from Hacker News

GitHub Spam

by bl4ckneon on 1/28/24, 10:45 PM with 97 comments

  • by jessriedel on 1/28/24, 11:15 PM

    I had a disreputable eBay seller use a similar trick: The Apple product they sold turned out to be counterfeit (unbeknownst to them, they claimed), so they took down the original eBay listing. For some reason, eBay prohibits you from leaving feedback for sellers on orders from listings that are taken down in this way. So this seller still has like 99.7% positive feedback and continues operating even though they at best wasted the time of dozens/hundreds of people who received counterfeit goods and either didn't notice or had to fight for a refund.

  • by albertzeyer on 1/28/24, 11:22 PM

    On those simple ideas to fix it: I don't think it's simple. Once you do simple heuristics, the other side will start doing it just a little bit more sophisticated, to get around the simple heuristics. So, then you improve the heuristics to catch the spammer. And again, the spammers get around those improved tests as well. And so on.

    In the end, you end up with similar spam filter methods as we also have for mails and probably as other social networks have as well. But this is far from simple. I don't think having a huge number of hand-crafted heuristics is really a good solution. I think it should be a machine learning model which you train and it does it all automatically without too many false positives (and also not too many false negatives).

  • by zdw on 1/28/24, 11:51 PM

    Ah, this is actual spam as comments...

    I have a different problem - GitHub's notification settings are far too coarse, and if you're either subscribed to a lot of repos, or have a lot of actions happening on those repos, the flood of email messages you get on every comment or action a person or a CI process takes is just unmanageable.

    All I want is "If someone (i.e., not a bot) specifically tags me on a PR where the CI is passing, send email once". This granularity unfortunately doesn't seem to be possible - that said, I would love to be wrong about this.

    I ended up turning off GitHub's email notifications for this reason, as the signal to noise is horrible.

  • by iBotPeaches on 1/28/24, 11:22 PM

    I concur - I saw the React Native repo getting spammed with hundreds of similar issues/PRs. So many unique usernames and such a cumbersome process to report a painfully obvious spam account. I hit the limit of open abuse reports you could have. My attempt to help was ended - I was only 4 accounts in.

    Thought I would get creative and add comments to one of my existing reports of the other 10 or so spam accounts. The tickets were closed and only the main account was deleted - not the others mentioned in the ticket.

    So I gave up.

  • by Sparkyte on 1/28/24, 11:18 PM

    Internet is 5% useful important stuff and 95% spam. When a more intelligent organism finds our planet they will be so confused why we wasted so much digital space on senseless spam.

  • by ronnier on 1/29/24, 1:19 AM

    Also GitHub pages and "app" pages are used to distribute scam dating site spam on social media platforms. The bad actors try to use the domain reputation of GitHub to evade detection. It's extremely bad and seems to be out of control on GitHub.

    Another thing, men, please, PLEASE, stop falling for these scams. No, beautiful women will not message you at random and show interest in you. Even unattractive ones won't. Please stop falling for these scams. Tell everyone you know to stop falling for these. If a random woman messages you to meet for sex, it's a scam. Do not fall for it, it will seem real and authentic, it's not. If you send nudes they will extort you out of money.

  • by dkarras on 1/29/24, 1:56 AM

    Same thing happens on Twitter. I log in every week or so and my notifications are full of NFT scams. People tag me with an image and "new mint dropped!!!1" post, by the time I see it the tag is deleted but the notification is still there.

  • by Animats on 1/28/24, 11:33 PM

    GitHub/Microsoft could sue the beneficiary of the spam. It's clear who that is.

    Binance is in legal trouble with the SEC right now.[1] Send this to the SEC lawyers going after Binance. You can find out who they are from SEC litigation announcements. If Binance can identify someone else to blame, they have a big incentive to do the work.

    [1] https://www.reuters.com/legal/binance-heads-court-seeking-di...

  • by rvz on 1/28/24, 11:28 PM

    > With the rise of generative AI and ChatGPT being able to write endless variations of 1 spam template to bypass the similarity check I just proposed above, content moderation will continue to be an uphill battle. It most likely will get even harder!

    Thanks to LLMs, the spam issue will get even worse on GitHub.

  • by paulproteus on 1/28/24, 11:33 PM

    Since LLMs model language, does anyone know of any LLM products/libraries that are spam detectors?

  • by fxtentacle on 1/31/24, 6:05 AM

    In my opinion, the fix should be to make it expensive to post spam.

    For example, every legitimate user of my open source project is probably fine with paying $1 to file an issue report. So I'd like to have a user setting that says "don't let anyone contact me unless they pay for it".

  • by quantumwoke on 1/28/24, 11:46 PM

    It's not just issues either. Fake repo spam is terrible as well, usually some form of credentials or cryptocurrency theft software. GitHub really needs to implement moderation, and fast.

  • by SadCordDrone on 1/29/24, 2:39 AM

    My first question is - are these spams fishing for direct victims, or some dirty SEO trick?

  • by arp242 on 1/28/24, 11:26 PM

    I have never experienced this kind of spam, and the author's GitHub does not seem especially notable.

    But they are involved in cryptocurrency stuff. I guess that's why they were tagged in these threads.

    I think this says more about crypto grift than anything else. It's not "GitHub spam" so much as "cryptocurrency spam".

    Or: "cryptocurrency and associated grift and scams makes everything worse, part 151"

  • by thatxliner on 1/29/24, 5:18 AM

    I got the exact same comment on one of my repos as well

  • by mschuster91 on 1/28/24, 11:23 PM

    God, these crypto "airdrop" scams annoy me... it's just as bad on Twitter. I'm active in Community Notes and the inbox is like 1/3rd far-right conspiracies, 1/3rd other politics, and 1/3rd of zkSync scam alerts - never figured out what zkSync is or if that itself is some scam, it wouldn't surprise me.

    Some of these are even able to fake the target URL - the Tweet Card shows them going to "starknet [.] io", but hover over the link and it will actually point to "reward - zksync [.] club". I wonder what the fuck is going on at Twitter that they're unable to spot and hammer down on this.