This isn't my experience. I requested that you looked into a spammer in July 2025, you ignored my reply and the account is still active.
----
Thank you so much for the report. We're sorry to hear you're receiving unwanted emails, but it's always a possibility when your public contact information is listed on the web. You can keep your email address private if you wish by following the steps here:
Setting your commit email address
We do expect our users to comply with our Terms of Service, which prohibits transmitting using information from the GitHub (whether scraped, collected through our API, or obtained otherwise) for spamming purposes. I'm happy to look into it further to see if we can contact the reported user and let them know that this type of activity is not allowed.
Please let us know if you have any other questions or concerns.
----
My reply which was ignored:
----
I understand it will happen from time to time. I'd rather be contactable (I've received legitimate emails today because my email is on my profile).
Please take further action. My email is public with the expectation that the ToS will be enforced. If GitHub isn't discouraging spammers then it makes it much harder to justify being contactable.
All the best, David
Please keep reporting spammers, usually it works.
I've had decent success with on-GitHub action (I'd wager ~80% action taken), but the effort to report email spammers doesn't seem worthwhile.
And yes of course they can also stop a specific spammer. But that spammer may pick up another account and email.
I even wrote about a specific example of a YC company spamming me from my GitHub email at https://benword.com/dont-tolerate-unsolicited-spam
Or do you mean going after the accounts of companies that make use of a likely scraped email address? That's not a bad idea either, but it has risks and isn't the same thing.
> I came across your profile on GitHub. Given you're based in the US, I thought it might be relevant to reach out. > > Profile: https://github.com/tedivm
They aren't doing anything to hide it.
> we can (and do) take action against those accounts including banning the accounts
It's one thing to offer anonymous e-mail addresses, but it's also awesome that GitHub can help prevent mistakes that would otherwise leak a user's e-mail address. I am not sure how many people try to be privacy conscious on GitHub, but I assume most users don't, so it's nice seeing this little feature exist.
And not all devs want or need anonymity on github.
In general just because information is publicly accessible in some form doesn't make it okay or legal to abuse it (accessible doesn't mean any form of usage rights are transferred to you weather it's in context of GDPR or in context of copy right).
I think it's pretty clear you need to use an anonymization scheme in the way commits are handled so that it links back to your github account and the email addresses are kept private.
Privacy centric companies like Apple do this for users offering hashed emails, on a per login basis.
I'm sure this would not work in a world of scraping, but having that kind of ability to figure out bad actors would be nice. You could require authenticated users for certain kinds of requests, and block user information from non-authenticated requests.
62114487+david-allison@users.noreply.github.com
[0] https://docs.github.com/en/account-and-profile/reference/ema...
* This is an optional feature via git config, with a further GitHub setting to reject commits pushed using your personal email address.
* If the GitHub setting is disabled, some GitHub-generated commits/fixups use your personal email (e.g. squash merge in the GitHub UI).
* I use my personal email in file-level copyright headers, even if the commits use the GitHub noreply email.
* I have my personal email on my GitHub profile, visible to logged in users.
How do I report that person, though? Your support page about reporting abuse assumes I know the person's Github account: https://docs.github.com/en/communities/maintaining-your-safe...
I did a quick scan of the ToS and all I could find was D8 that states that autmated access (scraping) used for "AI" applies a reciprocal license that prevents the scraper from restricting GitHub's access to the data (the whole model? the weights?) resulting from the scraping.
This makes it sound like any model trained on GitHhub content cannot be commercialized, because charging for access to the output would be a "technical or other limit"... So you're obviously not really enforcing this, otherwise MS would be suing every big commercial model out there!
If someone wants to message someone, it goes through github notifications or github emails them
Also banning an account doesnt seem like a heavy punishment, given they can simply move to gitlab, bitbucket etc
You can mask your email address in git commits but a lot of open source projects won't accept that. And some pseudo-open-source ones insist on sending you an email to authenticate before they'll give you access to the GitHub repo (looking at you Unreal Engine!)
So, no, I don't think they could simply "not show the email address".
To his point, you can set that to the no-reply email address GitHub gives you if you don't want mail but do want the commit to be linked to your GitHub account.
[0]: https://git-scm.com/docs/git-commit#_commit_information
[1] In practice, it's a bit more complicated. Merkle trees are involved, so it's hashes of hashes of hashes instead of hashing a multi-gigabyte blob on each commit, but that's a performance optimization that doesn't affect semantics much.
There's never been an obligation to use a real email address for git
"What you are doing is against Github's TOS"
Usually starts with contacting them over email reminding them of the terms of service and warning them to stop. Then their account might get deactivated and they need to write and promise to not be naughty again. If they ignore that then the account gets removed.
There are a bunch of automated checks that are running all the time as well and will take automated action that then gets later reviewed by humans. At lot of times the process is fast-tracked.
The off-platform 'let's scrape a bunch of data and then spam nice people' is the hardest to police. Linking those mails to an offending GitHub account is hard and very manual, also anyone can send emails saying they are someone they are not and because of that anyone can deny they sent the mail and they'll usually blame a rogue agency they where working with etc.
I probably shouldn't say it, but the public shame that comes from being mentioned on social, in hacker news etc. That stops people who want to be treated as legitimate from doing that sort of thing and helps educate the wider community around what is and isn't acceptable behaviour - that is why it's good to see this thread and see the issue getting attention.
Having said that, there are big corps who have been known to use the CFAA as a way to coerce the long arm of the law upon teenagers and geeks hacking away - not always a great thing either IMO.
This would be a gross miscarriage of justice and bringing successful action under this theory would do widespread harm by expanding the definition of the CFAA.
Just because a company can take some nuclear action, doesn't mean they should.
kettle, pot, black?
I received the following offical spam last week from GitHub:
> Build AI agents with the new GitHub Copilot SDK
despite never granting consent for marketing material
(and yes, there's a GDPR complaint now working its way through the national regulator)
I will pay more for GitHub if you go hard on these mfs.
Mind fixing lucidrains account? Something happened without notice or recourse. He's one of, if not the most well known open source AI researchers on the planet, with implementations and explanations of papers and ideas that are wonderful. If you could bring some sanity to that situation and take it out of whatever kafkaesque account purgatory it fell into, you'd be doing the work of angels.
Thanks!