DEV Community

Cover image for GitHub spam is getting out of hand!👎
Programming with Shahan
Programming with Shahan

Posted on

GitHub spam is getting out of hand!👎

Spam on GitHub now seems to be doping up🐜constantly.

But WHY?

Image of github scammers

I know spam isn’t new. Fraud, malware, or 'next-to-spot' content is the challenge of any user-generated platform. But I can't believe it's rising dramatically on GitHub. Also going on in the DEV Community comment section.🤦‍♂️

🕵️♂️ Crypto Scam in the Tangle

I recently noticed a change in crypto related spam on GitHub. This scam floods GitHub, tagging a thousands of users before quickly getting deleting.

Image of github scammers 2

It’s also a clever way to prevent unsolicited mail filters and make reporting more difficult. And then it’s not just a minor problem. These spammy comments can persist for months, damaging the popularity of the platform.

These accounts that seem suspicious have a few things in common:

  1. 🚫 No Picture: They don't have any pictures on their profiles.
  2. 💤 Not Much Activity: Even though they've been around for a while, they haven't done much on the site.
  3. 🧹 Few or No Projects: If they have any projects, they usually only have one, and it's not very active.

It's crazy that GitHub doesn't have a report button! Do you know how to report something? You have to copy the link, go to the user's profile, click Block & Report, then click Report Abuse. After that, you have to click a bunch more buttons, like saying it's harmful or suspicious content😏. Finally, you paste the link and explain why it's bad. It's way too complicated! I've never reported anything because it's too much work. If GitHub wants users to help, they need to make it easier!

Image of github scammers

🦟 GitHub's Weak point

GitHub setups seems to offer the worst when it comes to managing spam.

It immediately sends out email notifications upon posting, even for spam posts, and then quickly deletes postings, making it harder to report.

It’s a gap that spammers cleverly exploit, annoying users.

It’s a relentless attack that current systems on GitHub struggle to incorporate. With spammers changing their tactics, it is becoming increasingly difficult to effectively address the problem.

GitHub’s current reporting system is a complex problem, with multiple steps on different pages. It is time-consuming and inefficient, and discourages users from spamming.

Security tools tend to take a backseat💤 to premium features, so it’s no wonder the platform struggles to keep up with spam attacks.

🪂 Solutions

So, what's the solution here? What options does GitHub have? Well, I've got a couple of "simple" ideas.

  1. 🔄 Check if users are copying and pasting the same comments everywhere in a short period of time.
  2. 🧆 Compare comments across the site to catch patterns.
  3. 🚩 Watch out for users tagging lots of people repeatedly.

First off, if a user is dropping lots of comments in a short time, maybe GitHub could check if those comments are mostly identical.

Sure, this might catch some real users who use templates, but there's gotta be a way to weigh that against other factors like their activity history. If someone's got no repos, no commits, no profile pic, bio, SSH keys, and they're just commenting, that's a bunch of red flags.

Moreover, if lots of comments have the same title, content, image, and links, and they're tagging the same people, that's a big red flag.

🛬 Conclusion: Time to change

Spam on GitHub isn’t just a minor problem; It is a serious threat to the integrity of the platform and the user experience.

It’s time for GitHub to prioritize security measures and invest in robust anti-spam tools. By doing so, they can provide a safe and happy environment for all users.

I'm sure smart folks are working on it, but they need a solid plan. Maybe train some AI to filter or rank comments automatically. If there are too many red flags, hold those comments for human review. Spam isn't new, and it's only getting worse.

Hopefully GitHub will hear this call for change and take reasonable steps to address this persistent issue. Ultimately, a more secure GitHub benefits everyone.👍

Thank you for taking the time to read this article.

If you’ve encountered similar issues on GitHub or have an idea you’d like to share, please leave a comment below. Your contribution can be valuable in helping developer community address this challenges effectively.

🚧If you ever wondered about the future of frontend development, you can read this article.


Top comments (15)

610470416 profile image

Where is Microsoft's AI? Can't AI identify robots from normal users?
It is a shame for github to use 2FA and still can't prevent spams.
And 2FA caused a lot normal users fail to login!

codewithshahan profile image
Programming with Shahan • Edited

Yeah.. that's true. Microsoft's AI is not intelligent enough to handle that. I found two popular SPAM issues that developers facing on GitHub:


Image of github spam issue

Here is another one: "You are marked as spam, and therefore cannot authorize a third party application."

screenshot of github discussion about spams

These GitHub discussions offer solutions to FIX them.

respect17 profile image
Kudzai Murimi

Will try it, thanks for sharing

not-ethan profile image

I havnt seen this and I do check GH a few times a day and my email. You can problu make a userscript to make it easer to report this.

codewithshahan profile image
Programming with Shahan

Thanks.. I will try.

highcenburg profile image
Vicente G. Reyes

Yup. Got tagged twice about that crypto scam on GitHub

codewithshahan profile image
Programming with Shahan

Report them all 🤦‍♂️

stojakovic99 profile image
Nikola Stojaković

Same here. GitHub is the last site I would expect they would use for this purpose.

highcenburg profile image
Vicente G. Reyes

Exactly, me too!

igorrubinovich profile image
Igor Rubinovich

They are/will be getting better by ai-generating a variety of repos and commits, and the only thing that can be characteristic is account recency, which can also be overcome by advance planning.
There are also at least hundreds if not thousands of bot accounts here on, some of which link to spam accounts on github.

codewithshahan profile image
Programming with Shahan

I agree. bot accounts are messing up everywhere.

polterguy profile image
Thomas Hansen

The problem is there are way too many "normal" people registered on GitHub. Spam doesn't work on devs, we're too smart, so when there was only devs on GitHub everybody left us alone. Today there's 100 million users on the platform.

Realizing there's only 27 million devs in the world implies 73 million of its users are not devs, resulting in psychopath marketers having embraced it for spam purposes ...

Return it back to devs and no more problem ...

codewithshahan profile image
Programming with Shahan

YOU NAILED IT. It's unlikely that developers would intentionally spam people or fall for spamming tactics. I don't believe it. Of course, "we are too smart" than that. The real issue arises when these interruptions disrupt our workflow.

jonrandy profile image
Jon Randy 🎖️

?? How do you get spam on GitHub? I don't get it. I've certainly never had any

codewithshahan profile image
Programming with Shahan

Cool.. You never experienced it. However some people get spam through Pull requests, repositories, or user profiles promoting irrelevant or harmful content. sometimes it gets worse.