
Comment by Ansil849

4 years ago

Yes, these kinds of marketing tactics are disgusting and despicable, but the broader issue is why does Github facilitate them by making user emails discoverable? There are tools like github-email [1], which allow you to:

> Retrieve a GitHub user's email even if it's not public. Pulls info from Github user, NPM, activity commits, owned repo commit activity.

Why does Github have so many ways to exfiltrate a user's email address?

[1] https://github.com/paulirish/github-email

Given that having an email address attached to commits is a fairly standard component of git, is there a way to prevent this?

Short of using burner/fake email addresses, of course.

  • The best way, at least when committing to GH, is to use your GH email itself like so

      8601934+judge2020@users.noreply.github.com

    You can find this in email settings https://github.com/settings/emails under “Keep my email addresses private”

    You can’t receive email at this address, so, hopefully, anyone that needs to contact you can find your real email elsewhere.

    • I don't actually use Github for my personal stuff, but that's good to know either way!

      Thanks for the heads up.

  • The only (remotely) effective strategy I've seen is to use burners that only show up in commits and then report all companies using them to GitHub itself in the hopes that eventually those companies will somehow be reprimanded.

    Of course, the problems with this strategy are that the manual work scales poorly, there are two or more points of failure, and the best outcome is only marginally positive, doing nothing to deter future abuse.

    • > the best outcome is only marginally positive, doing nothing to deter future abuse.

      This is the problem with virtually all spam remedies so far. If the penalty is that their success rate merely goes down, well it's already dismal, what's another few percent even matter? The economics are massively in their favor.

      Until they start getting kicked off platforms for a certain number of spam complaints, the way creators get kicked off platforms for a certain number of DMCA strikes (which can be bogus, that's a problem I'd not like to copy), there's nothing incentivizing them to really, really hesitate and check with legal before pulling the trigger on an email.

      Spammers should live in fear. Until we make that happen, nothing will change.

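The noreply-address setup described in the comment above, as an added example that is not part of the thread: a POSIX shell script that configures a repository to commit only under a GitHub noreply address (the address used here is a constructed placeholder, not a real account) and a small audit function that lists any author or committer address in a repository's history that is not a noreply address. `user.useConfigOnly` is a real git setting that stops git from falling back to a guessed `user@hostname` identity when no email is configured, which is the other common way a real address slips into history.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed placeholder for the
# address GitHub shows under Settings > Emails > "Keep my email addresses private".
NOREPLY_EMAIL="12345678+example-user@users.noreply.github.com"

# Create a throwaway repository whose single commit is authored with the given
# email, and print the repository path. $1 = email to commit with.
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  # Refuse to commit unless name/email are set explicitly; prevents git from
  # inventing an identity from the local username and hostname.
  git -C "$dir" config user.useConfigOnly true
  git -C "$dir" config user.name "example-user"
  git -C "$dir" config user.email "$1"
  echo "hello" > "$dir/README"
  git -C "$dir" add README
  git -C "$dir" commit -q -m "initial commit"
  printf '%s\n' "$dir"
}

# Audit a repository's full history: print every distinct author (%ae) and
# committer (%ce) address that is NOT a GitHub noreply address. Prints nothing
# when history is clean. $1 = path to repository.
leaked_emails() {
  git -C "$1" log --format='%ae%n%ce' | sort -u \
    | grep -v '@users\.noreply\.github\.com$' || true
}

# Demo: commit under the noreply address, then show the audit finds nothing.
demo() {
  repo=$(make_repo "$NOREPLY_EMAIL")
  echo "author recorded: $(git -C "$repo" log -1 --format='%ae')"
  echo "non-noreply addresses in history: '$(leaked_emails "$repo")'"
  rm -rf "$repo"
}
```

Run `leaked_emails /path/to/checkout` before pushing a repository publicly; to apply the setting everywhere rather than per repository, use `git config --global user.useConfigOnly true` and `git config --global user.email` with the noreply address. Note that rewriting already-pushed history to scrub an address does not remove it from forks or from mirrors that copied it earlier.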

Because the email is part of a Git commit (author and committer information) and your Github repo has public Git commits. "man git-commit" and search for "email" for details.

  • Yes, I'm aware of how commits work, my point is that this kind of practice goes hand in hand with making it easy for spammers to harvest user emails.

GitHub behaves similarly to git, which uses emails as a weak form of identity. They’re not meant to be private in git’s model, and having them be public is not a serious problem absent bad actors (who should be banned for violating GitHub’s TOS).