Martin from GitHub here. This type of behaviour is explicitly against the GitHub terms of service, when we catch the accounts doing this we can (and do) take action against those accounts including banning the accounts. It's a game of whack-a-mole for sure, and it's not just start-ups that take part in this sketchy behaviour to be honest. I've been plenty of examples in my time across the board.
The fundamental nature of Git makes this pretty easy for folks to scrape data from open source repositories. It's against our terms of service and those folks might want to talk with some lawyers about doing it - but as every Git commit contains your name and email address in the commit data it's not technically difficult even if it is unethical.
From the early days we've added features to help users anonymise their email addresses for commits posted to GitHub. Basically, you configure your local Git client to use your 'no-reply' email address in commits and that still links back to your GitHub account when you push: https://docs.github.com/en/account-and-profile/reference/ema...
I think that's still probably the best route. We want to keep open source data as open as possible, so I don't think locking down API's etc is the right route. We do throttle API requests and scraping traffic, but then again there have been plenty of posts here over the years from people annoyed at hitting those limits so it's definitely a balancing act. Love to know what folks here think though.
koito17 1 hours ago [-]
I don't have any specific suggestions, but I do want to give thanks for implementing functionality to block pushes if the email field is *not* using an anonymized mail address.
It's one thing to offer anonymous e-mail addresses, but it's also awesome that GitHub can help prevent mistakes that would otherwise leak a user's e-mail address. I am not sure how many people try to be privacy conscious on GitHub, but I assume most users don't, so it's nice seeing this little feature exist.
ayhanfuat 3 hours ago [-]
I am also getting constant spam because apparently they can see who starred a repo (i.e. I see you starred repo x and we are doing something similar). I am not starring anything anymore.
danesparza 41 minutes ago [-]
I didn't realize this was against the Github TOS - I just thought it was par for the course for recruiters nowadays. This is good to know!
Are no-reply emails associated with the accounts if the username is changed? That's one reason why I switched back to my personal email.
skwashd 40 minutes ago [-]
I know it is against the ToS. I've reported multiple organisations doing this. Last time I reported one, support closed the ticket saying the activity is off platform so they can't do anything.
AznHisoka 2 hours ago [-]
Maybe I am missing something, but can’t you simply not show the email address in a git commit? (Sincere question, not saying this is trivial. i am dumb and like to ask dumb questions even if might be embarassing)
If someone wants to message someone, it goes through github notifications or github emails them
Also banning an account doesnt seem like a heavy punishment, given they can simply move to gitlab, bitbucket etc
easton 2 hours ago [-]
Git commits have a email address as a required field[0], although some people put something bogus in there. And then it's in the data provided when you clone the repo onto your machine even if you aren't using the GitHub APIs.
To his point, you can set that to the no-reply email address GitHub gives you if you don't want mail but do want the commit to be linked to your GitHub account.
That would be a fundamental change to how Git works, not just GitHub. Even if the web UI didn't show it, a simple `git log` would reveal it.
You can mask your email address in git commits but a lot of open source projects won't accept that. And some pseudo-open-source ones insist on sending you an email to authenticate before they'll give you access to the GitHub repo (looking at you Unreal Engine!)
So, no, I don't think they could simply "not show the email address".
AznHisoka 2 hours ago [-]
Makes sens! Appreciate the explanation!
trympet 39 minutes ago [-]
Nice, thank you Martin. How do you punish the fraudsters? Do you send them to prison over CFAA violation terms of service?
skeptic_ai 3 minutes ago [-]
Will send a strong email: Don’t do bad things.
ericol 1 hours ago [-]
I've had more than a few instances of this over the past 2 years, and my reply is exactly the above.
"What you are doing is against Github's TOS"
cyann 2 minutes ago [-]
Got this spam today on my GitHub address, YC affiliated:
From: henry@joincactuscompute.com
Hey,
I hope all is well with you, just reaching out as you seem to be interested in on-device speech models.
Cactus is a low-latency AI engine for consumer devices like phones, Macs, wearables, Raspberry Pis, etc.
We support transcription models like Whisper & Parakeet, benchmarks available in the attached GitHub repo.
We are keen to get your feedback, and star if feeling generous.
Thanks a million
scottydelta 2 hours ago [-]
YC is a proud investor in Flock, what YC Ethics thing are you talking about?
ls-a 2 hours ago [-]
There is a YC startup who's product is a blacklist of employees so that other startups don't hire them. Female founders. Forgot its name.
Edit: With AI's help I found its name. Startup called Bad News.
shrubble 1 hours ago [-]
How would that even be legal? (Although I can't find such a startup with any kind of search engine)
akerl_ 44 minutes ago [-]
Why would it be illegal?
john_strinlai 9 minutes ago [-]
i am not sure of anywhere it is illegal.
but areas i am familiar with can consider a negative reference to be defamation, thus anyone providing a negative reference should only do so if they are able to defend it (i.e. prove their statement is substantially true, or prove that the statement was honestly believed to be true and published with no malice or reckless disregard).
seems risky, at least, to build a whole business around negative references that could potentially cross the line into defamation. but that type of thinking is probably why i am not rich.
drcongo 3 minutes ago [-]
It's definitely illegal in the UK.
k33n 1 hours ago [-]
I can't find any website for it. Are you sure it's not just some posting category on Bookface, YC's internal social network?
ls-a 1 hours ago [-]
According to chatgpt there was backlash and the startup renamed itself. I remember when i saw it in YC's startup list a few years ago it seemed stealthy (no website etc.)
cassonmars 2 hours ago [-]
And Cluely
tasn 2 hours ago [-]
Cluely is not YC.
keiferski 2 hours ago [-]
I've spent a lot of my career marketing to developers, and spamming their GitHub account might be top 1 or 2 worst marketing tactics you can use.
Cold emailing rarely works by itself. Cold emailing developers via emails you pulled from their GitHub accounts? At that point, you're actively harming your brand, and may as well just send them spam diet pill ads.
dewey 3 hours ago [-]
This happens all the time, not really surprised as the GitHub API makes it pretty easy to extract valuable leads with real and confirmed email addresses.
But that is someone pretending to be YC which is sort of less interesting than a YC company doing something bad. Because phishers imitate legit companies all the time. Easy to get roped in and I sympathise, anyone is suseptable (today I almost clicked the phishing training email as it looked urgent and pushed the right buttons)
4 hours ago [-]
ChrisMarshallNY 4 hours ago [-]
Looks like GH nuked it, though.
Hope they didn’t get too many folks.
nubinetwork 3 hours ago [-]
That's a little creepier than the time I got an email from someone trying to push a new crypto coin to me because I contributed to OSS.
Doesn't YC have some code of conduct or legal/ethical guidelines? I would assume a legal and compliance department would have some major headache if documented cases of misconduct jeopardize later due diligence. I would not fund or aquire a company on the radar of national regulatory bodies for something as stupid as this.
thinkingtoilet 2 hours ago [-]
Like every other VC firm, the only thing they care about is money. They can pretend to morals, but they will never sacrifice one for the other in any meaningful way.
buellerbueller 1 hours ago [-]
Imagine thinking in 2026 that an American tech company has ethics.
haute_cuisine 18 minutes ago [-]
Only free individual can have strong ethics. There are no free people in capitalism, money is debt after all. Think of applied pressure once you sign under VC money and amount of brainwashing / gaslighting. I sincerely hope my observation is wrong.
kristoff_it 4 hours ago [-]
I have received over the years so much spam of this kind by multiple YC-funded companies that I now reflexively send to spam any email that mentions being YC-funded, regardless of how legitimate the email is.
neya 3 hours ago [-]
I don't blame you, the FOMO is real to the point even basic ChatGPT wrappers are getting funded these days, I guess.
jvwww 1 hours ago [-]
I'm always interested to understand - what constitutes a basic ChatGPT wrapper?
Is Legora, which is doing very well, a basic ChatGPT wrapper? Because if you don't view it as one, it certainly started as one.
AznHisoka 2 hours ago [-]
Same here, having YC attached to your name is not the flex you think it is, its even the opposite for me
scosman 12 minutes ago [-]
I’m also getting “saw you on GitHub” spam from voice.ai
And they are using a different domain for the emails so the spam markers don’t hit their primary domain.
EdNutting 2 hours ago [-]
My solution to this is to use a Github-specific email address. All emails sent to that address which do not originate from GitHub are immediately reported as spam, marked read and deleted.
I sometimes use different git/GitHub addresses depending on who I'm working for or specific projects so I can more accurately detect where data is being scraped from.
EdNutting 2 hours ago [-]
N.B. Using service-specific emails is trivial - you don't need separate email accounts. Just use email aliases, e.g. "john.smith+github@gmail.com" -- which is an alias called "github" for "john.smith@gmail.com"
input_sh 2 hours ago [-]
A simple regex filter will get rid of that. Now, if you use your own domain and have it configured as a catch-all, then you could do github@domain.tld.
gus_massa 2 hours ago [-]
Don't spammers have an automatic filter to cleanup that?
EdNutting 2 hours ago [-]
You'd have thought so, but no, in my experience this works very well. People doing this kind of spamming don't seem to be particularly bright, nor do they seem to spend any time/effort to clean up their scraped database.
jacquesm 24 minutes ago [-]
Sometimes they also scrape HN profiles, it is most irritating.
lordgrenville 2 hours ago [-]
Maybe a dumb question, but isn't this trivially solved with this .gitconfig?
[user]
name = lordgrenville
email = <some_kind_of_id>+lordgrenville@users.noreply.github.com
haute_cuisine 14 minutes ago [-]
Not all projects are hosted at github. You also might want to receve relevant mail from fellow developers.
darknavi 2 hours ago [-]
Sure, as long as you want to rewrite all of the history of all of your public repositories.
lordgrenville 1 hours ago [-]
Oh yeah, I have always had this as it was pretty clear to me that the info in the email field is public.
theturtletalks 3 hours ago [-]
General advice would be to mark the email as spam or junk and hopefully their email platform penalizes them, but this has been working less and less. Email has truly become pay to play now.
suyash 2 hours ago [-]
That's exactly what I've been doing with solicitation emails, reporting as SPAM on gmail.
pscanf 4 hours ago [-]
I was also spammed (twice) by voice.ai.
You mention GDPR, which also "applies" to me, though I wonder if what they're doing is actually illegal. I mean, after all, I'm putting my email on GitHub precisely to give people a way to contact me.
Of course, I do that naïvely, assuming good faith, not expecting _companies_ to use it to spam me. So definitely what they're doing is, at the very least, in poor taste.
notpushkin 2 hours ago [-]
> I'm putting my email on GitHub precisely to give people a way to contact me.
They’re not only looking at the public email in your profile, they’re also looking at your committer email (git config user.email). You could argue that you’re not putting that out for people to contact you.
(I’ve used that trick a couple times to reach out to people, too, but never mass emailing.)
zvqcMMV6Zcr 4 hours ago [-]
Is there any company that will take my money to solve GDPR issues? And by solve I mean sue the spammers? For last few years I saw they "try" to look legit, by claiming addresses are managed by some Hungarian/Spanish shell company, hoping no one will be able to afford pursuing infractions over borders.
RobotToaster 3 hours ago [-]
There's probably a law against it, but I've always thought a legal company could make decent money taking cases like this in bulk for free, on the condition that they get to keep all the compensation, while the "client" still gets the satisfaction of punishing the offending party.
rationalist 2 hours ago [-]
On the U.S., only Attorneys General can go after violators of the CAN-SPAM Act.
It needs to be modified like how individuals can go after telemarketers.
notpushkin 2 hours ago [-]
That’s pretty much class action lawsuits!
KomoD 3 hours ago [-]
> Is there any company that will take my money to solve GDPR issues? And by solve I mean sue the spammers?
A lawyer
victorbjorklund 3 hours ago [-]
They spammed me as well.
j16sdiz 2 hours ago [-]
Over many years, I have got email from university for survey / research.
This is not GitHub only, I have got a survey on how my experience interacting with folks on lkml
rlaabs 3 hours ago [-]
I've received the exact same email from the same company.
bakugo 3 hours ago [-]
This sounded familiar, so I checked my inbox and I did indeed receive a similar email from sanchitmonga@runanywheresdk.com earlier this month:
> I came across your GitHub profile and thought you might be interested in what my team and I are building. We're developing an open source SDK that runs LLMs directly on-device.
What's even more interesting is that both buildrunanywhere.org and runanywheresdk.com show a stock hostinger parking page when accessed in a browser. Something tells me they're intentionally registering these "alternate" domains specifically for spam, to avoid tanking the email reputation of their main runanywhere.ai domain.
I guess I shouldn't be surprised given YC is going all in on AI and most AI companies are no better than the crypto scammers of yesteryear, but still.
18 minutes ago [-]
Imustaskforhelp 1 hours ago [-]
I observed the same thing and it was only when you told me the main domain that I found their website.
> Something tells me they're intentionally registering these "alternate" domains specifically for spam, to avoid tanking the email reputation of their main runanywhere.ai domain
(I also couldn't see any post created by them on YC checking algolia from their website fwiw)
Seeing their star history on their product, I see some few interesting observations[0] Their star history was almost horizontal between december and february until it got vertical all of a sudden.
I looked through their linkedin and found this website owned by them as well https://www.openclawpi.com/ and using the YC brand here as well. (registerered 26 days ago)
This website looks fairly AI generated to me as well and there are some bugs within the original website as well which I am now incredibly more unsure of if generated by AI or not given the similarities between the two websites UI/UX as well.
axegon_ 2 hours ago [-]
I've received several similar ones over the years. At this point, if I get an email from someone I don't know and it contains a link, chances are it's spam. I genuinely doubt github(or any other company for that matter) would do something about it. While I fully support GDPR, the truth is, few people are willing to take action knowing how much bureaucracy would be involved...
dagi3d 1 hours ago [-]
> how much bureaucracy would be involved...
it varies from country to country, but filling a complaint on that matter is usually quite straightforward
outloudvi 3 hours ago [-]
I usually check the "Received" header and report to the email service provider. Once in a while I receive a response saying the case is properly handled.
These providers are the only ones that care about their reputation and thus may take some action. Investors? Nope.
john_strinlai 1 minutes ago [-]
the problem is that the emails arent typically sent from the main domain.
in this example, the email came from buildrunanywhere.org, which is just a parked domain. the real domain is runanywhere.ai, which they arent using for spam.
so, once buildrunanywhere.org has their reputation burned from reports, they will simply register buildrunanywheres.org and start spamming again.
rodrigodlu 2 hours ago [-]
I did receive these kinds of emails as well.
And I use a different email fromy priority email for GitHub commits since 4 years ago.
So just stop with marketing slop please.
Yes, I work with AI, and I'm becoming pretty good at it.
But this doesn't mean I'm comfortable pushing AI slop into potential users and customers.
I (and they) want to use AI to facilitate their processes, not to ingest slop content.
idoxer 36 minutes ago [-]
I also received this shitty email 3 days ago
nprateem 2 hours ago [-]
There's no reason to put your real email in git config unless you're signing, in which case repos should be private. I would have thought that was obvious.
koakuma-chan 4 hours ago [-]
I have been having the same experience. If you starred a GitHub repo, and they think that their product is similar, they will send you their spam. I condemn this! They should be ashamed!
lyu07282 1 hours ago [-]
After 25 years on the internet dealing with spam, it would never even occur to me to invest the energy to write a letter to the offending companies investor. But more power to them I'd say!
atfzl 4 hours ago [-]
[flagged]
bilekas 3 hours ago [-]
This is some next level spam posting. Not sure to be annoyed or impressed.
speedgoose 4 hours ago [-]
Why would you promote spam?
RobotToaster 3 hours ago [-]
I feel like spam is somewhat less offensive when it's for FOSS, assuming it isn't some faux FOSS freemium scam. It's about the only spam I wouldn't mind getting.
ChrisMarshallNY 4 hours ago [-]
I’m not especially bothered by this [yet -AI is likely to make this worse]. It’s a fairly insignificant component of my spam catcher. At least, it’s a bit focused.
Every day, I get deluged with hundreds of spam and scam emails, often because some knucklehead entered my email in a form (either accidentally, or as a throwaway red herring).
> Some examples of ethical behavior we expect from founders are:
> - Not spamming members of the community
> To maintain our community, if we determine (in our sole discretion) that a founder has behaved unethically during or after YC, we will revoke their YC founder status. This includes access to all Y Combinator spaces, software, lists and events. All founders in a company may be held responsible for the unethical actions of a single co-founder or a company employee, depending on the circumstances.
RobotToaster 3 hours ago [-]
Has this ever actually been enforced?
ChrisMarshallNY 3 hours ago [-]
> > - Not spamming members of the community
Ah... but there's the rub.
Define "the community."
Do random GH accounts count as "members of the YC community"?
Sorry, but unsolicited contact, much as I hates, HATESSSS it, is a classic component of any business, and has been, for many decades. I don't think it would be appropriate for a business organization to prohibit its members from engaging in "cold calling," of which, UCE is really an example.
Using the YC branding/name, however, is a different matter.
ValentineC 4 hours ago [-]
> These emails indicate that those companies scrape people's Github activity, and if they notice users contributing to repos in their field of business, send marketing emails to those users without receiving their consent. My guess is that they use commit metadata for this purpose.
There are likely marketing email datasets floating around the internet that contain email addresses scraped from commit metadata.
I use a catchall with a specific Git client (not GitHub) email address, and found spam and phishing emails being sent there quite a few times.
input_sh 3 hours ago [-]
May not necessarily be from commit messages, there's at least one way simpler way: simply adding .gpg to the end of any user URL will return that user's public GPG key.
Rendered at 14:57:53 GMT+0000 (Coordinated Universal Time) with Vercel.
The fundamental nature of Git makes this pretty easy for folks to scrape data from open source repositories. It's against our terms of service and those folks might want to talk with some lawyers about doing it - but as every Git commit contains your name and email address in the commit data it's not technically difficult even if it is unethical.
From the early days we've added features to help users anonymise their email addresses for commits posted to GitHub. Basically, you configure your local Git client to use your 'no-reply' email address in commits and that still links back to your GitHub account when you push: https://docs.github.com/en/account-and-profile/reference/ema...
I think that's still probably the best route. We want to keep open source data as open as possible, so I don't think locking down API's etc is the right route. We do throttle API requests and scraping traffic, but then again there have been plenty of posts here over the years from people annoyed at hitting those limits so it's definitely a balancing act. Love to know what folks here think though.
It's one thing to offer anonymous e-mail addresses, but it's also awesome that GitHub can help prevent mistakes that would otherwise leak a user's e-mail address. I am not sure how many people try to be privacy conscious on GitHub, but I assume most users don't, so it's nice seeing this little feature exist.
How do I report that person, though? Your support page about reporting abuse assumes I know the person's Github account: https://docs.github.com/en/communities/maintaining-your-safe...
If someone wants to message someone, it goes through github notifications or github emails them
Also banning an account doesnt seem like a heavy punishment, given they can simply move to gitlab, bitbucket etc
To his point, you can set that to the no-reply email address GitHub gives you if you don't want mail but do want the commit to be linked to your GitHub account.
[0]: https://git-scm.com/docs/git-commit#_commit_information
You can mask your email address in git commits but a lot of open source projects won't accept that. And some pseudo-open-source ones insist on sending you an email to authenticate before they'll give you access to the GitHub repo (looking at you Unreal Engine!)
So, no, I don't think they could simply "not show the email address".
"What you are doing is against Github's TOS"
From: henry@joincactuscompute.com
Hey,
I hope all is well with you, just reaching out as you seem to be interested in on-device speech models.
Cactus is a low-latency AI engine for consumer devices like phones, Macs, wearables, Raspberry Pis, etc.
We support transcription models like Whisper & Parakeet, benchmarks available in the attached GitHub repo.
GitHub: https://github.com/cactus-compute/cactus
We are keen to get your feedback, and star if feeling generous.
Thanks a million
Edit: With AI's help I found its name. Startup called Bad News.
but areas i am familiar with can consider a negative reference to be defamation, thus anyone providing a negative reference should only do so if they are able to defend it (i.e. prove their statement is substantially true, or prove that the statement was honestly believed to be true and published with no malice or reckless disregard).
seems risky, at least, to build a whole business around negative references that could potentially cross the line into defamation. but that type of thinking is probably why i am not rich.
Cold emailing rarely works by itself. Cold emailing developers via emails you pulled from their GitHub accounts? At that point, you're actively harming your brand, and may as well just send them spam diet pill ads.
https://news.ycombinator.com/item?id=45357205
Hope they didn’t get too many folks.
https://news.ycombinator.com/item?id=9332418 (11 years ago)
https://news.ycombinator.com/item?id=20660624 (7 years ago)
https://news.ycombinator.com/item?id=27855152 (5 years ago)
https://news.ycombinator.com/item?id=30900237 (4 years ago)
Seems it’s a reoccurring issue
And they are using a different domain for the emails so the spam markers don’t hit their primary domain.
I sometimes use different git/GitHub addresses depending on who I'm working for or specific projects so I can more accurately detect where data is being scraped from.
You mention GDPR, which also "applies" to me, though I wonder if what they're doing is actually illegal. I mean, after all, I'm putting my email on GitHub precisely to give people a way to contact me.
Of course, I do that naïvely, assuming good faith, not expecting _companies_ to use it to spam me. So definitely what they're doing is, at the very least, in poor taste.
They’re not only looking at the public email in your profile, they’re also looking at your committer email (git config user.email). You could argue that you’re not putting that out for people to contact you.
(I’ve used that trick a couple times to reach out to people, too, but never mass emailing.)
It needs to be modified like how individuals can go after telemarketers.
A lawyer
This is not GitHub only, I have got a survey on how my experience interacting with folks on lkml
> I came across your GitHub profile and thought you might be interested in what my team and I are building. We're developing an open source SDK that runs LLMs directly on-device.
What's even more interesting is that both buildrunanywhere.org and runanywheresdk.com show a stock hostinger parking page when accessed in a browser. Something tells me they're intentionally registering these "alternate" domains specifically for spam, to avoid tanking the email reputation of their main runanywhere.ai domain.
I guess I shouldn't be surprised given YC is going all in on AI and most AI companies are no better than the crypto scammers of yesteryear, but still.
> Something tells me they're intentionally registering these "alternate" domains specifically for spam, to avoid tanking the email reputation of their main runanywhere.ai domain
This is a really bad look on them.
https://www.whatsmydns.net/domain-age?q=buildrunanywhere.org and https://www.whatsmydns.net/domain-age?q=runanywheresdk.com
Both these domain were registered only 36 days ago
Their main domain had been around for 6 month (216 days) tho:- https://www.whatsmydns.net/domain-age?q=runanywhere.ai
(I also couldn't see any post created by them on YC checking algolia from their website fwiw)
Seeing their star history on their product, I see some few interesting observations[0] Their star history was almost horizontal between december and february until it got vertical all of a sudden.
[0]:https://www.star-history.com/#runanywhere.ai/runanywhere.ai&...
I looked through their linkedin and found this website owned by them as well https://www.openclawpi.com/ and using the YC brand here as well. (registerered 26 days ago)
This website looks fairly AI generated to me as well and there are some bugs within the original website as well which I am now incredibly more unsure of if generated by AI or not given the similarities between the two websites UI/UX as well.
These providers are the only ones that care about their reputation and thus may take some action. Investors? Nope.
in this example, the email came from buildrunanywhere.org, which is just a parked domain. the real domain is runanywhere.ai, which they arent using for spam.
so, once buildrunanywhere.org has their reputation burned from reports, they will simply register buildrunanywheres.org and start spamming again.
And I use a different email fromy priority email for GitHub commits since 4 years ago.
So just stop with marketing slop please.
Yes, I work with AI, and I'm becoming pretty good at it.
But this doesn't mean I'm comfortable pushing AI slop into potential users and customers.
I (and they) want to use AI to facilitate their processes, not to ingest slop content.
Every day, I get deluged with hundreds of spam and scam emails, often because some knucklehead entered my email in a form (either accidentally, or as a throwaway red herring).
> Some examples of ethical behavior we expect from founders are:
> - Not spamming members of the community
> To maintain our community, if we determine (in our sole discretion) that a founder has behaved unethically during or after YC, we will revoke their YC founder status. This includes access to all Y Combinator spaces, software, lists and events. All founders in a company may be held responsible for the unethical actions of a single co-founder or a company employee, depending on the circumstances.
Ah... but there's the rub.
Define "the community."
Do random GH accounts count as "members of the YC community"?
Sorry, but unsolicited contact, much as I hates, HATESSSS it, is a classic component of any business, and has been, for many decades. I don't think it would be appropriate for a business organization to prohibit its members from engaging in "cold calling," of which, UCE is really an example.
Using the YC branding/name, however, is a different matter.
There are likely marketing email datasets floating around the internet that contain email addresses scraped from commit metadata.
I use a catchall with a specific Git client (not GitHub) email address, and found spam and phishing emails being sent there quite a few times.