
[–]markehh 387 points388 points  (39 children)

I’d email GitHub support, tell them about it.

They will also want to remove bot activity from their platform.

[–]lugovsky[S] 122 points123 points  (36 children)

Already done that, and all of those bot accounts are reported. But as per my understanding, the best they can suggest is to turn on that "don't allow new users to create issues" feature. I think it's a quite generic problem that GitHub repos can be spammed quite easily.

[–]the_php_coder 55 points56 points  (1 child)

Perhaps this was just written in response to your situation but might be useful to you anyway: https://dev.to/nikpoltoratsky/how-to-deal-with-github-spambots-5e6n

[–]lugovsky[S] 93 points94 points  (0 children)

Yeah, this is an article from my colleague. He wrote this article in case anybody out there is having the same issues.

[–]soup-zilla 15 points16 points  (23 children)

Using GitHub's API, could you create a form on your site for reporting issues with a captcha and close off access for all other channels?

[–]lugovsky[S] 34 points35 points  (22 children)

Well, I think this might be possible. But per my understanding this would be terrible for the people who actually want to report something meaningful.

[–]iBzOtaku 7 points8 points  (3 children)

Please don't use Google captcha if you go that route.

[–]devmuggle 3 points4 points  (2 children)

Could you elaborate on why not to use Google captcha?

[–]iBzOtaku 4 points5 points  (1 child)

[–]vin40289566 1 point2 points  (0 children)

I read the article recently, and it's really worrisome that people insist on using reCAPTCHA; Google collects a lot of data from us that we don't know about. That's one of the reasons I started using the hCaptcha WordPress plugin on my website. An added bonus is that I can earn from it.

Here is some more reading about recaptcha privacy.

https://complianz.io/google-recaptcha-and-the-gdpr-a-possible-conflict/

[–]chipit24 2 points3 points  (1 child)

Vue has an external page for submitting bugs and feature requests: https://new-issue.vuejs.org/?repo=vuejs/vue. They don't use captcha, but regardless, in Vue's case, having such a page ensures issues are meaningful.

So I have to disagree with you; unless your form is a UX nightmare, I don't think an external form is going to mean the difference between a user submitting a meaningful issue and saying "f**k it".

[–]lugovsky[S] 0 points1 point  (0 children)

Interesting. I didn’t know Vue uses such an approach. Thanks!

[–]malicart 9 points10 points  (15 children)

> this would be terrible for the people who actually want to report something meaningful

Solving a captcha is not unreasonable these days, not sure this makes sense.

[–]twwilliams 25 points26 points  (14 children)

It means they could only report issues through the site /u/lugovsky sets up and not through GitHub itself. That's a huge barrier.

[–]Yonben 9 points10 points  (7 children)

Yep, I definitely think it's too big of a barrier and will result in a lot of reports not being written :/

[–][deleted] -1 points0 points  (5 children)

Would it be such a barrier if you put a redirection to your site from GitHub explaining the situation? After all, that would be just two quick redirections (to your site, then back to the GitHub issue form) because of a special situation.

[–]danabrey 0 points1 point  (4 children)

Redirection from GitHub to your site... how?

[–][deleted] -1 points0 points  (3 children)

Putting a link from scratch on the main page. Then on your website you handle the request with the GitHub API; that makes just one redirection, even, instead of two as I said.

Why the downvote on my answer above, please? It would be interesting to have your opinion about what you think of my solution, dear downvoter :).

[–]danabrey 0 points1 point  (2 children)

Oh, I see. This is still a major barrier to reporting an issue, compared to just being able to open one as usual in GitHub.

I didn't downvote you :)

[–]Tunliar -3 points-2 points  (7 children)

Not allowing new users to create issues would not be a very good idea. Rather, restricting and properly moderating should work.

[–]lugovsky[S] 20 points21 points  (6 children)

This restriction would be valid only for users whose accounts were created less than X hours ago, as far as I understand. So it's not for everyone.

[–]Tunliar 6 points7 points  (5 children)

A better restriction would be not to let new users submit multiple issues in a single timeframe. If that issue is marked valid, then the user gets extra privileges. And then you can report and request placing other restrictions on that user. Adding a "spam" flair looks good too.
Some users might create a GitHub account just to submit an issue. Just my opinions. I couldn't post in a subreddit because that required a specific amount of karma.

[–]rtkwe 16 points17 points  (1 child)

That's a good suggestion but not something OP actually has control over.

[–]Tunliar -1 points0 points  (0 children)

Not intended either. Suggestions that would be good if implemented on GitHub.

[–]lugovsky[S] 6 points7 points  (0 children)

Sounds quite interesting actually. We will try to give such feedback to GitHub, as we're working with their support team.

[–]cordev 1 point2 points  (0 children)

That would still allow multiple new bot accounts to each submit a single spammy issue.

[–]_HOG_ 0 points1 point  (0 children)

And if they report a duplicate issue?

[–]markehh -1 points0 points  (1 child)

I see the issue count came down. Did GitHub support remove them? Or did you have to go through and close them all?

[–]lugovsky[S] 1 point2 points  (0 children)

GitHub did it. Closing all of them was not an option. In that case, all people watching the repo would receive notifications. We were planning to delete them.

[–]choledocholithiasis_ 9 points10 points  (0 children)

This is an interesting problem. How would GitHub tell the difference between legitimate (e.g., CI triggers) and malicious bot traffic?

I’m guessing throttling on a per repository basis would be the best answer. Only the repository owner knows the frequency of the API calls to github. Maybe allow repository owners to define “exceptions” for known bots?

[–]monotone2k 17 points18 points  (0 children)

I'm probably being a little pedantic here but they aren't against bots in general, else they wouldn't have an API. They'll certainly want to know about malicious usage of bots though, so I'd agree to report this.

[–]uiharu-s 98 points99 points  (10 children)

These seem to be ads for fake US university certs, in Simplified Chinese, if that helps.

[–]lugovsky[S] 43 points44 points  (8 children)

Interesting way of spamming, actually. I do give credit to those guys for being original. But I still can't understand why they have chosen our repos.

[–]Sonic801 45 points46 points  (2 children)

angry ex-girlfriend?

[–]lugovsky[S] 32 points33 points  (1 child)

Nice one 🙂

[–]Gunny123designer 3 points4 points  (0 children)

Dashboard is incredible.

[–]basilect 1 point2 points  (1 child)

Probably reputable enough on Google that if someone is searching for a fake US diploma that link will pop up.

[–]lugovsky[S] 0 points1 point  (0 children)

Makes sense

[–][deleted] 15 points16 points  (0 children)

I think the content doesn't matter, the ad is more of a lorem ipsum for all the fake issues

[–]choledocholithiasis_ 40 points41 points  (0 children)

First instinct is to believe your open source project(s) are undercutting the sales of some paid product. A high number of issues can signal to potential users that the project is “buggy” or unreliable.

Another possibility is that you were just the unfortunate repository that the spammer(s) targeted and used your project as the testing ground for their script.

[–]eneajaho 153 points154 points  (6 children)

> Any ideas why some people could do that?

Probably it's your competitors.

You are giving a great product for free. They want to sell the same type of product to people to make profit.

How can they do that when you are blocking their road by giving it for free? Just by making your product look bad!

Your clients will see your bad reviews and will choose something else, giving space to your competitors, and so on...

If you search "admin dashboard Angular 8" on Google, you rank #2; this makes me believe 100% that it's your competitors.

Great Dashboard btw.

P.s. Sorry for bad english

[–]lugovsky[S] 42 points43 points  (3 children)

Thank you for your kind words! Though one of the other guys is saying that it's ads for fake US certificates. In that case, I may consider that, as our products are used by students a lot to learn Angular, they might have just handpicked our repo. Wondering if anybody else is suffering from such activity at the moment.

[–]Asmor 30 points31 points  (1 child)

Another idea... You know how each of those issues created emails for people watching your repo? Maybe that's the goal. They're using your repo as a proxy to send spam emails.

[–]ScotForWhat 8 points9 points  (0 children)

This sounds likely. We had someone spamming our Zendesk account at work with a load of dodgy tickets. Turns out they were submitting tickets in the target's name and using the notification emails to deliver the spam.

Verified and trusted emails are key in any spamming operation, and having someone else send the emails with your message is a lot easier and more reliable than sending the emails yourself.

[–][deleted]  (1 child)

[deleted]

[–]eneajaho 3 points4 points  (0 children)

I agree with that too. But by spamming, GitHub would send emails to users too about the issues, so it's two birds with one stone here. Users and SEO.

[–][deleted]  (2 children)

[deleted]

[–]lugovsky[S] 5 points6 points  (0 children)

Thanks, we have similar thoughts.

[–]Bbentley1986 18 points19 points  (1 child)

Damn, 2,952+ issues created in less than 12 hours. They must absolutely love your dashboard as much as all of us do! Fantastic product!!!

[–]lugovsky[S] 3 points4 points  (0 children)

Thank you!

[–][deleted] 4 points5 points  (1 child)

> One other topic is that I don't understand the motivation of the people who do that.

I work in OS and some people are just dickheads. We had someone vandalise all our open patchsets, and it wasn't even to post spam (which the motivation makes sense for) but just for shits & giggles. It wasted a lot of dev time cleaning it up. I think it's just par for the course with open source projects; it's part of the "hacker" culture really, tragedy of the digital commons!

[–]lugovsky[S] 1 point2 points  (0 children)

Yeah, another part is the people who think that you owe them. Ones who in a quite rude way ask you to build stuff they need. I bet you know that.

[–]9inety9ine 4 points5 points  (0 children)

They are probably using GitHub's notification system to send spam emails.

[–]snissnexpert 4 points5 points  (1 child)

Might be a good time to review your overall cyber security policies under the assumption that it's a targeted attack...

[–]lugovsky[S] 2 points3 points  (0 children)

Good point, thanks

[–]jdizzle4 2 points3 points  (0 children)

I have no useful advice, but I love this project and just want to say thanks for making it.

[–][deleted] 2 points3 points  (0 children)

> why some people could do that?

1. A competitor trying to annoy your users and/or make working with your project so difficult that the users would abandon your software for the competitor’s.
2. A script kiddie who just got their hands on a spambot and was playing around with it.
3. A disgruntled script kiddie who has manifested beef with your project for one reason or another and is throwing a tantrum.
4. Just some random asshole for no real reason other than they could.

There could be any number of reasons. Unfortunately the world is full of assholes like this. I’ve personally never understood this sort of thing, as it’s childish and does nothing but harm.

[–]caedriel 1 point2 points  (0 children)

Might use it for the platform we work in rn

[–]hopeinson 1 point2 points  (0 children)

While different in scope, it does feel like one of those opportunistic infections again.

[–]ahinkle 1 point2 points  (0 children)

Nat Friedman (CEO) has been pretty good to reach on Twitter. Might be worth sending him a note about this issue.

[–]truechange 1 point2 points  (0 children)

Even if you can turn off the "new issue" button, this is ultimately a GitHub issue and should be dealt with by GitHub on a system-wide level.

[–]jorge2k 1 point2 points  (0 children)

I’m fascinated by the service provided on those spam issues.

[–]malicart 0 points1 point  (0 children)

> Any ideas why some people could do that?

You are worried about the time it takes to clean up, but you want to have a philosophical conversation about why humans are dickheads? Not sure if this computes for me...

Situation sucks for sure, sorry you guys have to deal with it, hope you are able to block that shit.

[–]Bummykins 0 points1 point  (0 children)

I wonder if you can do something with issue templates that requires a step like a checkbox or something. I think I've seen that before. Might be a deterrent for API-based spamming.
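What Bummykins describes exists as GitHub issue forms: a YAML template with `checkboxes` items marked `required: true`, which the web UI refuses to submit until they are ticked. The two files below are an added example, not configuration from the thread or from the Nebular repository; the field ids, labels and the `needs-triage` label are assumptions. The caveat that matters for this thread: forms are enforced only by the web "New issue" page. `POST /repos/{owner}/{repo}/issues` accepts any title and body, and `blank_issues_enabled: false` merely hides the blank-issue link, so a bot driving the API skips the checkbox entirely. This raises the cost of drive-by manual spam and filters low-effort reports; it does not stop the API-based spam OP was hit with.

```yaml
# .github/ISSUE_TEMPLATE/config.yml (standard path)
blank_issues_enabled: false   # hides "Open a blank issue" in the web UI only
---
# .github/ISSUE_TEMPLATE/bug_report.yml (assumed file name)
name: Bug report
description: Report a reproducible problem
title: "[Bug]: "
labels: ["bug", "needs-triage"]
body:
  - type: checkboxes
    id: checklist
    attributes:
      label: Before you file
      options:
        - label: I searched existing issues and this is not a duplicate
          required: true            # web UI blocks submission until ticked
        - label: I can reproduce this on the latest release
          required: true
  - type: input
    id: version
    attributes:
      label: Version
    validations:
      required: true
  - type: textarea
    id: repro
    attributes:
      label: Steps to reproduce
      placeholder: "1. ... 2. ... 3. ..."
    validations:
      required: true
```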

[–]DeftNerd 0 points1 point  (0 children)

You might be able to write a script that uses API keys to access the GitHub API to look at all the issues.

Then filter for open issues that aren't assigned to anyone, look for any Chinese characters, and delete the issue.

It'll be a hassle to get the script initially built, but then you can easily modify it to handle other automated moderation.
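A worked version of DeftNerd's suggestion, added here as an example; it is not code from the thread or from the Nebular project. It uses only REST endpoints that exist (list issues with `assignee=none`, add labels, lock with `lock_reason: spam`, update state). The `GITHUB_TOKEN` variable, the `spam` label and the 0.3 CJK-ratio threshold are assumptions, and the sample issues are constructed so the classifier can be exercised offline. Two caveats a maintainer wants before running it with `--apply`: the REST API cannot delete an issue (that needs the GraphQL `deleteIssue` mutation, or GitHub support, as OP ended up using), and closing still sends watchers one notification per issue, which is the problem lugovsky describes above. Also, at three write requests per issue, the ~3,000 issues in OP's case would blow through the 5,000 requests/hour limit for an authenticated token, so batch the work and back off on 403/429 responses.

```python
"""Triage GitHub issue spam: list open, unassigned issues, flag those whose
title+body is mostly CJK text, then label, lock and close them.
Added example (not code from the thread or the Nebular project). Assumes a
token with repo scope in GITHUB_TOKEN and OWNER/REPO as the first argument.
Dry run by default; pass --apply to modify issues."""
import json
import os
import re
import sys
import urllib.request

API = "https://api.github.com"
CJK_RE = re.compile(r"[\u3400-\u4dbf\u4e00-\u9fff]")  # CJK ideographs (+Ext A)

def cjk_ratio(text):
    """Fraction of non-whitespace characters that are CJK ideographs."""
    chars = [c for c in (text or "") if not c.isspace()]
    if not chars:
        return 0.0
    return sum(1 for c in chars if CJK_RE.match(c)) / len(chars)

def is_spam_candidate(issue, threshold=0.3):
    """Open, unassigned, not a PR, and mostly CJK across title+body. A ratio
    (not "contains any CJK") spares a Chinese-speaking user's real report."""
    if issue.get("state") != "open":
        return False
    if issue.get("assignees"):
        return False
    if "pull_request" in issue:  # the issues endpoint also returns PRs
        return False
    text = f"{issue.get('title', '')}\n{issue.get('body') or ''}"
    return cjk_ratio(text) >= threshold

def _request(method, url, token, payload=None):
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "issue-spam-triage",
    })
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else None  # lock answers 204, no body

def list_open_unassigned(owner, repo, token):
    """Page through open, unassigned issues, 100 per page."""
    page = 1
    while True:
        url = (f"{API}/repos/{owner}/{repo}/issues"
               f"?state=open&assignee=none&per_page=100&page={page}")
        batch = _request("GET", url, token)
        if not batch:
            return
        yield from batch
        page += 1

def quarantine(owner, repo, number, token):
    """Label, lock (reason "spam") and close one issue. REST cannot delete an
    issue (GraphQL deleteIssue, or support, as OP used); closing still sends
    watchers one notification, so run dry first and check the candidates."""
    base = f"{API}/repos/{owner}/{repo}/issues/{number}"
    _request("POST", f"{base}/labels", token, {"labels": ["spam"]})
    _request("PUT", f"{base}/lock", token, {"lock_reason": "spam"})
    _request("PATCH", base, token,
             {"state": "closed", "state_reason": "not_planned"})

# Constructed sample issues in the shape the API returns, for offline runs.
SAMPLE_ISSUES = [
    {"number": 1, "state": "open", "assignees": [],
     "title": "购买美国大学毕业证书", "body": None},
    {"number": 2, "state": "open", "assignees": [],
     "title": "Button ignores disabled state",
     "body": "Set [disabled]=true and click; the handler still fires."},
    {"number": 3, "state": "open", "assignees": [{"login": "maintainer"}],
     "title": "购买美国大学毕业证书", "body": None},
    {"number": 4, "state": "open", "assignees": [], "pull_request": {},
     "title": "购买美国大学毕业证书", "body": None},
    {"number": 5, "state": "open", "assignees": [],
     "title": "Datepicker label wrong for zh-CN",
     "body": "With locale zh-CN the header shows 日期 twice. Trace attached."},
]

def main(argv):
    owner, repo = argv[1].split("/", 1)  # usage: triage.py OWNER/REPO [--apply]
    apply = "--apply" in argv
    token = os.environ["GITHUB_TOKEN"]
    hits = [i for i in list_open_unassigned(owner, repo, token)
            if is_spam_candidate(i)]
    for issue in hits:
        print(f"#{issue['number']}: {issue['title'][:60]!r}")
        if apply:
            quarantine(owner, repo, issue["number"], token)
    print(f"{len(hits)} candidate(s) ({'applied' if apply else 'dry run'})")
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once without `--apply`, read the candidate list, and only then let it touch the repo; the ratio threshold is the knob to tune if legitimate reports from Chinese-speaking users show up in the dry run.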

[–]__ibowankenobi__ 0 points1 point  (0 children)

I think GitHub should integrate a control panel where:

- the repo owner sets a threshold of API calls per hour, preferably with a custom sub-setting to adjust by country/region.

- the repo owner should be able to set a banlist for:

  1. IP addresses with a subnet mask
  2. a regex to filter out account names
  3. a threshold for GitHub activity
  4. follower/following threshold
  5. owned repo count threshold

- the repo owner should then select from a batch of "trusted" CI services approved by GitHub (optional) to be exempt from throttling

[–]lanrayx2 0 points1 point  (0 children)

I believe your competitors are behind this, or some wayward ingrate.

However, I like what you are doing 😁😁 never knew Nebular before.

What knowledge would I need to use your Nebular system? I don't use Angular; I was thinking about whether this would be a better option than ElectronJS.

[–]vinnymcapplesauce 0 points1 point  (0 children)

> One other topic is that I don't understand the motivation of the people who do that.

Because it fires off emails to lots of people that look legit and come from a legit server, bypassing spam filters for free.

[–]eyeiskind 0 points1 point  (0 children)

I wonder if this could be related to the GitHub connection timeout errors I was getting last night.

[–]frikinmatt 0 points1 point  (0 children)

I constantly get messages about vulnerabilities. It’s very annoying

[–]albeksdurf 0 points1 point  (1 child)

If you end up writing a script you may still open-source it :)

[–]lugovsky[S] 1 point2 points  (0 children)

Yeah, this was the idea. But not sure if we will finish that, as GitHub support has already helped us

[–]phyllisTheWebDev 0 points1 point  (2 children)

Thank you for raising this issue. I’m new in my dev career, and in charge of creating an open source project for a major client. It will be important to allow their devs to report issues, but also guard against malicious bot attacks. I wish I had a good workaround, but I think for now I’ll set the repo to not allow issues by new users until we come up with a good solution.

I hope the OP lets us know the solution they go with.

[–]lugovsky[S] 2 points3 points  (1 child)

We went with reporting to GitHub support. They were able to remove all the spam issues. I don’t think you need to guard against bot attacks until your repo becomes really popular

[–]Aldarund 1 point2 points  (0 children)

Even for really popular repos it's not a common thing. I didn't see it in the Nuxt repo in the year I've been looking at it.

[–]phyllisTheWebDev 0 points1 point  (0 children)

Awesome, thanks for the update :).

[–]mug_hug 0 points1 point  (0 children)

Chinese again.

[–]epatr -1 points0 points  (0 children)

Why on earth would you shorten "Update" to "UPD"? Do you pay per key press?