Receiving phishing emails to my attached contact email #14802
Comments
Wait... I've also gotten emails from the umm.de domain. Is it possible that somebody is emailing everyone who has a domain here? |
Might be, they probably scraped the whole data and collected all the emails from the json files and then they are sending phishing emails to the collected emails. The best way to fix this issue for the future is #13721 |
Would it be worth dropping emails in the owner key entirely and just relying on the commit history? |
I think it would be best if the contact info and other info gets collected via discord or google forms or some other platform so that the admins will have access to the info and the public won't. |
Also change the issue's labels if possible |
@phenax Could we use an external DB of some sort? |
Let's not ask for email anymore? It was a bad idea to ask for that in the first place. Who came up with this terrible system? Oh right, it was me. But I think any reliable means to contact them is more than good enough and since a lot of our users are also on discord, that seems like a good default. If not that, twitter, mastodon, etc. works just as well. At least 1 more way to get in touch other than github. If all else fails, we still have the github username to tag them on issues or discussions. We can also remove all existing emails or encrypt them in-place but that information is already spread across thousands of forks and all PRs so not sure how much that helps. @is-a-dev/maintainers, what do you all think? |
If that is the case that means they are fetching emails from github instead of scraping and storing them |
Probably they are. |
Damage has already been done sadly but yes, I do think we should:
|
I agree |
That means we can stop them if we remove the email field |
I definitely agree |
I created https://data.is-a.dev a few months to a year ago basically to prove how is-a.dev is literally just a data farm for scammers.
Yeah that would work, however what would we do with existing domains, just only have GitHub usernames? Also this brings up another issue, what do we do with domains where the original author's account has been deleted, and what do we do with username changes, because we can't exactly rely on people to immediately update their info.
Yeah not much we can do about that, however removing them all from the main repo would help. |
Why don't you guys make the data.is-a.dev private and collect info and keep it in there for admins |
Yep, I got the email in the second screenshot |
Yea this idea is good but it would take a little time to code it and stuff |
Yes, it can be hard to code, but it's for yall's security |
Any update on when you all will make a discord bot and fix this issue |
Some of our users do not use Discord, I'm afraid. |
I'm actually making a similar system for open-domains. I'm thinking we should also include the GitHub user id in the encrypted data; then ReviewMate should be able to decrypt it and verify that the user hasn't copied and pasted someone else's, if that makes sense. |
https://github.com/is-a-dev/owl - We now have a beta version running at https://owl.is-a.dev. You select an email from your GitHub account and it will give you a unique ID. There is no DB, and the ID given to you is your email and GitHub username/id encrypted. |
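The scheme described in the two comments above (an ID that is the email and GitHub user id encrypted, with no database, checked by a review bot against the submitting account), sketched as an added example. It is not owl's or ReviewMate's code; the AES-256-GCM cipher, the token layout, the key handling and all function names are assumptions.

```javascript
// Added example, not the owl project's code. Cipher, layout and names are assumed.
const crypto = require('node:crypto');

// Constructed demo key. A real service would load a random 32-byte secret
// that only the issuing service and the review bot can read.
const KEY = crypto.createHash('sha256').update('constructed-demo-secret').digest();

// Encrypt {email, githubId} into an opaque ID that is safe to publish in the repo.
function issueId(email, githubId, key = KEY) {
  const iv = crypto.randomBytes(12); // fresh nonce for every ID
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const plaintext = JSON.stringify({ email, githubId });
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Layout (assumed): 12-byte nonce | 16-byte auth tag | ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// Decrypt an ID. Returns null when it is malformed or has been modified.
function openId(token, key = KEY) {
  try {
    const raw = Buffer.from(token, 'base64url');
    if (raw.length < 12 + 16 + 1) return null;
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch {
    return null; // authentication failure or unparsable payload
  }
}

// Review-bot check: the ID must decrypt and must belong to the account
// that opened the pull request, so a copied ID is rejected.
function verifyOwner(token, prAuthorGithubId, key = KEY) {
  const rec = openId(token, key);
  if (rec === null) return { ok: false, reason: 'invalid-or-tampered' };
  if (rec.githubId !== prAuthorGithubId) {
    return { ok: false, reason: 'id-belongs-to-another-account' };
  }
  return { ok: true, email: rec.email };
}
```

Because nothing is stored, the key is the only secret: whoever holds it can decrypt every ID published in the repository, so it belongs only in the issuing service and the review bot.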
This looks cool but can we have an option to edit the email address as many people do not like giving their main email address and instead give their alt email address. |
You all can add other fields like another email address field (just in case the main one doesn't work), discord id, twitter, and other stuff |
If you have other email addresses on your GitHub account they will show up there. |
👍 |
@phenax @andrewstech We need a solution for this ASAP. I'm personally receiving multiple phishing/scam emails per day. |
Same |
I think the owner object should get phased out for the ID as a string.
```json
"owner": {
  "ID": "<owl ID>"
}
```
and have the old fields still applicable. |
Would be better as a string instead of a key, however for backwards compatibility it might be better as a key and just added as a new field. |
I have removed all my domains which have my email on it on Jun 11 and never received a spam email~ |
https://en.wikipedia.org/wiki/Memorial_University_of_Newfoundland mun.ca belongs to this org, mostly this is stolen emails or so |
I investigated the domains that these emails come from. Most likely those are universities' stolen emails or students from those institutes? |
They are most likely fetching the most recent commit on the repo.
I would believe it's weak email security from the university with a combination of weak passwords from the students causing emails to get hacked. |
should we email those institutes and see what they can do with it? |
Yeah |
I believe I've found the cause of the issue, I think the scammers have been using the Raw API to fetch the emails. I have redacted all emails from the Raw API. Let's see if this makes any difference in the amount of scam emails. If it seems to be solved I'll most likely close this issue. |
The owl project is deployed, I'm just waiting on you again :( |
👍 |
This issue has been marked as stale due to inactivity and will be closed. Comment anything on this issue to prevent it |
OWL is now fully deployed and integrated into the discord bot or is available at https://owl.is-a.dev/. There are 24 records currently using owl; docs will be posted soon |
Hello!
I have seen that for the past few days I have been receiving phishing emails to the email I added to my file (contact-sdheeraj-isadev@domain.com). I have made this to ask if anyone else has been receiving these types of emails.
Some screenshots of the emails:
And more were there which got rejected and were not delivered to me
My subdomain
https://sdheeraj.is-a.dev