FRESH

Hacker News

Home

Tell HN: YC companies scrape GitHub activity, send spam emails to users

667 points by miki123211

by martinwoodward

21 subcomments

Martin from GitHub here. This type of behaviour is explicitly against the GitHub terms of service, when we catch the accounts doing this we can (and do) take action against those accounts including banning the accounts. It's a game of whack-a-mole for sure, and it's not just start-ups that take part in this sketchy behaviour to be honest. I've been plenty of examples in my time across the board.
The fundamental nature of Git makes this pretty easy for folks to scrape data from open source repositories. It's against our terms of service and those folks might want to talk with some lawyers about doing it - but as every Git commit contains your name and email address in the commit data it's not technically difficult even if it is unethical.
From the early days we've added features to help users anonymise their email addresses for commits posted to GitHub. Basically, you configure your local Git client to use your 'no-reply' email address in commits and that still links back to your GitHub account when you push: https://docs.github.com/en/account-and-profile/reference/ema...
I think that's still probably the best route. We want to keep open source data as open as possible, so I don't think locking down API's etc is the right route. We do throttle API requests and scraping traffic, but then again there have been plenty of posts here over the years from people annoyed at hitting those limits so it's definitely a balancing act. Love to know what folks here think though.

by scottydelta

4 subcomments

YC is a proud investor in Flock, what YC Ethics thing are you talking about?

by keiferski

2 subcomments

I've spent a lot of my career marketing to developers, and spamming their GitHub account might be top 1 or 2 worst marketing tactics you can use.
Cold emailing rarely works by itself. Cold emailing developers via emails you pulled from their GitHub accounts? At that point, you're actively harming your brand, and may as well just send them spam diet pill ads.

by an0malous

0 subcomment

Ever wonder why YC has the "Describe a time you most successfully hacked some system to your advantage" question? It's because they select for founders that are willing to take advantage of legal gray areas. Airbnb repeatedly violated Craigslist terms of service and called it "growth hacking." Reddit stole content from Digg and faked users. OpenAI trains their models on copyrighted content.

by unfunco

2 subcomments

I also had unsolicited spam from Vincent Jiang of Aden, another YC company.

    Hi Daniel,

    I just came across your profile on social media and wondered if you'd be interested in joining our Discord community for AI agent development. Currently, we see that agents break, loop, get lost, hallucinate, and cost a fortune, and therefore built a space where developers can share challenges and insights.

by cyann

2 subcomments

Got this spam today on my GitHub address, YC affiliated:
From: henry@joincactuscompute.com
Hey,
I hope all is well with you, just reaching out as you seem to be interested in on-device speech models.
Cactus is a low-latency AI engine for consumer devices like phones, Macs, wearables, Raspberry Pis, etc.
We support transcription models like Whisper & Parakeet, benchmarks available in the attached GitHub repo.
GitHub: https://github.com/cactus-compute/cactus
We are keen to get your feedback, and star if feeling generous.
Thanks a million

by armchairhacker

0 subcomment

I remember this being discussed a while ago
https://news.ycombinator.com/item?id=9332418 (11 years ago)
https://news.ycombinator.com/item?id=20660624 (7 years ago)
https://news.ycombinator.com/item?id=27855152 (5 years ago)
https://news.ycombinator.com/item?id=30900237 (4 years ago)
Seems it’s a reoccurring issue

by elwebmaster

2 subcomments

Just got a SPAM email from a Github scraper while reading this thread:
From: james@techglobal.website Quick note – your GitHub profile Hi X,
I came across your profile on GitHub. Given you're based in the US, I thought it might be relevant to reach out.
Profile:
I run a technical team (full-stack, cloud, DevOps) that delivers for clients. We're looking to work with an engineer based in the US on client-facing coordination—discovery, requirements, alignment—while we handle delivery. If that might be relevant, I'd be glad to set up a short call.
Regards, James
If I had to guess, "James" is a North Korean looking to scam US clients, based on my experience with shady actors.

by kristoff_it

2 subcomments

I have received over the years so much spam of this kind by multiple YC-funded companies that I now reflexively send to spam any email that mentions being YC-funded, regardless of how legitimate the email is.

by neya

4 subcomments

This is atleast fine as it's just spam, I got pulled into an actual scam and it never made it to the frontpage.
https://news.ycombinator.com/item?id=45357205

by c16

1 subcomments

Email address privacy is a feature offered by Github and replaces your day to day email: https://docs.github.com/en/account-and-profile/how-tos/email...

by callamdelaney

1 subcomments

YC is basically advising their startups to engage in shitty business practices, like trying to hire UK staff for half the salary and expecting 7 day weeks.

by dewey

2 subcomments

This happens all the time, not really surprised as the GitHub API makes it pretty easy to extract valuable leads with real and confirmed email addresses.

by WhatsName

8 subcomments

Doesn't YC have some code of conduct or legal/ethical guidelines? I would assume a legal and compliance department would have some major headache if documented cases of misconduct jeopardize later due diligence. I would not fund or aquire a company on the radar of national regulatory bodies for something as stupid as this.

by agcat

0 subcomment

This is so weird and true. The most unfortunate thing is that a lot of these data enrichment platform where they encourage these workflows but its clear that end person doesn't appreciate it.

by mattpal21

0 subcomment

Also I found this gem in my inbox - not just YC companies :/
""" Hi there!
I noticed you’re interested in on-device AI development and wanted to flag a new bounty program we just launched with Qualcomm. We’re looking for developers to build a local Android AI app (using the Nexa SDK). Since you're already exploring this space, I thought this might be an easy win for you.
The Bounty at a glance: - Prizes: $6,500 cash pool + Flagship Snapdragon devices. - Perks: Direct partnership & marketing spotlight from Qualcomm (huge for visibility) - The Ask: Build a working Android AI app that runs locally.
Registration is open now: https://sdk.nexa.ai/bounty
I want to help you win. Once you register, please reply to this email. I’d be happy to advise on your ideas to increase your chances of winning. Or, if you have an existing project, I can guide you on how to port it to NexaSDK for the submission
Best, Lynn @ Nexa AI """

by ttul

0 subcomment

Didn't AirBnB famously spam people in the Bay Area as a "guerilla tactic" to build the business in its early days? This kind of fast and loose behaviour seems standard.

by dathinab

0 subcomment

As a side note unsolicited advertisement of this kind is illegal in Europe.
And them claiming "they didn't know" can be dismissed given that many dev on GH have location information set.
It also in general doesn't change anything. the law doesn't care if you know or didn't.
Startups starting out their journey by committing crime is always a grate sign for their trustability.

by ChrisMarshallNY

1 subcomments

I’m not especially bothered by this [yet -AI is likely to make this worse]. It’s a fairly insignificant component of my spam catcher. At least, it’s a bit focused.
Every day, I get deluged with hundreds of spam and scam emails, often because some knucklehead entered my email in a form (either accidentally, or as a throwaway red herring).

by oldned

0 subcomment

one thing we can do: - mark it as spam. if enough people do this it does have an impact.
something GitHub can do: - offer an email address like [spam@github.com] so we can easily forward suspect TOS violations.

by coffeecoders

0 subcomment

For me, its those Who's hiring or Who wants to get hired posts. I used a throwaway email once and got emails about SEO and AI projects.
I don’t engage. I mark as spam, block the sender/domain, and move on.

by csense

2 subcomments

I find it interesting that a substantial number of people seem to think it's wrong or unethical to cold-email someone about a potential recruitment or business opportunity if they post their email in a public place, such as commits in a public Github repo.
I feel like if you don't want companies to cold-email you, you shouldn't make your email public. Github provides noreply email addresses for this purpose.

by theturtletalks

2 subcomments

General advice would be to mark the email as spam or junk and hopefully their email platform penalizes them, but this has been working less and less. Email has truly become pay to play now.

by scosman

0 subcomment

I’m also getting “saw you on GitHub” spam from voice.ai
And they are using a different domain for the emails so the spam markers don’t hit their primary domain.

by pscanf

3 subcomments

I was also spammed (twice) by voice.ai.
You mention GDPR, which also "applies" to me, though I wonder if what they're doing is actually illegal. I mean, after all, I'm putting my email on GitHub precisely to give people a way to contact me.
Of course, I do that naïvely, assuming good faith, not expecting _companies_ to use it to spam me. So definitely what they're doing is, at the very least, in poor taste.

by EdNutting

1 subcomments

My solution to this is to use a Github-specific email address. All emails sent to that address which do not originate from GitHub are immediately reported as spam, marked read and deleted.
I sometimes use different git/GitHub addresses depending on who I'm working for or specific projects so I can more accurately detect where data is being scraped from.

by oefrha

0 subcomment

Yes, startups, recruiting platforms, and students/“researchers” with stupid surveys for their worthless “research” spam me all the time by scraping the email from GitHub. I immediately trash the first two categories; I send a sternly-worded reply to the third category.

by mattpal21

0 subcomment

Yo, I also got the email:
""" Hi Matt,
I found your GitHub and thought you might like what we're building. We're developing an open source SDK that runs LLMs directly on-device.
We're getting about 45 tokens per second on iPhones, with support for Swift, Kotlin, React Native and Flutter. There's also a fully offline voice pipeline built in, so everything runs locally. We recently got into Y Combinator and are focused on expanding support to more edge devices and continuously improving performance.
If you're curious, here's the repo: github.com/RunanywhereAI/runanywhere-sdks
Feel free to reply to this email with any feedback or ideas you'd like to explore with on-device AI, or if you'd be interested in contributing. I'd love to hear your thoughts.
Best, Aditya """
Just to share the entire email, I think it's pretty well written, I went ahead and talked to the team, they were very curious and took my feedback regarding their flutter sdks very seriously, and they seem to be great people. Also, just an fyi, I tried their sdks, it's great! and I've been loving their apps as well.
I think their team is great, and I asked them for adding the rag implementation, they did it in less than week and it's pretty impressive. I think it's worth checking it out, It's easier to demean someone in public like that but might be worth checking.

by mustaphah

1 subcomments

Even worse, I got contacted through YC Jobs (workatastartup.com) with a message that was basically: "Star, fork, and submit PRs to our open-source repo and we'll review you for a contract."
I immediately realize it's engagement farming + free labor. I said "No thanks."
Got this reply: "(...) I'm looking forward to reviewing your PRs. Feel free to share me any of your questions. (...)"
Apparently, no one read my reply - not even AI. They are automating this shit. It's sad that many fall for it (check their Github repo)
---
Company: Aden (W20)
Contact: Vincent Jiang, Founder
Github: https://github.com/aden-hive/hive

by nektro

0 subcomment

first time I'm hearing that this is frowned upon. i usually ignore or politely decline

0 subcomment

by lordgrenville

4 subcomments

Maybe a dumb question, but isn't this trivially solved with this .gitconfig?

    [user]
         name = lordgrenville
         email = <some_kind_of_id>+lordgrenville@users.noreply.github.com

by 6thbit

2 subcomments

I wish github could ammend the email of my commits to the private noreply address during push so they _never_ have any other email associated to them. May not be feasible due to the commit changing, confusing local branch and such?
They have this other thing where they reject pushes for the 'known' emails you've told them you have, but kinda seems there should be a setting to do that for any email that is not your noreply private one. is that a feasible thing to ask for?

by jazzpush2

0 subcomment

That's nothing. Former/current YC founders are also abusing BookFace.
I did YC and now work at a frontier lab.
I've received multiple spam-style emails from (mostly young) current founders tagging me and all other YC-alum at my place-of-work with the profiles of their friends for internship roles, referrals, etc.. Same girl has done it for like 5 different people.

by dariubs

0 subcomment

But is it ok to send email to your repos stargazers?

by sieep

0 subcomment

I consider any company funded by YC to be engaging in legally grey or fraudulent activity.

by danbrooks

0 subcomment

I got some emails like this from overseas developers looking to borrow my Linkedin to land a higher paying job.

by LeoPanthera

0 subcomment

They scrape "Show HN" as well. I got put on a list and continue to get spam to this day.

by b8

0 subcomment

Boundaries don't exist really in tech and especially with emails. I just filter out spam and block a good bit. People just ignore stuff now a days even people saying hi passing someone in the street (which I stopped doing)? My colleges spam filter catches a lot of them. Your email is presumably already in data dumps.

by ttoinou

2 subcomments

Couldn’t github replace all public commits author info email by a username@author.github.com email automagically ?

0 subcomment

by jedberg

0 subcomment

FYI, there are whole companies built around this concept. You tell them which repos are interesting to you, and they give you a list of people who interact with that repo. They also de-anonymize the users so you can find them on LinkedIn or elsewhere.

by bakugo

2 subcomments

This sounded familiar, so I checked my inbox and I did indeed receive a similar email from sanchitmonga@runanywheresdk.com earlier this month:
> I came across your GitHub profile and thought you might be interested in what my team and I are building. We're developing an open source SDK that runs LLMs directly on-device.
What's even more interesting is that both buildrunanywhere.org and runanywheresdk.com show a stock hostinger parking page when accessed in a browser. Something tells me they're intentionally registering these "alternate" domains specifically for spam, to avoid tanking the email reputation of their main runanywhere.ai domain.
I guess I shouldn't be surprised given YC is going all in on AI and most AI companies are no better than the crypto scammers of yesteryear, but still.

by ting0

1 subcomments

Change your email to something like: myemail+gh@mail.com (the "+gh" tag). You can put any tag/word there, and if you get spam from a company you'll be able to identify that it came from them scraping your GH. Then you can report it with certainty.

by scirob

0 subcomment

This sounds decently targeted, why is it so offensive? Email marketing is far more democratic than Superbowl ads, give a small company a chance it's not hard to build something without the Superbowl millions

by pmdr

0 subcomment

People here assume that YC is some kind of ethics benchmark for business. It's not.

by apparent

0 subcomment

Even before AI, I found it super annoying when I got spam from companies touting their YC cred.
They're literally hurting their own brand, as well as YC's.

0 subcomment

by dukeofharen

0 subcomment

You can add Alignerr to the list as well.

by rlaabs

0 subcomment

I've received the exact same email from the same company.

by j16sdiz

0 subcomment

Over many years, I have got email from university for survey / research.
This is not GitHub only, I have got a survey on how my experience interacting with folks on lkml

by outloudvi

1 subcomments

I usually check the "Received" header and report to the email service provider. Once in a while I receive a response saying the case is properly handled.
These providers are the only ones that care about their reputation and thus may take some action. Investors? Nope.

by malmeloo

0 subcomment

Oh I'm getting so tired of this. Lately there appears to have been an uptick in this kind of marketing spam too, there's so many companies trying to advertise their AI products this way. At least it's a good indicator of which companies I should avoid at all costs, and it provides me with an email address I can use to direct my angry emotions towards.
They're getting more aggressive at it too. Just yesterday I received an email from Alignerr (not YC affiliated I think) saying that my sign-up was complete and cheerfully welcoming me to their platform. I had never even heard of them. An automated "job opportunity!" email didn't arrive until 3 hours later, but by then I had already directed some angry words towards their support email.
Other, even less respectable projects are also regularly enrolling my GitHub projects into their platforms, and I have to actively reach out to them to remove it.
I'm so tired of this man. Can someone go and take away these organizations' ability to send emails?

by jacquesm

0 subcomment

Sometimes they also scrape HN profiles, it is most irritating.

by ellieh

0 subcomment

this happens to me so often that I wonder if it's something YC suggest people do

by suprjami

0 subcomment

Big deal, so does every other company.
If you're lonely just upload a few AI keywords to a repo. You'll get emails forever.

by axegon_

1 subcomments

I've received several similar ones over the years. At this point, if I get an email from someone I don't know and it contains a link, chances are it's spam. I genuinely doubt github(or any other company for that matter) would do something about it. While I fully support GDPR, the truth is, few people are willing to take action knowing how much bureaucracy would be involved...

by tom_m

0 subcomment

Happens all the time.

by davidcollantes

0 subcomment

I get spams referring my GitHub username from time to time too: https://netbros.com/1771535100/. I swear it has gotten worse the last year or two.

by rodrigodlu

0 subcomment

I did receive these kinds of emails as well.
And I use a different email fromy priority email for GitHub commits since 4 years ago.
So just stop with marketing slop please.
Yes, I work with AI, and I'm becoming pretty good at it.
But this doesn't mean I'm comfortable pushing AI slop into potential users and customers.
I (and they) want to use AI to facilitate their processes, not to ingest slop content.

by Rapzid

0 subcomment

Bruh, they are probably using another YC company that provides this service.

by insane_dreamer

0 subcomment

I get these types of emails daily -- never bothered to check whether they are YC or not as I don't read them; I can tell from the first sentence that it's not a company I know and am doing biz with and it goes directly into z-file. Most seem to have gotten my email address from LinkedIn, others from GH.
Side note but the trick I learned, at least with gMail is not to delete the email (which doesn't prevent you from getting new ones), or even reporting as spam (which may or may not work), but instead dragging it into the Promotions tab, into which all future emails from that email address will automatically go. Promotions tab then acts as your Trash.
The quickest way to get me to never do business with you is to send me spam.

by hmokiguess

1 subcomments

HN and YC walk a thin line between hacker culture and venture capitalist culture. I know it’s easy to think that because HN comes from YC them too are aligned with hacker culture, but no. YC is all cutthroat business.

by idoxer

0 subcomment

I also received this shitty email 3 days ago

by nprateem

0 subcomment

There's no reason to put your real email in git config unless you're signing, in which case repos should be private. I would have thought that was obvious.

by koakuma-chan

1 subcomments

I have been having the same experience. If you starred a GitHub repo, and they think that their product is similar, they will send you their spam. I condemn this! They should be ashamed!

by JOHN34567

0 subcomment

[dead]

by JOHN3456

0 subcomment

[dead]

by NimrodKramer

0 subcomment

[dead]

by mattpal21

0 subcomment

[dead]

by atfzl

3 subcomments

[flagged]

by ValentineC

1 subcomments

> These emails indicate that those companies scrape people's Github activity, and if they notice users contributing to repos in their field of business, send marketing emails to those users without receiving their consent. My guess is that they use commit metadata for this purpose.
There are likely marketing email datasets floating around the internet that contain email addresses scraped from commit metadata.
I use a catchall with a specific Git client (not GitHub) email address, and found spam and phishing emails being sent there quite a few times.