is-a-dev / register

Grab your own sweet-looking '.is-a.dev' subdomain.

Home Page: https://www.is-a.dev


Receiving phishing emails to my attached contact email

17sdheeraj opened this issue · comments

Hello!
I have noticed that for a few days I have been receiving phishing emails at the email address I added to my file (contact-sdheeraj-isadev@domain.com). I opened this issue to ask whether anyone else has been receiving this type of email.
Some screenshots of the emails:
image
image
There were more that got rejected and were not delivered to me.

My subdomain

https://sdheeraj.is-a.dev

Wait... I've also gotten emails from the umm.de domain. Is it possible that somebody is emailing everyone who has a domain here?

same here

Screenshot_20240710_191711_Gmail


I got the exact same mail from a German charity telling me that I had received a private donation.
image


That email arrived in my second Gmail account, and I never submitted that address to is-a.dev.
image

> Wait... I've also gotten emails from the umm.de domain. Is it possible that somebody is emailing everyone who has a domain here?

Might be; they probably scraped all the data, collected every email from the JSON files, and are now sending phishing emails to the collected addresses.

The best way to fix this issue for future is #13721

Would it be worth dropping emails in the owner key entirely and just relying on the commit history?

> Would it be worth dropping emails in the owner key entirely and just relying on the commit history?

I think it would be best if the contact info and other info were collected via Discord, Google Forms or some other platform, so that the admins have access to it and the public doesn't.
Also, it would be best if you all sent a mail to the addresses in the JSON files telling people to ignore/block the spam they have been receiving.

Also, change the issue's labels if possible.

The spam is increasing day by day
image

> The spam is increasing day by day
> image

Yo bro, this also happened to me; luckily I acted fast and removed my email from the JSON file and didn't get any more emails. Just leave "mail" blank and add Discord to the JSON.

@phenax Could we use an external DB of some sorts?

Let's not ask for email anymore? It was a bad idea to ask for that in the first place. Who came up with this terrible system? Oh right, it was me.

But I think any reliable means to contact them is more than good enough, and since a lot of our users are also on Discord, that seems like a good default. If not that, Twitter, Mastodon, etc. work just as well. At least one more way to get in touch other than GitHub. If all else fails, we still have the GitHub username to tag them on issues or discussions.

We can also remove all existing emails or encrypt them in place, but that information is already spread across thousands of forks and all PRs, so not sure how much that helps.

@is-a-dev/maintainers, what do you all think?

> The spam is increasing day by day
> image
>
> Yo bro, this also happened to me; luckily I acted fast and removed my email from the JSON file and didn't get any more emails. Just leave "mail" blank and add Discord to the JSON.

If that is the case, it means they are fetching the emails from GitHub instead of scraping and storing them.

> The spam is increasing day by day
> image
>
> Yo bro, this also happened to me; luckily I acted fast and removed my email from the JSON file and didn't get any more emails. Just leave "mail" blank and add Discord to the JSON.
>
> If that is the case, it means they are fetching the emails from GitHub instead of scraping and storing them.

Probably they are.

> Let's not ask for email anymore? It was a bad idea to ask for that in the first place. Who came up with this terrible system? Oh right, it was me.
>
> But I think any reliable means to contact them is more than good enough, and since a lot of our users are also on Discord, that seems like a good default. If not that, Twitter, Mastodon, etc. work just as well. At least one more way to get in touch other than GitHub. If all else fails, we still have the GitHub username to tag them on issues or discussions.
>
> We can also remove all existing emails or encrypt them in place, but that information is already spread across thousands of forks and all PRs, so not sure how much that helps.
>
> @is-a-dev/maintainers, what do you all think?

Damage has already been done, sadly, but yes, I do think we should:

  1. Remove the email field.
  2. Switch over to Discord ID contact.
  3. Hope for the best from the changes.

> Let's not ask for email anymore? It was a bad idea to ask for that in the first place. Who came up with this terrible system? Oh right, it was me.
>
> But I think any reliable means to contact them is more than good enough, and since a lot of our users are also on Discord, that seems like a good default. If not that, Twitter, Mastodon, etc. work just as well. At least one more way to get in touch other than GitHub. If all else fails, we still have the GitHub username to tag them on issues or discussions.
>
> We can also remove all existing emails or encrypt them in place, but that information is already spread across thousands of forks and all PRs, so not sure how much that helps.
>
> @is-a-dev/maintainers, what do you all think?

> Damage has already been done, sadly, but yes, I do think we should:
>
>   1. Remove the email field.
>   2. Switch over to Discord ID contact.
>   3. Hope for the best from the changes.

I agree

> The spam is increasing day by day
> image
>
> Yo bro, this also happened to me; luckily I acted fast and removed my email from the JSON file and didn't get any more emails. Just leave "mail" blank and add Discord to the JSON.
>
> If that is the case, it means they are fetching the emails from GitHub instead of scraping and storing them.
>
> Probably they are.

That means we can stop them if we remove the email field.

> Let's not ask for email anymore? It was a bad idea to ask for that in the first place. Who came up with this terrible system? Oh right, it was me.
>
> But I think any reliable means to contact them is more than good enough, and since a lot of our users are also on Discord, that seems like a good default. If not that, Twitter, Mastodon, etc. work just as well. At least one more way to get in touch other than GitHub. If all else fails, we still have the GitHub username to tag them on issues or discussions.
>
> We can also remove all existing emails or encrypt them in place, but that information is already spread across thousands of forks and all PRs, so not sure how much that helps.
>
> @is-a-dev/maintainers, what do you all think?

> Damage has already been done, sadly, but yes, I do think we should:
>
>   1. Remove the email field.
>   2. Switch over to Discord ID contact.
>   3. Hope for the best from the changes.

I definitely agree.

> Let's not ask for email anymore? It was a bad idea to ask for that in the first place. Who came up with this terrible system? Oh right, it was me.

I created https://data.is-a.dev a few months to a year ago basically to prove how is-a.dev is literally just a data farm for scammers.

> But I think any reliable means to contact them is more than good enough, and since a lot of our users are also on Discord, that seems like a good default. If not that, Twitter, Mastodon, etc. work just as well. At least one more way to get in touch other than GitHub. If all else fails, we still have the GitHub username to tag them on issues or discussions.

Yeah, that would work; however, what would we do with existing domains, just only have GitHub usernames? Also, this brings up another issue: what do we do with domains where the original author's account has been deleted, and what do we do with username changes, because we can't exactly rely on people to immediately update their info.

> We can also remove all existing emails or encrypt them in place, but that information is already spread across thousands of forks and all PRs, so not sure how much that helps.

Yeah, not much we can do about that; however, removing them all from the main repo would help.

> > Let's not ask for email anymore? It was a bad idea to ask for that in the first place. Who came up with this terrible system? Oh right, it was me.
>
> I created https://data.is-a.dev a few months to a year ago basically to prove how is-a.dev is literally just a data farm for scammers.
>
> > But I think any reliable means to contact them is more than good enough, and since a lot of our users are also on Discord, that seems like a good default. If not that, Twitter, Mastodon, etc. work just as well. At least one more way to get in touch other than GitHub. If all else fails, we still have the GitHub username to tag them on issues or discussions.
>
> Yeah, that would work; however, what would we do with existing domains, just only have GitHub usernames? Also, this brings up another issue: what do we do with domains where the original author's account has been deleted, and what do we do with username changes, because we can't exactly rely on people to immediately update their info.
>
> > We can also remove all existing emails or encrypt them in place, but that information is already spread across thousands of forks and all PRs, so not sure how much that helps.
>
> Yeah, not much we can do about that; however, removing them all from the main repo would help.

Why don't you guys make data.is-a.dev private, collect the info and keep it there for the admins?

@0v90's suggestion, which fell into my DMs:
image

Yep, I got the email in the second screenshot.

> @0v90's suggestion, which fell into my DMs:
> image

Another idea would be that you must provide the email on the is-a.dev website, and when you submit the email/data, it automatically sends it to data.is-a.dev instead of going through the GitHub JSONs.

> @0v90's suggestion, which fell into my DMs:
> image
>
> Another idea would be that you must provide the email on the is-a.dev website, and when you submit the email/data, it automatically sends it to data.is-a.dev instead of going through the GitHub JSONs.

Yeah, this idea is good, but it would take a little time to code.

> @0v90's suggestion, which fell into my DMs:
> image
>
> Another idea would be that you must provide the email on the is-a.dev website, and when you submit the email/data, it automatically sends it to data.is-a.dev instead of going through the GitHub JSONs.
>
> Yeah, this idea is good, but it would take a little time to code.

Yes, it can be hard to code, but it's for y'all's security.

> Yes, it can be hard to code, but it's for y'all's security.

Yes

> Another idea would be that you must provide the email on the is-a.dev website, and when you submit the email/data, it automatically sends it to data.is-a.dev instead of going through the GitHub JSONs.

I think this introduces a weird bit of complexity that's better avoided. Although, if we all agree that having users' email addresses is worth that complexity, then we can go with this.

> however, what would we do with existing domains, just only have GitHub usernames?

We can send people an email letting them know that we're removing email addresses and to update their contacts. Whether they do that or not is up to them.

But I would still like to point out that once we remove all the email addresses, what's stopping someone from going one commit before the change? Even if we rebase everything since the dawn of time, any recent forks can still be used. We should still do it, but if we can think of a solution to obscure it better, we should consider it.

On a side note, what if we screw with the people scraping this information a bit? Change the emails to point to nothing, making them unusable but still giving the scrapers a false sense that this is reaching someone.

>   1. Remove the email field.
>   2. Switch over to Discord ID contact.
>   3. Hope for the best from the changes.

I generally don't think any directly shown "social contact" that links straight to a person is any good for their privacy; it should rather be encrypted, and maybe even given a unique ID for the user themselves, so none of their info is exposed publicly.

> > Another idea would be that you must provide the email on the is-a.dev website, and when you submit the email/data, it automatically sends it to data.is-a.dev instead of going through the GitHub JSONs.
>
> I think this introduces a weird bit of complexity that's better avoided. Although, if we all agree that having users' email addresses is worth that complexity, then we can go with this.
>
> > however, what would we do with existing domains, just only have GitHub usernames?
>
> We can send people an email letting them know that we're removing email addresses and to update their contacts. Whether they do that or not is up to them.
>
> But I would still like to point out that once we remove all the email addresses, what's stopping someone from going one commit before the change? Even if we rebase everything since the dawn of time, any recent forks can still be used. We should still do it, but if we can think of a solution to obscure it better, we should consider it.
>
> On a side note, what if we screw with the people scraping this information a bit? Change the emails to point to nothing, making them unusable but still giving the scrapers a false sense that this is reaching someone.

For now the most important thing is focusing on the security/privacy of the current users; messing with whoever is behind the phishing attacks can come later, after dealing with point 1, which matters most!


suggestion

It was never said to be easy; it will indeed be complex. Getting the data, encrypting it, giving it a unique ID and so on can actually be the easy part; the hard part is storing it in a database and actually working with the database itself, which will surely be a big hassle, especially with hundreds of thousands of users or even more! But whether it is worth it is really up to you to evaluate the way you want. IMO it may be one of the ways to secure the user info and make sure no info regarding them is publicly exposed to anyone other than the devs of the project.

This is just one idea; there are definitely more ideas, and even better ones.

> It was never said to be easy; it will indeed be complex. Getting the data, encrypting it, giving it a unique ID and so on can actually be the easy part; the hard part is storing it in a database and actually working with the database itself, which will surely be a big hassle, especially with hundreds of thousands of users or even more! But whether it is worth it is really up to you to evaluate the way you want. IMO it may be one of the ways to secure the user info and make sure no info regarding them is publicly exposed to anyone other than the devs of the project.
>
> This is just one idea; there are definitely more ideas, and even better ones.

Yes, it would be good if there were a poll or something on this, so people can add their ideas and vote for the best one.

> I generally don't think any directly shown "social contact" that links straight to a person is any good for their privacy; it should rather be encrypted, and maybe even given a unique ID for the user themselves, so none of their info is exposed publicly.

While I understand where you're going with this (less user information public), I believe a temporary and easy solution is to lock it down to a platform that can limit any form of direct spam.

An email is an email: anyone who gets their hands on someone's email can send mail to it or sign it up for newsletters, and nothing is stopping those sites or scammers from sending it. Nobody sends newsletters through Discord. The worst outcome, in my opinion, is a tiny increase in friend requests or message requests. That's it.

We can think of long-term solutions here, but as a quick fix, just limit it to a Discord ID. Every staff member here has Discord, from what I'm aware of. Yeah, that's my two cents.

> We can think of long-term solutions here, but as a quick fix, just limit it to a Discord ID. Every staff member here has Discord, from what I'm aware of. Yeah, that's my two cents.

I can still write a "friend request" spam bot for all these IDs, but yes, the spam messages would be none to few if the person accepts few of these friend requests and message DMs. Still, it's another idea that is not completely secure/private for the user's info. The idea is indeed a lot more limiting than emails, but how limiting it is overall, and how effective it will actually be, I myself don't know either; I guess we would have to wait and see if the idea gets considered.

> But I would still like to point out that once we remove all the email addresses, what's stopping someone from going one commit before the change? Even if we rebase everything since the dawn of time, any recent forks can still be used. We should still do it, but if we can think of a solution to obscure it better, we should consider it.

Maybe @github-staff could somehow purge all forks and rebase the entire repo? It would be a bit complicated, but it would do most of the work for us.

> I can still write a "friend request" spam bot for all these IDs, but yes, the spam messages would be none to few if the person accepts few of these friend requests and message DMs. Still, it's another idea that is not completely secure/private for the user's info. The idea is indeed a lot more limiting than emails, but how limiting it is overall, and how effective it will actually be, I myself don't know either; I guess we would have to wait and see if the idea gets considered.

A unique key would be best in this situation; then users can just link their Discord accounts and such through a web portal or something.

Personally, I think we should set up some unique-ID-based system (is there some sort of OSS that does this?), as multiple users in this thread have suggested.

The owner key could be updated from an object to just a string value, like this:

```json
{
  "owner": "k2H9rSQ6KB2373b3FeUR28WX8RxaZvn6"
}
```

We could probably (and fairly easily...) create a script to register all existing owner information with a database, which then returns a custom ID like the one above, and it would just update all domains to look like this.

> Personally, I think we should set up some unique-ID-based system (is there some sort of OSS that does this?), as multiple users in this thread have suggested.
>
> The owner key could be updated from an object to just a string value, like this:
>
> ```json
> {
>   "owner": "k2H9rSQ6KB2373b3FeUR28WX8RxaZvn6"
> }
> ```
>
> We could probably (and fairly easily...) create a script to register all existing owner information with a database, which then returns a custom ID like the one above, and it would just update all domains to look like this.

This is the best idea so far, in my opinion.

> Personally, I think we should set up some unique-ID-based system (is there some sort of OSS that does this?), as multiple users in this thread have suggested.
>
> The owner key could be updated from an object to just a string value, like this:
>
> ```json
> {
>   "owner": "k2H9rSQ6KB2373b3FeUR28WX8RxaZvn6"
> }
> ```
>
> We could probably (and fairly easily...) create a script to register all existing owner information with a database, which then returns a custom ID like the one above, and it would just update all domains to look like this.

What about the people who prefer the old write-your-own-JSON registration method? Do you ask them to pretend to be a bot and write a "string value" from scratch?

> Personally, I think we should set up some unique-ID-based system (is there some sort of OSS that does this?), as multiple users in this thread have suggested.
>
> The owner key could be updated from an object to just a string value, like this:
>
> ```json
> {
>   "owner": "k2H9rSQ6KB2373b3FeUR28WX8RxaZvn6"
> }
> ```
>
> We could probably (and fairly easily...) create a script to register all existing owner information with a database, which then returns a custom ID like the one above, and it would just update all domains to look like this.

> What about the people who prefer the old write-your-own-JSON registration method? Do you ask them to pretend to be a bot and write a "string value" from scratch?

For that, I think they can make a Discord bot which generates an ID for people, so they can use it in their JSON.

> For that, I think they can make a Discord bot which generates an ID for people, so they can use it in their JSON.

That could be good. Like it encrypts their details with a hash/salt that can be decrypted using a master key?

> For that, I think they can make a Discord bot which generates an ID for people, so they can use it in their JSON.
>
> That could be good. Like it encrypts their details with a hash/salt that can be decrypted using a master key?

Yes, or the user gives their details to the bot, and the bot stores them and gives the user a unique user ID which can be used in the JSON. The data would be sent to a database like data.is-cool.dev, which would only be accessible by admins.

Yeah that was my idea.

> Yeah that was my idea.

Then you all can implement the idea.

Screenshot_20240716_165016_Outlook

I have received the same.

> For that, I think they can make a Discord bot which generates an ID for people, so they can use it in their JSON.
>
> That could be good. Like it encrypts their details with a hash/salt that can be decrypted using a master key?
>
> Yes, or the user gives their details to the bot, and the bot stores them and gives the user a unique user ID which can be used in the JSON. The data would be sent to a database like data.is-cool.dev, which would only be accessible by admins.

Any update on when you all will make a Discord bot and fix this issue?

Some of our users do not use Discord, I'm afraid.

> Personally, I think we should set up some unique-ID-based system (is there some sort of OSS that does this?), as multiple users in this thread have suggested.
>
> The owner key could be updated from an object to just a string value, like this:
>
> ```json
> {
>   "owner": "k2H9rSQ6KB2373b3FeUR28WX8RxaZvn6"
> }
> ```
>
> We could probably (and fairly easily...) create a script to register all existing owner information with a database, which then returns a custom ID like the one above, and it would just update all domains to look like this.

I'm actually making a similar system for open-domains. I'm thinking we should also include the GitHub user ID in the encrypted data; then ReviewMate should be able to decrypt it and verify that the user hasn't copied and pasted someone else's, if that makes sense.

https://github.com/is-a-dev/owl - We now have a beta version running at https://owl.is-a.dev

You select an email from your GitHub account and it will give you a unique ID. There is no DB; the ID given to you is your email and GitHub username/ID, encrypted.
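An added example, not code from the owl project or the register repository, of the scheme the last two comments describe: the owner ID is the email plus GitHub username/ID encrypted under a server-side key with no database, and the GitHub user ID sealed inside lets a review bot reject an ID that was copied from someone else's file. It uses only the Python standard library, so the cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag rather than AES-GCM; the master key, the payload field names and the token layout are assumptions for the example, and a deployment would use a vetted AEAD and load its key from a secret store.

```python
import base64
import hashlib
import hmac
import json
import os
import struct

# Assumption for this example only: a single server-side master key that never
# leaves the maintainers' service. Replace with a key from a secret store.
MASTER_KEY = b"example-master-key-change-me-before-any-real-use"
VERSION = b"\x01"   # first byte of every token, so the format can be rotated
TAG_LEN = 16        # truncated HMAC-SHA256 tag appended to the token


def _subkeys(master):
    """Derive independent encryption and MAC keys from the master key."""
    enc = hmac.new(master, b"owner-id/enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"owner-id/mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 as a PRF in counter mode: a stdlib-only stream cipher.
    The nonce is fresh per token, so the same details never encrypt the same way."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_owner_id(email, github_login, github_id, master=MASTER_KEY):
    """Seal the contact details into an opaque token: encrypt, then MAC
    version||nonce||ciphertext. Only this token goes into the public JSON."""
    enc_key, mac_key = _subkeys(master)
    payload = json.dumps(
        {"e": email, "u": github_login, "i": int(github_id)}, separators=(",", ":")
    ).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, nonce, len(payload))))
    body = VERSION + nonce + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
    return _b64e(body + tag)


def open_owner_id(token, master=MASTER_KEY):
    """Maintainer side: check the tag in constant time before touching the
    ciphertext. Raises ValueError on tampering or on a token from another key."""
    enc_key, mac_key = _subkeys(master)
    raw = _b64d(token)
    if len(raw) < 1 + 16 + TAG_LEN or raw[:1] != VERSION:
        raise ValueError("malformed owner id")
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("owner id failed authentication")
    nonce, ciphertext = body[1:17], body[17:]
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    data = json.loads(plaintext)
    return {"email": data["e"], "github_login": data["u"], "github_id": data["i"]}


def verify_pr_owner(token, pr_author_id, master=MASTER_KEY):
    """Review-bot check: the GitHub user id sealed in the token must match the
    PR author, so pasting an ID lifted from someone else's file is rejected.
    Any undecryptable token is simply treated as not matching."""
    try:
        return open_owner_id(token, master)["github_id"] == int(pr_author_id)
    except (ValueError, KeyError, TypeError):
        return False


if __name__ == "__main__":
    token = mint_owner_id("alice@example.com", "alice-example", 1234)  # constructed sample
    print(token)
    print(open_owner_id(token))
    print(verify_pr_owner(token, 1234), verify_pr_owner(token, 9999))
```

Because a random nonce is included, minting the same details twice yields two different tokens, so a scraper cannot even tell which domains belong to the same person; the tokens are also longer than the 32-character sample shown earlier in the thread.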

> https://github.com/is-a-dev/owl - We now have a beta version running at https://owl.is-a.dev
>
> You select an email from your GitHub account and it will give you a unique ID. There is no DB; the ID given to you is your email and GitHub username/ID, encrypted.

This looks cool, but can we have an option to edit the email address? Many people do not like giving their main email address and instead give an alt address.

You all could add other fields, like another email address field (just in case the main one doesn't work), Discord ID, Twitter, and other stuff.

> This looks cool, but can we have an option to edit the email address? Many people do not like giving their main email address and instead give an alt address.

If you have other email addresses on your GitHub account, they will show up there.

> This looks cool, but can we have an option to edit the email address? Many people do not like giving their main email address and instead give an alt address.
>
> If you have other email addresses on your GitHub account, they will show up there.

👍

@phenax @andrewstech We need a solution for this ASAP. I'm personally receiving multiple phishing/scam emails per day.

> I'm personally receiving multiple phishing/scam emails per day.

Same

I think the owner object should get phased out for the ID as a string.
Or maybe

```json
"owner": {
  "ID": "<owl ID>"
}
```

and have the old fields still applicable.

It would be better as a string instead of a key; however, for backwards compatibility it might be better as a key, just added as a new field.

I removed all my domains that had my email on them on Jun 11 and never received a spam email~

Screenshot_20240716_165016_Outlook

https://en.wikipedia.org/wiki/Memorial_University_of_Newfoundland mun.ca belongs to this org; most likely these are stolen emails or so.

I investigated the domains these emails come from. Most likely those are stolen university emails, or students from those institutes?

> I removed all my domains that had my email on them on Jun 11 and never received a spam email~

They are most likely fetching the most recent commit on the repo.

> I investigated the domains these emails come from. Most likely those are stolen university emails, or students from those institutes?

I would believe it's weak email security at the university, combined with weak passwords from the students, causing emails to get hacked.

> I would believe it's weak email security at the university, combined with weak passwords from the students, causing emails to get hacked.

Should we email those institutes and see what they can do about it?

> I would believe it's weak email security at the university, combined with weak passwords from the students, causing emails to get hacked.
>
> Should we email those institutes and see what they can do about it?

Yeah

I believe I've found the cause of the issue: I think the scammers have been using the Raw API to fetch the emails. I have redacted all emails from the Raw API.

Let's see if this makes any difference in the amount of scam emails. If it seems to be solved I'll most likely close this issue.
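As an added example, not code from the register repository or its Raw API, here are the two sides of what this thread describes: the one-pass harvest of `owner.email` from public copies of the domain JSON files that the scraping theory earlier in the thread assumes, and the server-side redaction described in the comment above, which leaves only the GitHub username (already public) in what the API returns. The record shapes, file names and contact field names are constructed for the example.

```python
import json

# Constructed sample records in the shape of per-domain JSON files
# (an owner object plus DNS record). Made-up entries, not real users.
SAMPLE_RECORDS = {
    "alice.json": {
        "owner": {"username": "alice-example", "email": "alice@example.com"},
        "record": {"CNAME": "alice-example.github.io"},
    },
    "bob.json": {
        "owner": {
            "username": "bob-example",
            "email": "bob@example.org",
            "discord": "123456789012345678",
        },
        "record": {"A": ["192.0.2.10"]},
    },
    "carol.json": {
        # an owner who already blanked the email field, as one commenter did
        "owner": {"username": "carol-example", "email": ""},
        "record": {"CNAME": "carol.example.net"},
    },
}


def collect_emails(records):
    """What a scraper does with any public copy of the files: one pass that
    pulls every non-empty owner.email. Nothing more sophisticated is needed."""
    emails = set()
    for rec in records.values():
        email = (rec.get("owner") or {}).get("email")
        if email:
            emails.add(email.strip().lower())
    return emails


def redact_owner_contacts(records, keep=("username",)):
    """Server-side view for a public API: keep only the owner fields that are
    already public (the GitHub username) and drop every other contact field,
    not just email, so a Discord ID or similar is not leaked instead."""
    redacted = {}
    for name, rec in records.items():
        owner = rec.get("owner") or {}
        rec_copy = dict(rec)
        rec_copy["owner"] = {k: v for k, v in owner.items() if k in keep}
        redacted[name] = rec_copy
    return redacted


def to_api_json(records):
    """The body the public endpoint would serve: redacted, never the raw files."""
    return json.dumps(redact_owner_contacts(records), sort_keys=True)


if __name__ == "__main__":
    print("harvested:", sorted(collect_emails(SAMPLE_RECORDS)))
    print("served:", to_api_json(SAMPLE_RECORDS))
```

Redacting the API output only closes the endpoint; as pointed out earlier in the thread, the same records remain readable in the repository's history and in forks, so this is a stopgap until the contact data itself is no longer committed in the clear.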


The owl project is deployed; I'm just waiting on you again :(

> I believe I've found the cause of the issue: I think the scammers have been using the Raw API to fetch the emails. I have redacted all emails from the Raw API.
>
> Let's see if this makes any difference in the amount of scam emails. If it seems to be solved I'll most likely close this issue.

👍

This issue has been marked as stale due to inactivity and will be closed. Comment anything on this issue to prevent it

OWL is now fully deployed and integrated into the Discord bot, or is available at https://owl.is-a.dev/. There are 24 records currently using OWL; docs will be posted soon.