Tell HN: YC companies scrape GitHub activity, send spam emails to users

Reported behavior

  • Multiple commenters report unsolicited emails from startups (often YC-funded) that:
    • Scrape GitHub for emails from commit metadata, stars, or profile info.
    • Infer interests from repos or stars (“saw you starred X / work on Y”) and pitch related products, AI SDKs, agents, etc.
    • Sometimes use alternate/parked domains solely for outbound spam to avoid damaging the reputation of the main domain.
  • Similar scraping is reported from HN profiles, “Show HN” posts, and YC’s own job platform.

User impact & reactions

  • Many see this as creepy, unethical, and brand-damaging; several now auto-trash anything that mentions being YC-funded.
  • Some are merely annoyed given the general spam deluge, but note YC-linked spammers are more identifiable and thus more accountable.
  • A few say highly targeted, genuinely personalized outreach based on real engagement could be welcome, but most experiences described are obviously automated, low-effort blasts.
  • Several commenters explicitly vow never to use products from companies that contact them this way.

YC, ethics, and “growth hacking”

  • YC’s published ethics guidelines explicitly say “not spamming members of the community,” but people question:
    • Whether GitHub users count as “the community.”
    • Whether YC meaningfully enforces this, given a culture that valorizes “hacking systems” and rule-bending.
  • Some connect this behavior to a broader YC/startup ethos of growth at any cost and “gray-area” tactics.

Legal and regulatory angles

  • Under GDPR and various EU laws, unsolicited commercial email without consent is described as clearly illegal; some mention filing complaints.
  • In the US, CAN-SPAM is noted as weak, with enforcement usually limited to Attorneys General; individuals have little recourse.
  • Class-action or contingency-style enforcement is discussed but seen as hard due to low damages and limited private rights of action.

GitHub mechanics & mitigation

  • A GitHub representative confirms:
    • Scraping for spam violates GitHub’s Terms of Service; accounts can be warned, deactivated, or banned.
    • Enforcement is “whack-a-mole,” especially when spam is sent off-platform with throwaway domains.
    • Git inherently embeds name and email in commits; altering them retroactively would break commit hashes and histories.
    • GitHub offers noreply email addresses and settings to reject pushes using private emails; many users don’t configure these.
  • Some users report successful enforcement when reporting abuse; others say their reports were ignored or ineffective.

User defenses and workarounds

  • Common strategies:
    • Use GitHub noreply addresses or git-only emails routed to /dev/null.
    • Use aliases or catch-all domains (e.g., service-specific addresses) to identify scrapers and auto-filter.
    • Rely on spam filters, ESP abuse reports, or moving emails to “Promotions” tabs instead of manual deletion.
  • Several note that once a real email has leaked into commits or lists (e.g., kernel mailing list), spam becomes essentially permanent.
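
The mechanics under "GitHub mechanics & mitigation" (commits carry author and committer addresses) and the noreply workaround under "User defenses and workarounds" can be checked on a clone you own. The shell functions below are an added example, not code from the discussion or from GitHub: they list the addresses a local history exposes and test whether a configured identity is a noreply address. The function names are hypothetical; the `users.noreply.github.com` suffix and the `noreply@github.com` committer on web-interface commits are stated here as GitHub behaviour, not taken from the thread.

```sh
#!/bin/sh
# Added example: audit which e-mail addresses a repository's history exposes.
# Function names are hypothetical; only standard git and POSIX tools are used.

NOREPLY_SUFFIX='@users.noreply.github.com'

# Read one address per line on stdin and print "count address" for every
# distinct address that is NOT a GitHub noreply address, most frequent first.
exposed_emails() {
    awk -v suf="$NOREPLY_SUFFIX" '
        NF == 0 { next }                            # skip blank lines
        {
            addr = tolower($0)
            if (addr == "noreply@github.com") next  # committer on web-UI commits
            n = length(addr) - length(suf)
            if (n > 0 && substr(addr, n + 1) == suf) next
            count[addr]++
        }
        END { for (a in count) printf "%d %s\n", count[a], a }
    ' | sort -k1,1nr -k2
}

# Author (%ae) and committer (%ce) addresses from every ref of a local clone.
audit_repo() {
    git -C "${1:-.}" log --all --format='%ae%n%ce' | exposed_emails
}

# Succeeds only if the address ends in the noreply suffix (a suffix match, so
# "x@users.noreply.github.com.example" is rejected).
is_noreply() {
    addr=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$addr" in
        ?*"$NOREPLY_SUFFIX") return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh audit.sh /path/to/clone
if [ "$#" -gt 0 ]; then
    audit_repo "$1"
    is_noreply "$(git -C "$1" config user.email)" ||
        echo "warning: user.email for $1 is not a noreply address" >&2
fi
```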