Tell HN: YC companies scrape GitHub activity, send spam emails to users

Martin from GitHub here. This type of behaviour is explicitly against the GitHub terms of service, when we catch the accounts doing this we can (and do) take action against those accounts including banning the accounts. It's a game of whack-a-mole for sure, and it's not just start-ups that take part in this sketchy behaviour to be honest. I've been plenty of examples in my time across the board.

The fundamental nature of Git makes this pretty easy for folks to scrape data from open source repositories. It's against our terms of service and those folks might want to talk with some lawyers about doing it - but as every Git commit contains your name and email address in the commit data it's not technically difficult even if it is unethical.

From the early days we've added features to help users anonymise their email addresses for commits posted to GitHub. Basically, you configure your local Git client to use your 'no-reply' email address in commits and that still links back to your GitHub account when you push: https://docs.github.com/en/account-and-profile/reference/ema...

I think that's still probably the best route. We want to keep open source data as open as possible, so I don't think locking down API's etc is the right route. We do throttle API requests and scraping traffic, but then again there have been plenty of posts here over the years from people annoyed at hitting those limits so it's definitely a balancing act. Love to know what folks here think though.

YC is a proud investor in Flock, what YC Ethics thing are you talking about?

I've spent a lot of my career marketing to developers, and spamming their GitHub account might be top 1 or 2 worst marketing tactics you can use.

Cold emailing rarely works by itself. Cold emailing developers via emails you pulled from their GitHub accounts? At that point, you're actively harming your brand, and may as well just send them spam diet pill ads.

Ever wonder why YC has the "Describe a time you most successfully hacked some system to your advantage" question? It's because they select for founders that are willing to take advantage of legal gray areas. Airbnb repeatedly violated Craigslist terms of service and called it "growth hacking." Reddit stole content from Digg and faked users. OpenAI trains their models on copyrighted content.

I also had unsolicited spam from Vincent Jiang of Aden, another YC company.

    Hi Daniel,

    I just came across your profile on social media and wondered if you'd be interested in joining our Discord community for AI agent development. Currently, we see that agents break, loop, get lost, hallucinate, and cost a fortune, and therefore built a space where developers can share challenges and insights.

Got this spam today on my GitHub address, YC affiliated:

From: [email protected]

Hey,

I hope all is well with you, just reaching out as you seem to be interested in on-device speech models.

Cactus is a low-latency AI engine for consumer devices like phones, Macs, wearables, Raspberry Pis, etc.

We support transcription models like Whisper & Parakeet, benchmarks available in the attached GitHub repo.

GitHub: https://github.com/cactus-compute/cactus

We are keen to get your feedback, and star if feeling generous.

Thanks a million

I remember this being discussed a while ago

https://news.ycombinator.com/item?id=9332418 (11 years ago)

https://news.ycombinator.com/item?id=20660624 (7 years ago)

https://news.ycombinator.com/item?id=27855152 (5 years ago)

https://news.ycombinator.com/item?id=30900237 (4 years ago)

Seems it’s a reoccurring issue

Just got a SPAM email from a Github scraper while reading this thread:

From: [email protected] Quick note – your GitHub profile Hi X,

I came across your profile on GitHub. Given you're based in the US, I thought it might be relevant to reach out.

Profile:

I run a technical team (full-stack, cloud, DevOps) that delivers for clients. We're looking to work with an engineer based in the US on client-facing coordination—discovery, requirements, alignment—while we handle delivery. If that might be relevant, I'd be glad to set up a short call.

Regards, James

If I had to guess, "James" is a North Korean looking to scam US clients, based on my experience with shady actors.

I have received over the years so much spam of this kind by multiple YC-funded companies that I now reflexively send to spam any email that mentions being YC-funded, regardless of how legitimate the email is.

This is atleast fine as it's just spam, I got pulled into an actual scam and it never made it to the frontpage.

https://news.ycombinator.com/item?id=45357205

YC is basically advising their startups to engage in shitty business practices, like trying to hire UK staff for half the salary and expecting 7 day weeks.

Email address privacy is a feature offered by Github and replaces your day to day email: https://docs.github.com/en/account-and-profile/how-tos/email...

As a side note unsolicited advertisement of this kind is illegal in Europe.

And them claiming "they didn't know" can be dismissed given that many dev on GH have location information set.

It also in general doesn't change anything. the law doesn't care if you know or didn't.

Startups starting out their journey by committing crime is always a grate sign for their trustability.

This happens all the time, not really surprised as the GitHub API makes it pretty easy to extract valuable leads with real and confirmed email addresses.

Doesn't YC have some code of conduct or legal/ethical guidelines? I would assume a legal and compliance department would have some major headache if documented cases of misconduct jeopardize later due diligence. I would not fund or aquire a company on the radar of national regulatory bodies for something as stupid as this.

Yo, I also got the email:

""" Hi Matt,

I found your GitHub and thought you might like what we're building. We're developing an open source SDK that runs LLMs directly on-device.

We're getting about 45 tokens per second on iPhones, with support for Swift, Kotlin, React Native and Flutter. There's also a fully offline voice pipeline built in, so everything runs locally. We recently got into Y Combinator and are focused on expanding support to more edge devices and continuously improving performance.

If you're curious, here's the repo: github.com/RunanywhereAI/runanywhere-sdks

Feel free to reply to this email with any feedback or ideas you'd like to explore with on-device AI, or if you'd be interested in contributing. I'd love to hear your thoughts.

Best, Aditya """

Just to share the entire email, I think it's pretty well written, I went ahead and talked to the team, they were very curious and took my feedback regarding their flutter sdks very seriously, and they seem to be great people. Also, just an fyi, I tried their sdks, it's great! and I've been loving their apps as well.

I think their team is great, and I asked them for adding the rag implementation, they did it in less than week and it's pretty impressive. I think it's worth checking it out, It's easier to demean someone in public like that but might be worth checking.

I consider any company funded by YC to be engaging in legally grey or fraudulent activity.

Didn't AirBnB famously spam people in the Bay Area as a "guerilla tactic" to build the business in its early days? This kind of fast and loose behaviour seems standard.

I find it interesting that a substantial number of people seem to think it's wrong or unethical to cold-email someone about a potential recruitment or business opportunity if they post their email in a public place, such as commits in a public Github repo.

I feel like if you don't want companies to cold-email you, you shouldn't make your email public. Github provides noreply email addresses for this purpose.

For me, its those Who's hiring or Who wants to get hired posts. I used a throwaway email once and got emails about SEO and AI projects.

I don’t engage. I mark as spam, block the sender/domain, and move on.

I’m not especially bothered by this [yet -AI is likely to make this worse]. It’s a fairly insignificant component of my spam catcher. At least, it’s a bit focused.

Every day, I get deluged with hundreds of spam and scam emails, often because some knucklehead entered my email in a form (either accidentally, or as a throwaway red herring).

General advice would be to mark the email as spam or junk and hopefully their email platform penalizes them, but this has been working less and less. Email has truly become pay to play now.

I’m also getting “saw you on GitHub” spam from voice.ai

And they are using a different domain for the emails so the spam markers don’t hit their primary domain.

I get spams referring my GitHub username from time to time too: https://netbros.com/1771535100/. I swear it has gotten worse the last year or two.

Yes, startups, recruiting platforms, and students/“researchers” with stupid surveys for their worthless “research” spam me all the time by scraping the email from GitHub. I immediately trash the first two categories; I send a sternly-worded reply to the third category.

They scrape "Show HN" as well. I got put on a list and continue to get spam to this day.

Even worse, I got contacted through YC Jobs (workatastartup.com) with a message that was basically: "Star, fork, and submit PRs to our open-source repo and we'll review you for a contract."

I immediately realize it's engagement farming + free labor. I said "No thanks."

Got this reply: "(...) I'm looking forward to reviewing your PRs. Feel free to share me any of your questions. (...)"

Apparently, no one read my reply - not even AI. They are automating this shit. It's sad that many fall for it (check their Github repo)

---

Company: Aden (W20)

Contact: Vincent Jiang, Founder

Github: https://github.com/aden-hive/hive

That's nothing. Former/current YC founders are also abusing BookFace.

I did YC and now work at a frontier lab.

I've received multiple spam-style emails from (mostly young) current founders tagging me and all other YC-alum at my place-of-work with the profiles of their friends for internship roles, referrals, etc.. Same girl has done it for like 5 different people.

My solution to this is to use a Github-specific email address. All emails sent to that address which do not originate from GitHub are immediately reported as spam, marked read and deleted.

I sometimes use different git/GitHub addresses depending on who I'm working for or specific projects so I can more accurately detect where data is being scraped from.

I was also spammed (twice) by voice.ai.

You mention GDPR, which also "applies" to me, though I wonder if what they're doing is actually illegal. I mean, after all, I'm putting my email on GitHub precisely to give people a way to contact me.

Of course, I do that naïvely, assuming good faith, not expecting _companies_ to use it to spam me. So definitely what they're doing is, at the very least, in poor taste.

This sounds decently targeted, why is it so offensive? Email marketing is far more democratic than Superbowl ads, give a small company a chance it's not hard to build something without the Superbowl millions

I wish github could ammend the email of my commits to the private noreply address during push so they _never_ have any other email associated to them. May not be feasible due to the commit changing, confusing local branch and such?

They have this other thing where they reject pushes for the 'known' emails you've told them you have, but kinda seems there should be a setting to do that for any email that is not your noreply private one. is that a feasible thing to ask for?

FYI, there are whole companies built around this concept. You tell them which repos are interesting to you, and they give you a list of people who interact with that repo. They also de-anonymize the users so you can find them on LinkedIn or elsewhere.

Boundaries don't exist really in tech and especially with emails. I just filter out spam and block a good bit. People just ignore stuff now a days even people saying hi passing someone in the street (which I stopped doing)? My colleges spam filter catches a lot of them. Your email is presumably already in data dumps.

Maybe a dumb question, but isn't this trivially solved with this .gitconfig?

    [user]
         name = lordgrenville
         email = <some_kind_of_id>[email protected]

People here assume that YC is some kind of ethics benchmark for business. It's not.

this happens to me so often that I wonder if it's something YC suggest people do

Couldn’t github replace all public commits author info email by a [email protected] email automagically ?

Even before AI, I found it super annoying when I got spam from companies touting their YC cred.

They're literally hurting their own brand, as well as YC's.

I got some emails like this from overseas developers looking to borrow my Linkedin to land a higher paying job.

This sounded familiar, so I checked my inbox and I did indeed receive a similar email from [email protected] earlier this month:

> I came across your GitHub profile and thought you might be interested in what my team and I are building. We're developing an open source SDK that runs LLMs directly on-device.

What's even more interesting is that both buildrunanywhere.org and runanywheresdk.com show a stock hostinger parking page when accessed in a browser. Something tells me they're intentionally registering these "alternate" domains specifically for spam, to avoid tanking the email reputation of their main runanywhere.ai domain.

I guess I shouldn't be surprised given YC is going all in on AI and most AI companies are no better than the crypto scammers of yesteryear, but still.

Change your email to something like: [email protected] (the "+gh" tag). You can put any tag/word there, and if you get spam from a company you'll be able to identify that it came from them scraping your GH. Then you can report it with certainty.

Over many years, I have got email from university for survey / research.

This is not GitHub only, I have got a survey on how my experience interacting with folks on lkml

I've received the exact same email from the same company.

Oh I'm getting so tired of this. Lately there appears to have been an uptick in this kind of marketing spam too, there's so many companies trying to advertise their AI products this way. At least it's a good indicator of which companies I should avoid at all costs, and it provides me with an email address I can use to direct my angry emotions towards.

They're getting more aggressive at it too. Just yesterday I received an email from Alignerr (not YC affiliated I think) saying that my sign-up was complete and cheerfully welcoming me to their platform. I had never even heard of them. An automated "job opportunity!" email didn't arrive until 3 hours later, but by then I had already directed some angry words towards their support email.

Other, even less respectable projects are also regularly enrolling my GitHub projects into their platforms, and I have to actively reach out to them to remove it.

I'm so tired of this man. Can someone go and take away these organizations' ability to send emails?

I usually check the "Received" header and report to the email service provider. Once in a while I receive a response saying the case is properly handled.

These providers are the only ones that care about their reputation and thus may take some action. Investors? Nope.

Big deal, so does every other company.

If you're lonely just upload a few AI keywords to a repo. You'll get emails forever.

Sometimes they also scrape HN profiles, it is most irritating.

Happens all the time.