is-a-dev / register

Grab your own sweet-looking '.is-a.dev' subdomain.
https://www.is-a.dev
GNU General Public License v3.0
3.06k stars 7.37k forks

Receiving phishing emails to my attached contact email #14802

Closed 17sdheeraj closed 3 weeks ago

17sdheeraj commented 1 month ago

Hello! For a few days I have been receiving phishing emails at the email address I added to my file (contact-sdheeraj-isadev@domain.com). I opened this issue to ask whether anyone else has been receiving this type of email. Some screenshots of the emails: [image] [image] More were sent but got rejected and were not delivered to me.

My subdomain

https://sdheeraj.is-a.dev

CuteDog5695 commented 1 month ago

Wait... I've also gotten emails from the umm.de domain. Is it possible that somebody is emailing everyone who has a domain here?

Stef-00012 commented 1 month ago

same here

[screenshot: Screenshot_20240710_191711_Gmail]

xzonix commented 1 month ago

I got the exact same mail from a German charity telling me that I received a private donation. [image]

xzonix commented 1 month ago

That email arrived in my second Gmail account, and I never gave that address to is-a.dev. [image]

17sdheeraj commented 1 month ago

> Wait... I've also gotten emails from the umm.de domain. Is it possible that somebody is emailing everyone who has a domain here?

Might be. They probably scraped the whole repository, collected all the emails from the JSON files, and are now sending phishing emails to the collected addresses.

The best way to fix this issue for the future is https://github.com/is-a-dev/register/issues/13721

wdhdev commented 1 month ago

Would it be worth dropping emails in the owner key entirely and just relying on the commit history?

17sdheeraj commented 1 month ago

> Would it be worth dropping emails in the owner key entirely and just relying on the commit history?

I think it would be best if the contact info and other info were collected via Discord, Google Forms or some other platform, so that the admins have access to the info and the public doesn't. It would also be best if you sent a mail to the addresses in the JSON files telling people to ignore/block the spam mails they have been receiving.

17sdheeraj commented 1 month ago

Also change the issue's labels if possible

17sdheeraj commented 1 month ago

The spam is increasing day by day. [image]

xzonix commented 1 month ago

> The spam is increasing day by day. [image]

Yo bro, this also happened to me. Luckily I acted fast and removed my email from the JSON file, and I didn't get any more emails. Just leave "mail" blank and add Discord to the JSON.

wdhdev commented 1 month ago

@phenax Could we use an external DB of some sorts?

phenax commented 1 month ago

Let's not ask for email anymore? It was a bad idea to ask for that in the first place. Who came up with this terrible system? Oh right, it was me.

But I think any reliable means to contact them is more than good enough, and since a lot of our users are also on Discord, that seems like a good default. If not that, Twitter, Mastodon, etc. work just as well. At least one more way to get in touch other than GitHub. If all else fails, we still have the GitHub username to tag them in issues or discussions.

We can also remove all existing emails or encrypt them in place, but that information is already spread across thousands of forks and all PRs, so I'm not sure how much that helps.

@is-a-dev/maintainers, what do you all think?

17sdheeraj commented 1 month ago

> The spam is increasing day by day. [image]

> Yo bro, this also happened to me. Luckily I acted fast and removed my email from the JSON file, and I didn't get any more emails. Just leave "mail" blank and add Discord to the JSON.

If that is the case, that means they are fetching emails from GitHub instead of scraping and storing them.

xzonix commented 1 month ago

> The spam is increasing day by day. [image]

> Yo bro, this also happened to me. Luckily I acted fast and removed my email from the JSON file, and I didn't get any more emails. Just leave "mail" blank and add Discord to the JSON.

> If that is the case, that means they are fetching emails from GitHub instead of scraping and storing them.

Probably they are.

DEV-DIBSTER commented 1 month ago

> Let's not ask for email anymore? It was a bad idea to ask for that in the first place. Who came up with this terrible system? Oh right, it was me.

> But I think any reliable means to contact them is more than good enough, and since a lot of our users are also on Discord, that seems like a good default. If not that, Twitter, Mastodon, etc. work just as well. At least one more way to get in touch other than GitHub. If all else fails, we still have the GitHub username to tag them in issues or discussions.

> We can also remove all existing emails or encrypt them in place, but that information is already spread across thousands of forks and all PRs, so I'm not sure how much that helps.

> @is-a-dev/maintainers, what do you all think?

Damage has already been done, sadly, but yes, I do think we should:

  1. Remove the email field.
  2. Switch over to Discord ID contact.
  3. Hope for the best from the changes.

17sdheeraj commented 1 month ago

> Let's not ask for email anymore? It was a bad idea to ask for that in the first place. Who came up with this terrible system? Oh right, it was me.

> But I think any reliable means to contact them is more than good enough, and since a lot of our users are also on Discord, that seems like a good default. If not that, Twitter, Mastodon, etc. work just as well. At least one more way to get in touch other than GitHub. If all else fails, we still have the GitHub username to tag them in issues or discussions.

> We can also remove all existing emails or encrypt them in place, but that information is already spread across thousands of forks and all PRs, so I'm not sure how much that helps.

> @is-a-dev/maintainers, what do you all think?

> Damage has already been done, sadly, but yes, I do think we should:

>   1. Remove the email field.
>   2. Switch over to Discord ID contact.
>   3. Hope for the best from the changes.

I agree.

17sdheeraj commented 1 month ago

> The spam is increasing day by day. [image]

> Yo bro, this also happened to me. Luckily I acted fast and removed my email from the JSON file, and I didn't get any more emails. Just leave "mail" blank and add Discord to the JSON.

> If that is the case, that means they are fetching emails from GitHub instead of scraping and storing them.

> Probably they are.

That means we can stop them if we remove the email field.

xzonix commented 1 month ago

> Let's not ask for email anymore? It was a bad idea to ask for that in the first place. Who came up with this terrible system? Oh right, it was me.

> But I think any reliable means to contact them is more than good enough, and since a lot of our users are also on Discord, that seems like a good default. If not that, Twitter, Mastodon, etc. work just as well. At least one more way to get in touch other than GitHub. If all else fails, we still have the GitHub username to tag them in issues or discussions.

> We can also remove all existing emails or encrypt them in place, but that information is already spread across thousands of forks and all PRs, so I'm not sure how much that helps.

> @is-a-dev/maintainers, what do you all think?

> Damage has already been done, sadly, but yes, I do think we should:

>   1. Remove the email field.
>   2. Switch over to Discord ID contact.
>   3. Hope for the best from the changes.

I definitely agree.

wdhdev commented 1 month ago

> Let's not ask for email anymore? It was a bad idea to ask for that in the first place. Who came up with this terrible system? Oh right, it was me.

I created https://data.is-a.dev a few months to a year ago, basically to prove that is-a.dev is literally just a data farm for scammers.

> But I think any reliable means to contact them is more than good enough, and since a lot of our users are also on Discord, that seems like a good default. If not that, Twitter, Mastodon, etc. work just as well. At least one more way to get in touch other than GitHub. If all else fails, we still have the GitHub username to tag them in issues or discussions.

Yeah, that would work. However, what would we do with existing domains, just keep only GitHub usernames? This also brings up another issue: what do we do with domains where the original author's account has been deleted, and what do we do about username changes, because we can't exactly rely on people to immediately update their info.

> We can also remove all existing emails or encrypt them in place, but that information is already spread across thousands of forks and all PRs, so I'm not sure how much that helps.

Yeah, not much we can do about that. However, removing them all from the main repo would help.

17sdheeraj commented 1 month ago

> Let's not ask for email anymore? It was a bad idea to ask for that in the first place. Who came up with this terrible system? Oh right, it was me.

> I created https://data.is-a.dev a few months to a year ago, basically to prove that is-a.dev is literally just a data farm for scammers.

> But I think any reliable means to contact them is more than good enough, and since a lot of our users are also on Discord, that seems like a good default. If not that, Twitter, Mastodon, etc. work just as well. At least one more way to get in touch other than GitHub. If all else fails, we still have the GitHub username to tag them in issues or discussions.

> Yeah, that would work. However, what would we do with existing domains, just keep only GitHub usernames? This also brings up another issue: what do we do with domains where the original author's account has been deleted, and what do we do about username changes, because we can't exactly rely on people to immediately update their info.

> We can also remove all existing emails or encrypt them in place, but that information is already spread across thousands of forks and all PRs, so I'm not sure how much that helps.

> Yeah, not much we can do about that. However, removing them all from the main repo would help.

Why don't you make data.is-a.dev private, collect the info and keep it there for admins?

MaskDuck commented 1 month ago

@0v90's suggestion, which landed in my DMs: [image]

creeperita09 commented 1 month ago

Yep, I got the email in the second screenshot.

xzonix commented 1 month ago

> @0v90's suggestion, which landed in my DMs: [image]

Another idea would be that you must provide the email on the is-a.dev website, and when you submit the email/data it is automatically sent to data.is-a.dev instead of going through the GitHub JSON files.

17sdheeraj commented 1 month ago

> @0v90's suggestion, which landed in my DMs: [image]

> Another idea would be that you must provide the email on the is-a.dev website, and when you submit the email/data it is automatically sent to data.is-a.dev instead of going through the GitHub JSON files.

Yeah, this idea is good, but it would take a little time to code.

xzonix commented 1 month ago

> @0v90's suggestion, which landed in my DMs: [image]

> Another idea would be that you must provide the email on the is-a.dev website, and when you submit the email/data it is automatically sent to data.is-a.dev instead of going through the GitHub JSON files.

> Yeah, this idea is good, but it would take a little time to code.

Yes, it can be hard to code, but it's for y'all's security.

17sdheeraj commented 1 month ago

> Yes, it can be hard to code, but it's for y'all's security.

Yes.

phenax commented 1 month ago

> Another idea would be that you must provide the email on the is-a.dev website, and when you submit the email/data it is automatically sent to data.is-a.dev instead of going through the GitHub JSON files.

I think this introduces a weird bit of complexity that's better avoided. Although if we all agree that having users' email addresses is worth that complexity, then we can go with this.

> However, what would we do with existing domains, just keep only GitHub usernames?

We can send people an email letting them know that we're removing email addresses and asking them to update their contacts. Whether they do that or not is up to them.

But I would still like to point out that once we remove all the email addresses, what's stopping someone from going one commit before the change? Even if we rebase everything since the dawn of time, any recent fork can still be used. We should still do it, but if we can think of a solution that obscures it better, we should consider it.

On a side note, what if we screw with the people scraping this information a bit? Change the emails to point to nothing, making them unusable but still giving the scrapers a false sense that this is reaching someone.

ghost commented 1 month ago
>   1. Remove the email field.
>   2. Switch over to Discord ID contact.
>   3. Hope for the best from the changes.

I generally think any directly shown "social contact" that directly links to a person is no good for their privacy. It should rather be encrypted, and maybe the user should even be given a unique ID, so that none of their info is exposed publicly.

ghost commented 1 month ago

> Another idea would be that you must provide the email on the is-a.dev website, and when you submit the email/data it is automatically sent to data.is-a.dev instead of going through the GitHub JSON files.

> I think this introduces a weird bit of complexity that's better avoided. Although if we all agree that having users' email addresses is worth that complexity, then we can go with this.

> However, what would we do with existing domains, just keep only GitHub usernames?

> We can send people an email letting them know that we're removing email addresses and asking them to update their contacts. Whether they do that or not is up to them.

> But I would still like to point out that once we remove all the email addresses, what's stopping someone from going one commit before the change? Even if we rebase everything since the dawn of time, any recent fork can still be used. We should still do it, but if we can think of a solution that obscures it better, we should consider it.

> On a side note, what if we screw with the people scraping this information a bit? Change the emails to point to nothing, making them unusable but still giving the scrapers a false sense that this is reaching someone.

For now the most important thing is focusing on the security/privacy of the current users. Messing with whoever is behind the phishing attacks can come later, after dealing with point 1, which matters most!

ghost commented 1 month ago

> suggestion

It was never said to be easy; it will indeed be complex. Getting the data, encrypting it and giving each user a unique ID can actually be the easy part. The hard part is storing it in a database and actually working with the database itself, which will surely be a big hassle, especially with hundreds of thousands of users or even more! Whether it is worth it is really up to you to evaluate as you see fit, but IMO it may be one of the ways to secure the user info and make sure no info about them is publicly exposed to anyone other than the devs of the project.

This is just one idea; there are definitely more ideas, and even better ones.

17sdheeraj commented 1 month ago

> It was never said to be easy; it will indeed be complex. Getting the data, encrypting it and giving each user a unique ID can actually be the easy part. The hard part is storing it in a database and actually working with the database itself, which will surely be a big hassle, especially with hundreds of thousands of users or even more! Whether it is worth it is really up to you to evaluate as you see fit, but IMO it may be one of the ways to secure the user info and make sure no info about them is publicly exposed to anyone other than the devs of the project.

> This is just one idea; there are definitely more ideas, and even better ones.

Yes, it would be good if there were a poll or something on this, so people can add their ideas and vote for the best one.

DEV-DIBSTER commented 1 month ago

> I generally think any directly shown "social contact" that directly links to a person is no good for their privacy. It should rather be encrypted, and maybe the user should even be given a unique ID, so that none of their info is exposed publicly.

While I understand where you're going with this (less user information publicly), I believe a temporary and easy solution is to lock it down to a platform which can limit any form of direct spam.

An email is an email: anyone who gets their hands on someone's email can send mail to it, or sign it up for newsletters, and nothing is stopping these sites or scammers from sending it. Nobody sends newsletters through Discord. The worst thing, in my opinion, is a tiny increase in friend requests or message requests. That's it.

We can think of long-term solutions here, but as a quick fix, just limit it to a Discord ID. Every staff member here has Discord, from what I'm aware of. Yeah, that's my two cents.

ghost commented 1 month ago

> We can think of long-term solutions here, but as a quick fix, just limit it to a Discord ID. Every staff member here has Discord, from what I'm aware of. Yeah, that's my two cents.

I can still write a "friend request" spam bot for all these IDs. Yes, the spam messages would be few to none unless the person accepts some of these friend requests and message DMs, but still, it is another idea that is not completely secure/private for the user's info. The idea is indeed a lot more limiting than emails, but how limiting it is overall, and how effective it will actually be, I don't know either. I guess we would have to wait and see if the idea is considered.

wdhdev commented 1 month ago

> But I would still like to point out that once we remove all the email addresses, what's stopping someone from going one commit before the change? Even if we rebase everything since the dawn of time, any recent fork can still be used. We should still do it, but if we can think of a solution that obscures it better, we should consider it.

Maybe @github-staff could somehow purge all forks and rebase the entire repo? It would be a bit complicated, but it would do most of the work for us.

> I can still write a "friend request" spam bot for all these IDs. Yes, the spam messages would be few to none unless the person accepts some of these friend requests and message DMs, but still, it is another idea that is not completely secure/private for the user's info. The idea is indeed a lot more limiting than emails, but how limiting it is overall, and how effective it will actually be, I don't know either. I guess we would have to wait and see if the idea is considered.

A unique key would be best in this situation; then users can just link their Discord accounts and such through a web portal or something.

wdhdev commented 1 month ago

Personally, I think we should set up some unique-ID-based system (is there some sort of OSS that does this?), as multiple users in this thread have suggested.

The owner key could be updated from an object to just a string value like this:

{
  "owner": "k2H9rSQ6KB2373b3FeUR28WX8RxaZvn6"
}

We could probably (and fairly easily...) create a script to register all existing owner information with a database which then returns a custom ID like the one above and it will just update all domains to be like this.

17sdheeraj commented 1 month ago

> Personally, I think we should set up some unique-ID-based system (is there some sort of OSS that does this?), as multiple users in this thread have suggested.

> The owner key could be updated from an object to just a string value like this:

> {
>   "owner": "k2H9rSQ6KB2373b3FeUR28WX8RxaZvn6"
> }

> We could probably (and fairly easily...) create a script to register all existing owner information with a database which then returns a custom ID like the one above and it will just update all domains to be like this.

This is the best idea so far, in my opinion.

MaskDuck commented 1 month ago

> Personally, I think we should set up some unique-ID-based system (is there some sort of OSS that does this?), as multiple users in this thread have suggested.

> The owner key could be updated from an object to just a string value like this:

> {
>   "owner": "k2H9rSQ6KB2373b3FeUR28WX8RxaZvn6"
> }

> We could probably (and fairly easily...) create a script to register all existing owner information with a database which then returns a custom ID like the one above and it will just update all domains to be like this.

How about the people who prefer the old write-your-own-JSON registration method? Do you ask them to pretend to be a bot and write a "string value" from scratch?

17sdheeraj commented 1 month ago

> Personally, I think we should set up some unique-ID-based system (is there some sort of OSS that does this?), as multiple users in this thread have suggested. The owner key could be updated from an object to just a string value like this:

> {
>   "owner": "k2H9rSQ6KB2373b3FeUR28WX8RxaZvn6"
> }

> We could probably (and fairly easily...) create a script to register all existing owner information with a database which then returns a custom ID like the one above and it will just update all domains to be like this.

> How about the people who prefer the old write-your-own-JSON registration method? Do you ask them to pretend to be a bot and write a "string value" from scratch?

For that, I think they can make a Discord bot which generates an ID for people, so they can use it in their JSON.

wdhdev commented 1 month ago

> For that, I think they can make a Discord bot which generates an ID for people, so they can use it in their JSON.

That could be good. Like it encrypts their details with a hash/salt that can be decrypted using a master key?

17sdheeraj commented 1 month ago

> For that, I think they can make a Discord bot which generates an ID for people, so they can use it in their JSON.

> That could be good. Like it encrypts their details with a hash/salt that can be decrypted using a master key?

Yes, or the user gives their details to the bot, and the bot stores them and gives the user a unique user ID which can be used in the JSON. The data will be sent to a database like data.is-cool.dev which will be accessible only by admins.

wdhdev commented 1 month ago

Yeah that was my idea.

17sdheeraj commented 1 month ago

> Yeah that was my idea.

Then you all can implement the idea.

wdhdev commented 1 month ago

[screenshot: Screenshot_20240716_165016_Outlook]

17sdheeraj commented 1 month ago

> [screenshot: Screenshot_20240716_165016_Outlook]

I have received the same.

17sdheeraj commented 1 month ago

> For that, I think they can make a Discord bot which generates an ID for people, so they can use it in their JSON.

> That could be good. Like it encrypts their details with a hash/salt that can be decrypted using a master key?

> Yes, or the user gives their details to the bot, and the bot stores them and gives the user a unique user ID which can be used in the JSON. The data will be sent to a database like data.is-cool.dev which will be accessible only by admins.

Any update on when you all will make a Discord bot and fix this issue?

MaskDuck commented 1 month ago

Some of our users do not use Discord, I'm afraid.

andrewstech commented 1 month ago

> Personally, I think we should set up some unique-ID-based system (is there some sort of OSS that does this?), as multiple users in this thread have suggested.

> The owner key could be updated from an object to just a string value like this:

> {
>   "owner": "k2H9rSQ6KB2373b3FeUR28WX8RxaZvn6"
> }

> We could probably (and fairly easily...) create a script to register all existing owner information with a database which then returns a custom ID like the one above and it will just update all domains to be like this.

I'm actually making a similar system for open-domains. I'm thinking we should also include the GitHub user ID in the encrypted data; then ReviewMate should be able to decrypt it and verify that the user hasn't copied and pasted someone else's, if that makes sense.

andrewstech commented 1 month ago

https://github.com/is-a-dev/owl - We now have a beta version running at https://owl.is-a.dev

You select an email from your GitHub account and it gives you a unique ID. There is no DB; the ID given to you is your email and GitHub username/ID, encrypted.

17sdheeraj commented 1 month ago

> https://github.com/is-a-dev/owl - We now have a beta version running at https://owl.is-a.dev

> You select an email from your GitHub account and it gives you a unique ID. There is no DB; the ID given to you is your email and GitHub username/ID, encrypted.

This looks cool, but can we have an option to edit the email address? Many people do not like giving their main email address and instead give their alt email address.

17sdheeraj commented 1 month ago

You could also add other fields, like another email address (just in case the main one doesn't work), Discord ID, Twitter, and other stuff.