discord community for AI agent development. Currently, we see that agents break, loop, get lost, hallucinate, and cost a fortune, and therefore built a space where developers can share challenges and insights.
Hi Daniel, I found your GitHub profile while searching for anthropic projects, and got your email from your profile.
I'm part of an online program for builders called Backdrop Build, and I think that program would be a great fit given what you are building. We have a track for builders in AI like you, it's fully online/remote and costs nothing to participate. It also works if you have a day job, it's light on time and perfect for side projects!
And then another after I marked the first one as spam and ignored it.
Checking in one last time to see if you have any questions about the program or the application. If it's not for you, all good - just ignore the email because I won't be pinging you again :)
Joey from Backdrop
Both companies have guaranteed that I won't use their services nor procure them for any organisation I work for.
Hey it's Joey checking in again. We noticed you mentioned our company, let me know if you have any questions about our (free!) program. I'll go ahead and email you some more info, just in case.
I had a similar one from that guy asking me to make open source PRs to some repo of theirs for, err, $25-50/hour. I replied explaining that senior software engineers in the UK aren’t quite as desperately poor as that, and got a canned response saying that they were looking forward to reviewing my PRs :D
Just got a SPAM email from a Github scraper while reading this thread:
From: james@techglobal.website
Quick note – your GitHub profile
Hi X,
I came across your profile on GitHub. Given you're based in the US, I thought it might be relevant to reach out.
Profile:
I run a technical team (full-stack, cloud, DevOps) that delivers for clients. We're looking to work with an engineer based in the US on client-facing coordination—discovery, requirements, alignment—while we handle delivery. If that might be relevant, I'd be glad to set up a short call.
Regards,
James
If I had to guess, "James" is a North Korean looking to scam US clients, based on my experience with shady actors.
Checked my spam after seeing this thread and found the same sender/email. Subject and signature are slightly changed.
From: james@techglobal.website Brief note – Following up on your GitHub work
Hi ,
I came across your profile on GitHub. Given you're based in the US, I thought it might be relevant to reach out.
Profile:
I run a technical team (full-stack, cloud, DevOps) that delivers for clients. We're looking to work with an engineer based in the US on client-facing coordination—discovery, requirements, alignment—while we handle delivery. If that might be relevant, I'd be glad to set up a short call.
Yes, having a US "front" is how North Koreans pass the identity verifications at US companies looking for remote workers. I have personally spoken with numerous such individuals. Think about it, if you were a legitimite organization attempting to gain US presence would your first action be to SPAM individuals on Github or to register a business and submit a job post on LinkedIn?
I find it interesting that a substantial number of people seem to think it's wrong or unethical to cold-email someone about a potential recruitment or business opportunity if they post their email in a public place, such as commits in a public Github repo.
I feel like if you don't want companies to cold-email you, you shouldn't make your email public. Github provides noreply email addresses for this purpose.
Scraping emails is also against the GitHub terms of service.
If you don't know what jurisdiction the owner of the email address resides in, it may also be illegal.
So whether it is scraping emails off a website or finding yourself on a private island with beautiful people "made available" to you, "consent" requires more than just having access.
This sounds decently targeted, why is it so offensive? Email marketing is far more democratic than Superbowl ads, give a small company a chance it's not hard to build something without the Superbowl millions
I have received over the years so much spam of this kind by multiple YC-funded companies that I now reflexively send to spam any email that mentions being YC-funded, regardless of how legitimate the email is.
Their brand has been associated with hacking-around and gaining advantage via rule breaking for a while. Didn't their founder application at one point ask "Tell us about a time where you hacked some system for your advantage?" At this point, I think everyone knows they're signing up for dark patterns and questionable practices when they get involved.
I'm always interested to understand - what constitutes a basic ChatGPT wrapper?
Is Legora, which is doing very well, a basic ChatGPT wrapper? Because if you don't view it as one, it certainly started as one.
YC is basically advising their startups to engage in shitty business practices, like trying to hire UK staff for half the salary and expecting 7 day weeks.
But that is someone pretending to be YC which is sort of less interesting than a YC company doing something bad. Because phishers imitate legit companies all the time. Easy to get roped in and I sympathise, anyone is suseptable (today I almost clicked the phishing training email as it looked urgent and pushed the right buttons)
Unfortunately if you don't start out using that, then your email address is already spread across the web. And back when I was looking at gitlab/bitbucket/etc for feature comparison, each forge used their own domain and couldn't be persuaded to combine commits from multiple addresses into your own profile (to be clear, that's not really necessary, but it does make it more difficult to find a commit created by someone when their commit address isn't the address associated with their account)
This happens all the time, not really surprised as the GitHub API makes it pretty easy to extract valuable leads with real and confirmed email addresses.
I don't like this way of putting it, it's good the github API makes this easy as that makes it an useful. Should not try to imply this should be restricted just because of some bad actors. It's just going to annoy legit users and the bad ones will scrape anyway.
Doesn't YC have some code of conduct or legal/ethical guidelines? I would assume a legal and compliance department would have some major headache if documented cases of misconduct jeopardize later due diligence. I would not fund or aquire a company on the radar of national regulatory bodies for something as stupid as this.
Doesn't YC have some code of conduct or legal/ethical guidelines?
Regardless of any claims of having this, I would say this behavior aligns with what I have seen over the last couple decades. I'm more surprised that other people would expect anything different?
Only free individual can have strong ethics. There are no free people in capitalism, money is debt after all. Think of applied pressure once you sign under VC money and amount of brainwashing / gaslighting. I sincerely hope my observation is wrong.
If you are going to go down that road: life is debt, and there is no true freedom. We are bound by the needs of our meat-containers, after all.
I don't like unfettered capitalism, but when I consider economies that have existed over time, it certainly looks like constrained capitalism affords the most freedom.
Like every other VC firm, the only thing they care about is money. They can pretend to morals, but they will never sacrifice one for the other in any meaningful way.
Didn't AirBnB famously spam people in the Bay Area as a "guerilla tactic" to build the business in its early days? This kind of fast and loose behaviour seems standard.
That's nothing. Former/current YC founders are also abusing BookFace.
I did YC and now work at a frontier lab.
I've received multiple spam-style emails from (mostly young) current founders tagging me and all other YC-alum at my place-of-work with the profiles of their friends for internship roles, referrals, etc.. Same girl has done it for like 5 different people.
Even worse, I got contacted through YC Jobs (workatastartup.com) with a message that was basically: "Star, fork, and submit PRs to our open-source repo and we'll review you for a contract."
I immediately realize it's engagement farming + free labor. I said "No thanks."
Got this reply: "(...) I'm looking forward to reviewing your PRs. Feel free to share me any of your questions. (...)"
Apparently, no one read my reply - not even AI. They are automating this shit. It's sad that many fall for it (check their Github repo)
I’m not especially bothered by this [yet -AI is likely to make this worse]. It’s a fairly insignificant component of my spam catcher. At least, it’s a bit focused.
Every day, I get deluged with hundreds of spam and scam emails, often because some knucklehead entered my email in a form (either accidentally, or as a throwaway red herring).
> Some examples of ethical behavior we expect from founders are:
> - Not spamming members of the community
> To maintain our community, if we determine (in our sole discretion) that a founder has behaved unethically during or after YC, we will revoke their YC founder status. This includes access to all Y Combinator spaces, software, lists and events. All founders in a company may be held responsible for the unethical actions of a single co-founder or a company employee, depending on the circumstances.
Do random GH accounts count as "members of the YC community"?
Sorry, but unsolicited contact, much as I hates, HATESSSS it, is a classic component of any business, and has been, for many decades. I don't think it would be appropriate for a business organization to prohibit its members from engaging in "cold calling," of which, UCE is really an example.
Using the YC branding/name, however, is a different matter.
Yes, startups, recruiting platforms, and students/“researchers” with stupid surveys for their worthless “research” spam me all the time by scraping the email from GitHub. I immediately trash the first two categories; I send a sternly-worded reply to the third category.
FYI, there are whole companies built around this concept. You tell them which repos are interesting to you, and they give you a list of people who interact with that repo. They also de-anonymize the users so you can find them on LinkedIn or elsewhere.
General advice would be to mark the email as spam or junk and hopefully their email platform penalizes them, but this has been working less and less. Email has truly become pay to play now.
I wish github could ammend the email of my commits to the private noreply address during push so they _never_ have any other email associated to them. May not be feasible due to the commit changing, confusing local branch and such?
They have this other thing where they reject pushes for the 'known' emails you've told them you have, but kinda seems there should be a setting to do that for any email that is not your noreply private one.
is that a feasible thing to ask for?
If you change the email address, you change the commit hash. And yes, suddenly your local branches are orphaned.
Of course, there's nothing stopping you from using a git-only email address (nospam-6thbit@yourdomain) and routing that to /dev/null. GitHub can't change email addresses, but you can.
They only do that if you set up that specific email on your account. Not if its 'any email other than the noreply one'.
> When you push to GitHub, we’ll check the most recent commit. If the author email on that commit is a private email on your GitHub account, we will block the push and warn you about exposing your private email.
Perhaps my usecase is niche, but I sometimes work with other git servers from the same machine with different emails and I don't want to set up all those on GH. Global settings don't help here, per-repo settings help but this doesn't come along when you clone a new one.
My solution to this is to use a Github-specific email address. All emails sent to that address which do not originate from GitHub are immediately reported as spam, marked read and deleted.
I sometimes use different git/GitHub addresses depending on who I'm working for or specific projects so I can more accurately detect where data is being scraped from.
N.B. Using service-specific emails is trivial - you don't need separate email accounts. Just use email aliases, e.g. "john.smith+github@gmail.com" -- which is an alias called "github" for "john.smith@gmail.com"
A simple regex filter will get rid of that. Now, if you use your own domain and have it configured as a catch-all, then you could do github@domain.tld.
I'm not saying I do this but if I were as smart as I think I am I would have given a Gmail example rather than the example you've given to avoid bots just looking up my website and starting to bypass my setup... ;) ;) ;)
Also, spammers generally don't seem to be going to the effort to apply regex filters to the data they've scraped...
IF alias NOT ON allowList MOVE TO specialLittleFolder
By far the worst one is always going to be something generic like contact@, but my email provider is very good at filtering out those appropriately. :)
I self host email, and I have never gotten spam to any email "constructed" from the domain, other than random attempts to things like "accounting@domain.tld" etc.
But the email I used to interact with the Linux kernel mailing list I had to null route after a while, it got so much spam. I used a throwaway for just that purpose of course, so no big deal.
You'd have thought so, but no, in my experience this works very well. People doing this kind of spamming don't seem to be particularly bright, nor do they seem to spend any time/effort to clean up their scraped database.
Boundaries don't exist really in tech and especially with emails. I just filter out spam and block a good bit. People just ignore stuff now a days even people saying hi passing someone in the street (which I stopped doing)? My colleges spam filter catches a lot of them. Your email is presumably already in data dumps.
You mention GDPR, which also "applies" to me, though I wonder if what they're doing is actually illegal. I mean, after all, I'm putting my email on GitHub precisely to give people a way to contact me.
Of course, I do that naïvely, assuming good faith, not expecting _companies_ to use it to spam me. So definitely what they're doing is, at the very least, in poor taste.
> I'm putting my email on GitHub precisely to give people a way to contact me.
They’re not only looking at the public email in your profile, they’re also looking at your committer email (git config user.email). You could argue that you’re not putting that out for people to contact you.
(I’ve used that trick a couple times to reach out to people, too, but never mass emailing.)
Is there any company that will take my money to solve GDPR issues? And by solve I mean sue the spammers? For last few years I saw they "try" to look legit, by claiming addresses are managed by some Hungarian/Spanish shell company, hoping no one will be able to afford pursuing infractions over borders.
There's probably a law against it, but I've always thought a legal company could make decent money taking cases like this in bulk for free, on the condition that they get to keep all the compensation, while the "client" still gets the satisfaction of punishing the offending party.
This is hard, because private right of action in Europe is often very limited, and the damages are low.
THe US basically has a "private police force" for certain laws, notably the ADA. Many people are against this, I personally think it's a great idea and something countries should be doing a lot more of of.
You can’t change anything about a commit without breaking the chain of SHA hashes in the commits, which causes pulls to break.
GitHub hides the emails on their web UI, but nothing stops people from pulling the repository with a Git client and looking at the emails in the commit log after doing so.
Which is why you should be careful to never use your actual email in git commits.
When I made a patch to the Linux kernel I did have to use a real email, since you have to send to their mailing list. I used a throwaway email for it, which I have since edited on my mail server config to forward to /dev/null (yes, I'm one of the weirdos still self hosting email in 2026). The amount of spam I got was insane, and not even developer relevant spam.
You have to configure your own Git client manually. But you can configure GitHub to block pushes from any email other than the no reply email GH generates for you.
Perhaps, but it doesn't change the fact that this is bad behavior for the company sending the email. Since YCombinator funded this company it makes sense that YC would want to know about how they are conducting business.
This sounded familiar, so I checked my inbox and I did indeed receive a similar email from sanchitmonga@runanywheresdk.com earlier this month:
> I came across your GitHub profile and thought you might be interested in what my team and I are building. We're developing an open source SDK that runs LLMs directly on-device.
What's even more interesting is that both buildrunanywhere.org and runanywheresdk.com show a stock hostinger parking page when accessed in a browser. Something tells me they're intentionally registering these "alternate" domains specifically for spam, to avoid tanking the email reputation of their main runanywhere.ai domain.
I guess I shouldn't be surprised given YC is going all in on AI and most AI companies are no better than the crypto scammers of yesteryear, but still.
I observed the same thing and it was only when you told me the main domain that I found their website.
> Something tells me they're intentionally registering these "alternate" domains specifically for spam, to avoid tanking the email reputation of their main runanywhere.ai domain
(I also couldn't see any post created by them on YC checking algolia from their website fwiw)
Seeing their star history on their product, I see some few interesting observations[0] Their star history was almost horizontal between december and february until it got vertical all of a sudden.
I looked through their linkedin and found this website owned by them as well https://www.openclawpi.com/ and using the YC brand here as well. (registerered 26 days ago)
This website looks fairly AI generated to me as well and there are some bugs within the original website as well which I am now incredibly more unsure of if generated by AI or not given the similarities between the two websites UI/UX as well.
Change your email to something like: myemail+gh@mail.com (the "+gh" tag). You can put any tag/word there, and if you get spam from a company you'll be able to identify that it came from them scraping your GH. Then you can report it with certainty.
Oh I'm getting so tired of this. Lately there appears to have been an uptick in this kind of marketing spam too, there's so many companies trying to advertise their AI products this way. At least it's a good indicator of which companies I should avoid at all costs, and it provides me with an email address I can use to direct my angry emotions towards.
They're getting more aggressive at it too. Just yesterday I received an email from Alignerr (not YC affiliated I think) saying that my sign-up was complete and cheerfully welcoming me to their platform. I had never even heard of them. An automated "job opportunity!" email didn't arrive until 3 hours later, but by then I had already directed some angry words towards their support email.
Other, even less respectable projects are also regularly enrolling my GitHub projects into their platforms, and I have to actively reach out to them to remove it.
I'm so tired of this man. Can someone go and take away these organizations' ability to send emails?
I usually check the "Received" header and report to the email service provider. Once in a while I receive a response saying the case is properly handled.
These providers are the only ones that care about their reputation and thus may take some action. Investors? Nope.
the problem is that the emails arent typically sent from the main domain.
in this example, the email came from buildrunanywhere.org, which is just a parked domain. the real domain is runanywhere.ai, which they arent using for spam.
so, once buildrunanywhere.org has their reputation burned from reports, they will simply register buildrunanywheres.org and start spamming again.
I get these types of emails daily -- never bothered to check whether they are YC or not as I don't read them; I can tell from the first sentence that it's not a company I know and am doing biz with and it goes directly into z-file. Most seem to have gotten my email address from LinkedIn, others from GH.
Side note but the trick I learned, at least with gMail is not to delete the email (which doesn't prevent you from getting new ones), or even reporting as spam (which may or may not work), but instead dragging it into the Promotions tab, into which all future emails from that email address will automatically go. Promotions tab then acts as your Trash.
The quickest way to get me to never do business with you is to send me spam.
I've received several similar ones over the years. At this point, if I get an email from someone I don't know and it contains a link, chances are it's spam. I genuinely doubt github(or any other company for that matter) would do something about it. While I fully support GDPR, the truth is, few people are willing to take action knowing how much bureaucracy would be involved...
HN and YC walk a thin line between hacker culture and venture capitalist culture. I know it’s easy to think that because HN comes from YC them too are aligned with hacker culture, but no. YC is all cutthroat business.
Partial agree. YC created HN, though the HN community is very much _unlike_ anything I've seen at YC.
HN is deeply skeptical, technical, cynical, sarcastic. It's a great place to learn new things and I've loved it since I found it in 2012.
The current startup climate (not just limited to YC) feels very AI bro YEAHHLETSFUCKINGGOO (and I say this as a founder myself having gone through YC recently in W25).
There's no reason to put your real email in git config unless you're signing, in which case repos should be private. I would have thought that was obvious.
I have been having the same experience. If you starred a GitHub repo, and they think that their product is similar, they will send you their spam. I condemn this! They should be ashamed!
After 25 years on the internet dealing with spam, it would never even occur to me to invest the energy to write a letter to the offending companies investor. But more power to them I'd say!
> These emails indicate that those companies scrape people's Github activity, and if they notice users contributing to repos in their field of business, send marketing emails to those users without receiving their consent. My guess is that they use commit metadata for this purpose.
There are likely marketing email datasets floating around the internet that contain email addresses scraped from commit metadata.
I use a catchall with a specific Git client (not GitHub) email address, and found spam and phishing emails being sent there quite a few times.
May not necessarily be from commit messages, there's at least one way simpler way: simply adding .gpg to the end of any user URL will return that user's public GPG key.
Martin from GitHub here. This type of behaviour is explicitly against the GitHub terms of service, when we catch the accounts doing this we can (and do) take action against those accounts including banning the accounts. It's a game of whack-a-mole for sure, and it's not just start-ups that take part in this sketchy behaviour to be honest. I've been plenty of examples in my time across the board.
The fundamental nature of Git makes this pretty easy for folks to scrape data from open source repositories. It's against our terms of service and those folks might want to talk with some lawyers about doing it - but as every Git commit contains your name and email address in the commit data it's not technically difficult even if it is unethical.
From the early days we've added features to help users anonymise their email addresses for commits posted to GitHub. Basically, you configure your local Git client to use your 'no-reply' email address in commits and that still links back to your GitHub account when you push: https://docs.github.com/en/account-and-profile/reference/ema...
I think that's still probably the best route. We want to keep open source data as open as possible, so I don't think locking down API's etc is the right route. We do throttle API requests and scraping traffic, but then again there have been plenty of posts here over the years from people annoyed at hitting those limits so it's definitely a balancing act. Love to know what folks here think though.
> when we catch the accounts doing this we can (and do) take action against those accounts including banning the accounts.
This isn't my experience. I requested that you looked into a spammer in July 2025, you ignored my reply and the account is still active.
----
Thank you so much for the report. We're sorry to hear you're receiving unwanted emails, but it's always a possibility when your public contact information is listed on the web. You can keep your email address private if you wish by following the steps here:
Setting your commit email address
We do expect our users to comply with our Terms of Service, which prohibits transmitting using information from the GitHub (whether scraped, collected through our API, or obtained otherwise) for spamming purposes. I'm happy to look into it further to see if we can contact the reported user and let them know that this type of activity is not allowed.
Please let us know if you have any other questions or concerns.
----
My reply which was ignored:
----
I understand it will happen from time to time. I'd rather be contactable (I've received legitimate emails today because my email is on my profile).
Please take further action. My email is public with the expectation that the ToS will be enforced. If GitHub isn't discouraging spammers then it makes it much harder to justify being contactable.
All the best, David
It's impossible for them to stop if you list your email on there. They could make it harder of course. But if you put your email out there for a human to find, then a script or bot or also find it.
And yes of course they can also stop a specific spammer. But that spammer may pick up another account and email.
The grandparent post wasn't asking for them to do the impossible and stop all spamming, only to take action against the particular user that spammed them.
I’ve made over five reports for this exact spam scenario, and never once have y’all acted on them. I have a hard time believing you ban spam accounts that clearly violate your ToS.
I even wrote about a specific example of a YC company spamming me from my GitHub email at https://benword.com/dont-tolerate-unsolicited-spam
How would you know whether the account that did the scraping was banned?
By visiting the account and noticing that it still has activity long after the report.
I'm confused. How do you know what account scraped your email address from github in order to send you an email?
Or do you mean going after the accounts of companies that make use of a likely scraped email address? That's not a bad idea either, but it has risks and isn't the same thing.
Half the time they literally say it in the email. I just looked in my spam folder and just a few hours ago got an email titled "Your profile: Github", that started with:
> I came across your profile on GitHub. Given you're based in the US, I thought it might be relevant to reach out. > > Profile: https://github.com/tedivm
They aren't doing anything to hide it.
How do you propose GH take action without risking taking down legitimate projects due to brigades of false reports?
GH literally say in a parent comment:
> we can (and do) take action against those accounts including banning the accounts
That they use some of their trillion dollar marketshare to solve it, why are you acting like this is a hard problem? It's not. They're just too cheap and greedy to do anything about it.
Trillion dollar marketshare? How big do you think GitHub is?
GitHub is wholly owned by Microsoft, which has a 3 trillion market cap
How small do you think Microsoft is??!
I don't have any specific suggestions, but I do want to give thanks for implementing functionality to block pushes if the email field is *not* using an anonymized mail address.
It's one thing to offer anonymous e-mail addresses, but it's also awesome that GitHub can help prevent mistakes that would otherwise leak a user's e-mail address. I am not sure how many people try to be privacy conscious on GitHub, but I assume most users don't, so it's nice seeing this little feature exist.
It gets more complicated when commit signing, the widely broken web of trust (for the signing key) and similar are involved.
And not all devs want or need anonymity on github.
In general just because information is publicly accessible in some form doesn't make it okay or legal to abuse it (accessible doesn't mean any form of usage rights are transferred to you weather it's in context of GDPR or in context of copy right).
I am also getting constant spam because apparently they can see who starred a repo (i.e. I see you starred repo x and we are doing something similar). I am not starring anything anymore.
Scrape once, spam forever.
I think it's pretty clear you need to use an anonymization scheme in the way commits are handled so that it links back to your github account and the email addresses are kept private.
Privacy centric companies like Apple do this for users offering hashed emails, on a per login basis.
I'm sure this would not work in a world of scraping, but having that kind of ability to figure out bad actors would be nice. You could require authenticated users for certain kinds of requests, and block user information from non-authenticated requests.
They already do[0]
this includes a unique ID which survives account renames, and the name of the GitHub account at the time.[0] https://docs.github.com/en/account-and-profile/reference/ema...
How does the spammer get through this then?
they don't. it's an optional process, and many users don't change their git config to use the provided email
I know it is against the ToS. I've reported multiple organisations doing this. Last time I reported one, support closed the ticket saying the activity is off platform so they can't do anything.
I didn't realize this was against the Github TOS - I just thought it was par for the course for recruiters nowadays. This is good to know!
How do I report that person, though? Your support page about reporting abuse assumes I know the person's Github account: https://docs.github.com/en/communities/maintaining-your-safe...
What section of the ToS prohibits this? In other words, what is the thing that is being done that is against the ToS? Looking up the creator of a repo, or the contributors of the repo?
I did a quick scan of the ToS and all I could find was D8 that states that autmated access (scraping) used for "AI" applies a reciprocal license that prevents the scraper from restricting GitHub's access to the data (the whole model? the weights?) resulting from the scraping.
This makes it sound like any model trained on GitHhub content cannot be commercialized, because charging for access to the output would be a "technical or other limit"... So you're obviously not really enforcing this, otherwise MS would be suing every big commercial model out there!
It seems like a safe assumption that the big commercial models will have negotiated their own private GitHub terms of service, especially considering their many-digit annual contracts with Azure.
I have reported several spam emails to Github and from what I can tell none has been acted upon.
Maybe I am missing something, but can’t you simply not show the email address in a git commit? (Sincere question, not saying this is trivial. i am dumb and like to ask dumb questions even if might be embarassing)
If someone wants to message someone, it goes through github notifications or github emails them
Also banning an account doesnt seem like a heavy punishment, given they can simply move to gitlab, bitbucket etc
That would be a fundamental change to how Git works, not just GitHub. Even if the web UI didn't show it, a simple `git log` would reveal it.
You can mask your email address in git commits but a lot of open source projects won't accept that. And some pseudo-open-source ones insist on sending you an email to authenticate before they'll give you access to the GitHub repo (looking at you Unreal Engine!)
So, no, I don't think they could simply "not show the email address".
fyi, you can also see the author email by appending ".patch" to the end of a commit URL
Makes sens! Appreciate the explanation!
Git commits have a email address as a required field[0], although some people put something bogus in there. And then it's in the data provided when you clone the repo onto your machine even if you aren't using the GitHub APIs.
To his point, you can set that to the no-reply email address GitHub gives you if you don't want mail but do want the commit to be linked to your GitHub account.
[0]: https://git-scm.com/docs/git-commit#_commit_information
Git commits are identified by a hash of their entire contents[1]. The way hashes work, if you change even one bit, the hash becomes completely different. Every commit contains the email address of the committer and the hash of the parent commit. If the email address in even one commit is changed or removed, that changes its hash, which in turn requires you to update its children, changing their hashes etc. So, updating a commit from n years ago requires you to update all commits that have been made since. By default, git will refuse to pull from such an updated repository, as commits are considered immutable once pushed.
[1] In practice, it's a bit more complicated. Merkle trees are involved, so it's hashes of hashes of hashes instead of hashing a multi-gigabyte blob on each commit, but that's a performance optimization that doesn't affect semantics much.
You should be using the email address "username@no.reply.github.com" or similar
There's never been an obligation to use a real email address for git
Amazon did this to me. Their recruiters started hounding me at an email address that I only ever used to sign git commits on some repos used on GitHub. When I asked them how they got my email address they said "it was in [our] database"
Are no-reply emails associated with the accounts if the username is changed? That's one reason why I switched back to my personal email.
I've had more than a few instances of this over the past 2 years, and my reply is exactly the above.
"What you are doing is against Github's TOS"
I've raised this as ticket ID 4114793, just in case.
Nice, thank you Martin. How do you punish the fraudsters? Do you send them to prison over CFAA violation terms of service?
I kinda wish I had that much power. There would certainly be less people in the world listening to their phones without headphones..
Usually starts with contacting them over email reminding them of the terms of service and warning them to stop. Then their account might get deactivated and they need to write and promise to not be naughty again. If they ignore that then the account gets removed.
There are a bunch of automated checks that are running all the time as well and will take automated action that then gets later reviewed by humans. At lot of times the process is fast-tracked.
The off-platform 'let's scrape a bunch of data and then spam nice people' is the hardest to police. Linking those mails to an offending GitHub account is hard and very manual, also anyone can send emails saying they are someone they are not and because of that anyone can deny they sent the mail and they'll usually blame a rogue agency they where working with etc.
I probably shouldn't say it, but the public shame that comes from being mentioned on social, in hacker news etc. That stops people who want to be treated as legitimate from doing that sort of thing and helps educate the wider community around what is and isn't acceptable behaviour - that is why it's good to see this thread and see the issue getting attention.
Love the transparency - someone should make you VP of ..uhm dev rel or something! I was being quite hyperbolic in my original comment, however, I _do_ think you are doing the right thing, and you are definitely not the bad guy.
Having said that, there are big corps who have been known to use the CFAA as a way to coerce the long arm of the law upon teenagers and geeks hacking away - not always a great thing either IMO.
> CFAA violation terms of service
This would be a gross miscarriage of justice and bringing successful action under this theory would do widespread harm by expanding the definition of the CFAA.
Just because a company can take some nuclear action, doesn't mean they should.
Will send a strong email: Don’t do bad things.
> it's not technically difficult even if it is unethical.
kettle, pot, black?
I received the following offical spam last week from GitHub:
> Build AI agents with the new GitHub Copilot SDK
despite never granting consent for marketing material
(and yes, there's a GDPR complaint now working its way through the national regulator)
Ban them. Honestly I get the same and it is beyond frustrating.
I will pay more for GitHub if you go hard on these mfs.
Hey, Martin - https://github.com/lucidrains
Mind fixing lucidrains account? Something happened without notice or recourse. He's one of, if not the most well known open source AI researchers on the planet, with implementations and explanations of papers and ideas that are wonderful. If you could bring some sanity to that situation and take it out of whatever kafkaesque account purgatory it fell into, you'd be doing the work of angels.
Thanks!
What was happening with this account? I was often seeing popular but empty (only title of the paper and maybe a short readme) repositories that were created directly after a paper was published?
Just part of the process - he'd queue up the projects as interesting things came in, then plow through. Usually he'd have a rough framework within a day or two, and then a working proof of concept within a week, and then return to the most promising, useful, or interesting projects.
I really appreciated his coding-style, but the bar is quite low on research/ML-algorithms to be fair. I still wonder how he managed to get „trending“ repositories regularly despite the repositories being empty.
Is this mirrored on gitlab or somewhere else? Nobody should trust Github to store all their data
As a side note unsolicited advertisement of this kind is illegal in Europe.
And them claiming "they didn't know" can be dismissed given that many dev on GH have location information set.
It also in general doesn't change anything. the law doesn't care if you know or didn't.
Startups starting out their journey by committing crime is always a grate sign for their trustability.
YC is a proud investor in Flock, what YC Ethics thing are you talking about?
And that Optifye.ai demo with the sweatshop surveillance software
And Cluely
Cluely is not YC.
he might be thinking of chadIDE "the first brainrot ide"
the same Cluely that's on IG? I thought that was a fictional satire.
And, Gecko Security.
Flock is an awful company, but what's the trouble with Gecko security? Are you talking about https://www.gecko.security/ or something else?
I've spent a lot of my career marketing to developers, and spamming their GitHub account might be top 1 or 2 worst marketing tactics you can use.
Cold emailing rarely works by itself. Cold emailing developers via emails you pulled from their GitHub accounts? At that point, you're actively harming your brand, and may as well just send them spam diet pill ads.
If someone took the time to look through my GitHub contributions then pitched me with a job relevant to that work I would absolutely consider them. That's exactly the kind of recruiter I would like to work with.
If it's obviously just a bot scraping emails and sending generic job requests, that's very different.
> If it's obviously just a bot scraping emails and sending generic job requests, that's very different.
It's not even that nice. They scrape emails and send cold calls to try to get you to purchase their services.
Wait why? That seems like the high effort and high specificity thing that I'd love to get.
You searched for people who do what you need to have done, found me, looked at what I've worked on and determined I'd be a good fit and you reached out? That's the number one way to get me to want to work for you.
> You searched for people who do what you need to have done, found me, looked at what I've worked on and determined I'd be a good fit and you reached out? That's the number one way to get me to want to work for you.
No, their email templating tool finds an old throwaway repo you did 6 years ago, templates its name into a form email, and invites you to join a cattle call to be whiteboarded along with the rest of the shmucks
"Work for you"? They ain't hiring my friend, they are spamming their product to your inbox, not sending a career opportunity
Ever wonder why YC has the "Describe a time you most successfully hacked some system to your advantage" question? It's because they select for founders that are willing to take advantage of legal gray areas. Airbnb repeatedly violated Craigslist terms of service and called it "growth hacking." Reddit stole content from Digg and faked users. OpenAI trains their models on copyrighted content.
I also had unsolicited spam from Vincent Jiang of Aden, another YC company.
…and more from Backdrop.
And then another after I marked the first one as spam and ignored it. Both companies have guaranteed that I won't use their services nor procure them for any organisation I work for.Hey it's Joey checking in again. We noticed you mentioned our company, let me know if you have any questions about our (free!) program. I'll go ahead and email you some more info, just in case.
I had a similar one from that guy asking me to make open source PRs to some repo of theirs for, err, $25-50/hour. I replied explaining that senior software engineers in the UK aren’t quite as desperately poor as that, and got a canned response saying that they were looking forward to reviewing my PRs :D
Just got a SPAM email from a Github scraper while reading this thread:
From: james@techglobal.website Quick note – your GitHub profile Hi X,
I came across your profile on GitHub. Given you're based in the US, I thought it might be relevant to reach out.
Profile:
I run a technical team (full-stack, cloud, DevOps) that delivers for clients. We're looking to work with an engineer based in the US on client-facing coordination—discovery, requirements, alignment—while we handle delivery. If that might be relevant, I'd be glad to set up a short call.
Regards, James
If I had to guess, "James" is a North Korean looking to scam US clients, based on my experience with shady actors.
Checked my spam after seeing this thread and found the same sender/email. Subject and signature are slightly changed.
From: james@techglobal.website Brief note – Following up on your GitHub work
Hi ,
I came across your profile on GitHub. Given you're based in the US, I thought it might be relevant to reach out.
Profile:
I run a technical team (full-stack, cloud, DevOps) that delivers for clients. We're looking to work with an engineer based in the US on client-facing coordination—discovery, requirements, alignment—while we handle delivery. If that might be relevant, I'd be glad to set up a short call.
Best, James
I'm curious, what leads you to North Korean from that email? Is it that there's an anonymous team, which has a US "front"?
Yes, having a US "front" is how North Koreans pass the identity verifications at US companies looking for remote workers. I have personally spoken with numerous such individuals. Think about it, if you were a legitimite organization attempting to gain US presence would your first action be to SPAM individuals on Github or to register a business and submit a job post on LinkedIn?
Got this spam today on my GitHub address, YC affiliated:
From: henry@joincactuscompute.com
Hey,
I hope all is well with you, just reaching out as you seem to be interested in on-device speech models.
Cactus is a low-latency AI engine for consumer devices like phones, Macs, wearables, Raspberry Pis, etc.
We support transcription models like Whisper & Parakeet, benchmarks available in the attached GitHub repo.
GitHub: https://github.com/cactus-compute/cactus
We are keen to get your feedback, and star if feeling generous.
Thanks a million
> star if feeling generous ... Thanks a million
A 419 scam?
I remember this being discussed a while ago
https://news.ycombinator.com/item?id=9332418 (11 years ago)
https://news.ycombinator.com/item?id=20660624 (7 years ago)
https://news.ycombinator.com/item?id=27855152 (5 years ago)
https://news.ycombinator.com/item?id=30900237 (4 years ago)
Seems it’s a reoccurring issue
I find it interesting that a substantial number of people seem to think it's wrong or unethical to cold-email someone about a potential recruitment or business opportunity if they post their email in a public place, such as commits in a public Github repo.
I feel like if you don't want companies to cold-email you, you shouldn't make your email public. Github provides noreply email addresses for this purpose.
That isn't how consent works, though.
Scraping emails is also against the GitHub terms of service.
If you don't know what jurisdiction the owner of the email address resides in, it may also be illegal.
So whether it is scraping emails off a website or finding yourself on a private island with beautiful people "made available" to you, "consent" requires more than just having access.
This sounds decently targeted, why is it so offensive? Email marketing is far more democratic than Superbowl ads, give a small company a chance it's not hard to build something without the Superbowl millions
I have received over the years so much spam of this kind by multiple YC-funded companies that I now reflexively send to spam any email that mentions being YC-funded, regardless of how legitimate the email is.
Same here, having YC attached to your name is not the flex you think it is, its even the opposite for me
Their brand has been associated with hacking-around and gaining advantage via rule breaking for a while. Didn't their founder application at one point ask "Tell us about a time where you hacked some system for your advantage?" At this point, I think everyone knows they're signing up for dark patterns and questionable practices when they get involved.
It still does.
> Please tell us about a time you most successfully hacked some (non-computer) system to your advantage:
I suspect it can be an excellent barometer of someone's:
- alignment in terms of pro-social vs. anti-social
- decision making under desperation
- "social filter": threading the line between 'interesting'/'compelling' vs. 'off-putting'/'concerning'
which are important signals for evaluating potential future C-suite executives.
Their brand has been associated with hacking-around and gaining advantage via rule breaking for a while.
Yup, this type of behavior is pretty much as I would expect and it's something I've seen since I first started posting here.
I don't blame you, the FOMO is real to the point even basic ChatGPT wrappers are getting funded these days, I guess.
I'm always interested to understand - what constitutes a basic ChatGPT wrapper? Is Legora, which is doing very well, a basic ChatGPT wrapper? Because if you don't view it as one, it certainly started as one.
YC is basically advising their startups to engage in shitty business practices, like trying to hire UK staff for half the salary and expecting 7 day weeks.
This is atleast fine as it's just spam, I got pulled into an actual scam and it never made it to the frontpage.
https://news.ycombinator.com/item?id=45357205
But that is someone pretending to be YC which is sort of less interesting than a YC company doing something bad. Because phishers imitate legit companies all the time. Easy to get roped in and I sympathise, anyone is suseptable (today I almost clicked the phishing training email as it looked urgent and pushed the right buttons)
Looks like GH nuked it, though.
Hope they didn’t get too many folks.
That's a little creepier than the time I got an email from someone trying to push a new crypto coin to me because I contributed to OSS.
Email address privacy is a feature offered by Github and replaces your day to day email: https://docs.github.com/en/account-and-profile/how-tos/email...
Unfortunately if you don't start out using that, then your email address is already spread across the web. And back when I was looking at gitlab/bitbucket/etc for feature comparison, each forge used their own domain and couldn't be persuaded to combine commits from multiple addresses into your own profile (to be clear, that's not really necessary, but it does make it more difficult to find a commit created by someone when their commit address isn't the address associated with their account)
This happens all the time, not really surprised as the GitHub API makes it pretty easy to extract valuable leads with real and confirmed email addresses.
I don't like this way of putting it, it's good the github API makes this easy as that makes it an useful. Should not try to imply this should be restricted just because of some bad actors. It's just going to annoy legit users and the bad ones will scrape anyway.
I'm just stating a fact, not implying anything. It's the good old saying with the sharp knife, it can be used for good and bad.
Ok sorry I guess I read too much into it.
Yea, been going on at least a decade
Doesn't YC have some code of conduct or legal/ethical guidelines? I would assume a legal and compliance department would have some major headache if documented cases of misconduct jeopardize later due diligence. I would not fund or aquire a company on the radar of national regulatory bodies for something as stupid as this.
It's not "spam", it's a "growth hack".
Doesn't YC have some code of conduct or legal/ethical guidelines?
Regardless of any claims of having this, I would say this behavior aligns with what I have seen over the last couple decades. I'm more surprised that other people would expect anything different?
Looking for ethics in an industry where a pluraility of founders are tied to Peter Thiel is a headscratchingly dense idea.
> Doesn't YC have some code of conduct or legal/ethical guidelines?
Sorry but lol you must be new here.
Imagine thinking in 2026 that an American tech company has ethics.
Only free individual can have strong ethics. There are no free people in capitalism, money is debt after all. Think of applied pressure once you sign under VC money and amount of brainwashing / gaslighting. I sincerely hope my observation is wrong.
If you are going to go down that road: life is debt, and there is no true freedom. We are bound by the needs of our meat-containers, after all.
I don't like unfettered capitalism, but when I consider economies that have existed over time, it certainly looks like constrained capitalism affords the most freedom.
When you are a team of 3 people eating ramen there is no legal or ethical compliance department.
Like every other VC firm, the only thing they care about is money. They can pretend to morals, but they will never sacrifice one for the other in any meaningful way.
They scrape "Show HN" as well. I got put on a list and continue to get spam to this day.
For me, its those Who's hiring or Who wants to get hired posts. I used a throwaway email once and got emails about SEO and AI projects.
I don’t engage. I mark as spam, block the sender/domain, and move on.
Didn't AirBnB famously spam people in the Bay Area as a "guerilla tactic" to build the business in its early days? This kind of fast and loose behaviour seems standard.
That's nothing. Former/current YC founders are also abusing BookFace.
I did YC and now work at a frontier lab.
I've received multiple spam-style emails from (mostly young) current founders tagging me and all other YC-alum at my place-of-work with the profiles of their friends for internship roles, referrals, etc.. Same girl has done it for like 5 different people.
Even worse, I got contacted through YC Jobs (workatastartup.com) with a message that was basically: "Star, fork, and submit PRs to our open-source repo and we'll review you for a contract."
I immediately realize it's engagement farming + free labor. I said "No thanks."
Got this reply: "(...) I'm looking forward to reviewing your PRs. Feel free to share me any of your questions. (...)"
Apparently, no one read my reply - not even AI. They are automating this shit. It's sad that many fall for it (check their Github repo)
---
Company: Aden (W20)
Contact: Vincent Jiang, Founder
Github: https://github.com/aden-hive/hive
I’m not especially bothered by this [yet -AI is likely to make this worse]. It’s a fairly insignificant component of my spam catcher. At least, it’s a bit focused.
Every day, I get deluged with hundreds of spam and scam emails, often because some knucklehead entered my email in a form (either accidentally, or as a throwaway red herring).
Sure but these YC spammers are identifiable and have much more to lose https://www.ycombinator.com/ethics/
> Some examples of ethical behavior we expect from founders are:
> - Not spamming members of the community
> To maintain our community, if we determine (in our sole discretion) that a founder has behaved unethically during or after YC, we will revoke their YC founder status. This includes access to all Y Combinator spaces, software, lists and events. All founders in a company may be held responsible for the unethical actions of a single co-founder or a company employee, depending on the circumstances.
Has this ever actually been enforced?
Just Medobed (S23). For lying to YC partners.
Edit: Apparently "about a dozen companies"[0] have been booted for ethics violations.
0: https://techcrunch.com/2021/06/09/does-what-happens-at-yc-st...
> > - Not spamming members of the community
Ah... but there's the rub.
Define "the community."
Do random GH accounts count as "members of the YC community"?
Sorry, but unsolicited contact, much as I hates, HATESSSS it, is a classic component of any business, and has been, for many decades. I don't think it would be appropriate for a business organization to prohibit its members from engaging in "cold calling," of which, UCE is really an example.
Using the YC branding/name, however, is a different matter.
Yes, startups, recruiting platforms, and students/“researchers” with stupid surveys for their worthless “research” spam me all the time by scraping the email from GitHub. I immediately trash the first two categories; I send a sternly-worded reply to the third category.
I’m also getting “saw you on GitHub” spam from voice.ai
And they are using a different domain for the emails so the spam markers don’t hit their primary domain.
FYI, there are whole companies built around this concept. You tell them which repos are interesting to you, and they give you a list of people who interact with that repo. They also de-anonymize the users so you can find them on LinkedIn or elsewhere.
General advice would be to mark the email as spam or junk and hopefully their email platform penalizes them, but this has been working less and less. Email has truly become pay to play now.
We all use different domains for sending cold outreach. This isn't an amateur hour, come on.
That's exactly what I've been doing with solicitation emails, reporting as SPAM on gmail.
Even before AI, I found it super annoying when I got spam from companies touting their YC cred.
They're literally hurting their own brand, as well as YC's.
People here assume that YC is some kind of ethics benchmark for business. It's not.
I wish github could ammend the email of my commits to the private noreply address during push so they _never_ have any other email associated to them. May not be feasible due to the commit changing, confusing local branch and such?
They have this other thing where they reject pushes for the 'known' emails you've told them you have, but kinda seems there should be a setting to do that for any email that is not your noreply private one. is that a feasible thing to ask for?
If you change the email address, you change the commit hash. And yes, suddenly your local branches are orphaned.
Of course, there's nothing stopping you from using a git-only email address (nospam-6thbit@yourdomain) and routing that to /dev/null. GitHub can't change email addresses, but you can.
They literally have a setting to block pushes with any email other than the noreply one, lol.
You'd think so, but no!
They only do that if you set up that specific email on your account. Not if its 'any email other than the noreply one'.
> When you push to GitHub, we’ll check the most recent commit. If the author email on that commit is a private email on your GitHub account, we will block the push and warn you about exposing your private email.
Perhaps my usecase is niche, but I sometimes work with other git servers from the same machine with different emails and I don't want to set up all those on GH. Global settings don't help here, per-repo settings help but this doesn't come along when you clone a new one.
My solution to this is to use a Github-specific email address. All emails sent to that address which do not originate from GitHub are immediately reported as spam, marked read and deleted.
I sometimes use different git/GitHub addresses depending on who I'm working for or specific projects so I can more accurately detect where data is being scraped from.
N.B. Using service-specific emails is trivial - you don't need separate email accounts. Just use email aliases, e.g. "john.smith+github@gmail.com" -- which is an alias called "github" for "john.smith@gmail.com"
A simple regex filter will get rid of that. Now, if you use your own domain and have it configured as a catch-all, then you could do github@domain.tld.
I'm not saying I do this but if I were as smart as I think I am I would have given a Gmail example rather than the example you've given to avoid bots just looking up my website and starting to bypass my setup... ;) ;) ;)
Also, spammers generally don't seem to be going to the effort to apply regex filters to the data they've scraped...
IF alias NOT ON allowList MOVE TO specialLittleFolder
By far the worst one is always going to be something generic like contact@, but my email provider is very good at filtering out those appropriately. :)
I self host email, and I have never gotten spam to any email "constructed" from the domain, other than random attempts to things like "accounting@domain.tld" etc.
But the email I used to interact with the Linux kernel mailing list I had to null route after a while, it got so much spam. I used a throwaway for just that purpose of course, so no big deal.
Don't spammers have an automatic filter to cleanup that?
You'd have thought so, but no, in my experience this works very well. People doing this kind of spamming don't seem to be particularly bright, nor do they seem to spend any time/effort to clean up their scraped database.
I got some emails like this from overseas developers looking to borrow my Linkedin to land a higher paying job.
Boundaries don't exist really in tech and especially with emails. I just filter out spam and block a good bit. People just ignore stuff now a days even people saying hi passing someone in the street (which I stopped doing)? My colleges spam filter catches a lot of them. Your email is presumably already in data dumps.
I was also spammed (twice) by voice.ai.
You mention GDPR, which also "applies" to me, though I wonder if what they're doing is actually illegal. I mean, after all, I'm putting my email on GitHub precisely to give people a way to contact me.
Of course, I do that naïvely, assuming good faith, not expecting _companies_ to use it to spam me. So definitely what they're doing is, at the very least, in poor taste.
> I'm putting my email on GitHub precisely to give people a way to contact me.
They’re not only looking at the public email in your profile, they’re also looking at your committer email (git config user.email). You could argue that you’re not putting that out for people to contact you.
(I’ve used that trick a couple times to reach out to people, too, but never mass emailing.)
Is there any company that will take my money to solve GDPR issues? And by solve I mean sue the spammers? For last few years I saw they "try" to look legit, by claiming addresses are managed by some Hungarian/Spanish shell company, hoping no one will be able to afford pursuing infractions over borders.
There's probably a law against it, but I've always thought a legal company could make decent money taking cases like this in bulk for free, on the condition that they get to keep all the compensation, while the "client" still gets the satisfaction of punishing the offending party.
On the U.S., only Attorneys General can go after violators of the CAN-SPAM Act.
It needs to be modified like how individuals can go after telemarketers.
That’s pretty much class action lawsuits!
This is hard, because private right of action in Europe is often very limited, and the damages are low.
THe US basically has a "private police force" for certain laws, notably the ADA. Many people are against this, I personally think it's a great idea and something countries should be doing a lot more of of.
> Is there any company that will take my money to solve GDPR issues? And by solve I mean sue the spammers?
A lawyer
They spammed me as well.
Couldn’t github replace all public commits author info email by a username@author.github.com email automagically ?
You can’t change anything about a commit without breaking the chain of SHA hashes in the commits, which causes pulls to break.
GitHub hides the emails on their web UI, but nothing stops people from pulling the repository with a Git client and looking at the emails in the commit log after doing so.
Which is why you should be careful to never use your actual email in git commits.
When I made a patch to the Linux kernel I did have to use a real email, since you have to send to their mailing list. I used a throwaway email for it, which I have since edited on my mail server config to forward to /dev/null (yes, I'm one of the weirdos still self hosting email in 2026). The amount of spam I got was insane, and not even developer relevant spam.
This makes me wonder how the Linux kernel git system deals with GDPR data deletion requests. Are they even legally allowed to deny them?
You have to configure your own Git client manually. But you can configure GitHub to block pushes from any email other than the no reply email GH generates for you.
Maybe a dumb question, but isn't this trivially solved with this .gitconfig?
Sure, as long as you want to rewrite all of the history of all of your public repositories.
Oh yeah, I have always had this as it was pretty clear to me that the info in the email field is public.
For commits you author.
Kernel guidelines now have a more verbose section about tagging: https://www.kernel.org/doc/html/latest/process/submitting-pa...
Not all projects are hosted at github. You also might want to receve relevant mail from fellow developers.
Fair point. Pretty sure there is a way to have a few .gitconfig files, with the active one based on the remote URL domain, but it is more work.
Perhaps, but it doesn't change the fact that this is bad behavior for the company sending the email. Since YCombinator funded this company it makes sense that YC would want to know about how they are conducting business.
Happens all the time.
Big deal, so does every other company.
If you're lonely just upload a few AI keywords to a repo. You'll get emails forever.
This sounded familiar, so I checked my inbox and I did indeed receive a similar email from sanchitmonga@runanywheresdk.com earlier this month:
> I came across your GitHub profile and thought you might be interested in what my team and I are building. We're developing an open source SDK that runs LLMs directly on-device.
What's even more interesting is that both buildrunanywhere.org and runanywheresdk.com show a stock hostinger parking page when accessed in a browser. Something tells me they're intentionally registering these "alternate" domains specifically for spam, to avoid tanking the email reputation of their main runanywhere.ai domain.
I guess I shouldn't be surprised given YC is going all in on AI and most AI companies are no better than the crypto scammers of yesteryear, but still.
I observed the same thing and it was only when you told me the main domain that I found their website.
> Something tells me they're intentionally registering these "alternate" domains specifically for spam, to avoid tanking the email reputation of their main runanywhere.ai domain
This is a really bad look on them.
https://www.whatsmydns.net/domain-age?q=buildrunanywhere.org and https://www.whatsmydns.net/domain-age?q=runanywheresdk.com
Both these domain were registered only 36 days ago
Their main domain had been around for 6 month (216 days) tho:- https://www.whatsmydns.net/domain-age?q=runanywhere.ai
(I also couldn't see any post created by them on YC checking algolia from their website fwiw)
Seeing their star history on their product, I see some few interesting observations[0] Their star history was almost horizontal between december and february until it got vertical all of a sudden.
[0]:https://www.star-history.com/#runanywhere.ai/runanywhere.ai&...
I looked through their linkedin and found this website owned by them as well https://www.openclawpi.com/ and using the YC brand here as well. (registerered 26 days ago)
This website looks fairly AI generated to me as well and there are some bugs within the original website as well which I am now incredibly more unsure of if generated by AI or not given the similarities between the two websites UI/UX as well.
Change your email to something like: myemail+gh@mail.com (the "+gh" tag). You can put any tag/word there, and if you get spam from a company you'll be able to identify that it came from them scraping your GH. Then you can report it with certainty.
you can also autofilter that tag to route to spam
Oh I'm getting so tired of this. Lately there appears to have been an uptick in this kind of marketing spam too, there's so many companies trying to advertise their AI products this way. At least it's a good indicator of which companies I should avoid at all costs, and it provides me with an email address I can use to direct my angry emotions towards.
They're getting more aggressive at it too. Just yesterday I received an email from Alignerr (not YC affiliated I think) saying that my sign-up was complete and cheerfully welcoming me to their platform. I had never even heard of them. An automated "job opportunity!" email didn't arrive until 3 hours later, but by then I had already directed some angry words towards their support email.
Other, even less respectable projects are also regularly enrolling my GitHub projects into their platforms, and I have to actively reach out to them to remove it.
I'm so tired of this man. Can someone go and take away these organizations' ability to send emails?
Over many years, I have got email from university for survey / research.
This is not GitHub only, I have got a survey on how my experience interacting with folks on lkml
I've received the exact same email from the same company.
I usually check the "Received" header and report to the email service provider. Once in a while I receive a response saying the case is properly handled.
These providers are the only ones that care about their reputation and thus may take some action. Investors? Nope.
the problem is that the emails arent typically sent from the main domain.
in this example, the email came from buildrunanywhere.org, which is just a parked domain. the real domain is runanywhere.ai, which they arent using for spam.
so, once buildrunanywhere.org has their reputation burned from reports, they will simply register buildrunanywheres.org and start spamming again.
Sometimes they also scrape HN profiles, it is most irritating.
I get these types of emails daily -- never bothered to check whether they are YC or not as I don't read them; I can tell from the first sentence that it's not a company I know and am doing biz with and it goes directly into z-file. Most seem to have gotten my email address from LinkedIn, others from GH.
Side note but the trick I learned, at least with gMail is not to delete the email (which doesn't prevent you from getting new ones), or even reporting as spam (which may or may not work), but instead dragging it into the Promotions tab, into which all future emails from that email address will automatically go. Promotions tab then acts as your Trash.
The quickest way to get me to never do business with you is to send me spam.
I've received several similar ones over the years. At this point, if I get an email from someone I don't know and it contains a link, chances are it's spam. I genuinely doubt github(or any other company for that matter) would do something about it. While I fully support GDPR, the truth is, few people are willing to take action knowing how much bureaucracy would be involved...
> how much bureaucracy would be involved... it varies from country to country, but filling a complaint on that matter is usually quite straightforward
I did receive these kinds of emails as well.
And I use a different email fromy priority email for GitHub commits since 4 years ago.
So just stop with marketing slop please.
Yes, I work with AI, and I'm becoming pretty good at it.
But this doesn't mean I'm comfortable pushing AI slop into potential users and customers.
I (and they) want to use AI to facilitate their processes, not to ingest slop content.
HN and YC walk a thin line between hacker culture and venture capitalist culture. I know it’s easy to think that because HN comes from YC them too are aligned with hacker culture, but no. YC is all cutthroat business.
Partial agree. YC created HN, though the HN community is very much _unlike_ anything I've seen at YC.
HN is deeply skeptical, technical, cynical, sarcastic. It's a great place to learn new things and I've loved it since I found it in 2012.
The current startup climate (not just limited to YC) feels very AI bro YEAHHLETSFUCKINGGOO (and I say this as a founder myself having gone through YC recently in W25).
I also received this shitty email 3 days ago
There's no reason to put your real email in git config unless you're signing, in which case repos should be private. I would have thought that was obvious.
I have been having the same experience. If you starred a GitHub repo, and they think that their product is similar, they will send you their spam. I condemn this! They should be ashamed!
After 25 years on the internet dealing with spam, it would never even occur to me to invest the energy to write a letter to the offending companies investor. But more power to them I'd say!
> These emails indicate that those companies scrape people's Github activity, and if they notice users contributing to repos in their field of business, send marketing emails to those users without receiving their consent. My guess is that they use commit metadata for this purpose.
There are likely marketing email datasets floating around the internet that contain email addresses scraped from commit metadata.
I use a catchall with a specific Git client (not GitHub) email address, and found spam and phishing emails being sent there quite a few times.
May not necessarily be from commit messages, there's at least one way simpler way: simply adding .gpg to the end of any user URL will return that user's public GPG key.
I don't understand what you're suggesting. The public keys on GitHub are stripped of email addresses — I checked before replying.