How to protect spam bot attacks in Discussion?

[serge-rider]

Select Topic Area

Question

Body

Last week we experience a massive spam attack in our discussion: https://github.com/orgs/dbeaver/discussions
Several thousands of new discussions and comments are created every day. Eventually Discussions become useless.

We cannot block spam bots by reporting every single one to GitHub (new ones created faster than we block them).
We cannot block them by ourselves because moving a user to a block list doesn't prevent it to create new discussions (it works only for issues/PRs).

DBeaver is a popular community with thousands of users. But we will have to close discussions completely next week.

Is there any other possibility?

[Xelliese]

One thing you could try is tightening up your account creation process, like adding email verification or CAPTCHAs. Another option might be using automated spam detection tools, although they might not catch everything.

[LiteBrite82]

@serge-rider,
We feel your pain! We have a small team (myself included) that takes care of the spam that makes it past our AI filters in this discussion board; not to mention GitHub as a whole. You can mitigate by Limiting interactions in your repository.

Admins can also block/ban individual users in the "comment options" dropdown; it also has an option to delete or hide all of that users posts (batch) to save time.

[nicholaszein]

Unfortunately, these options are only available to comments. The initial post doesn't have this option. You have to block each one manually in the Moderation settings and delete the discussion, also manually (unless to spend time creating an automation, which is a huge waste of time).

It would help if we had the option to select multiple discussions in the discussions list (just like with Issues) and perform actions like delete and block authors.

[nicholaszein]

We are also suffering from this problem in our organization's discussions.

I had to change all categories to the "Announcement" type to prevent users from posting. I am now painstakingly deleting thousands of posts one by one.

[jricciardi]

FYI folks, we have escalated this internally. I can't share timeline or make promises on their behalf, but the team responsible for mitigating GitHub-wide spam is aware of this new abuse vector and is prioritizing it alongside other GitHub-wide abuse vectors.

[LiteBrite82]

@serge-rider
We Just added some new functionality for organizations deleting posts when blocking users: Delete discussions when blocking their author from your organization #134309

[Burhan-Q]

This is great to hear! One problem I have encountered personally in trying to deal with spam Issues, Discussions, and Topics is that after reporting 4-5 users, I get blocked for "high number of reports" in rapid succession. I understand why there needs to be a cooldown for reporting user accounts, but that means that that account can only be blocked from the organization, while still operating elsewhere on GitHub.

Perhaps using some other metrics to give "weight" to the report would help? As in, if the age of the reported account is low, but the comment/issue/discussion activity is high, and the account is reported, it would have heavy weight. For long standing accounts, with mixed or sparse activity, maybe lighten the "weight" to avoid taking action on a real account (just one thought off the top of my head).

I've opened a support ticket about this as well, but haven't heard back. We've experienced numerous instances where users with accounts only a few hours or days old, opening 20-30 discussions/issues in the repo. When there are 15-20 of these accounts, it means only one person can report ~1/4 of them before getting timed out. Seems a bit backwards and would be great to have some help from GitHub on this.

[LiteBrite82]

@Burhan-Q
That information is so valuable! can you create a new discussion around it so its easier to track?

[freelerobot]

Any updates on this? We're a newish 22k ⭐️ repo, and getting phishing/malware comments on every single new issue created.

Pattern:

1. Scam account comments a malicious link within ~5 seconds
2. Scam account is older than 1 years, in most cases
3. We block them from the org
4. The account disappears from the blocked list - likely their automating rotating usernames or deleting the account?
5. New accounts are used each time

Github has become our biggest risk vector for users

[LiteBrite82]

Hi @0xSage , 👋🏻 We really appreciate you flagging this. The best route to get this to the proper GitHub team is to use our abuse reporting tools. Here's all the info:

• Reporting abuse or spam
• Reporting a user
• Reporting an issue or pull request
• Reporting a comment

You can report behavior and content that violates community guidelines and terms. For this and any future incidents, please refer to the links above.

Thank you!

[LiteBrite82]

@0xSage what is the repo name / link?

[freelerobot]

Update:

• Github responded very quickly to each case, and blocked the underlying accounts
• The bot stopped after about 1 hour

Kudos to Github team for promptly shutting down the bot accounts.
Presumably, they spent money buying those accounts so this is the best resolution^

Incidence samples:

• bug: updater is broken for v67, 68 janhq/cortex.cpp#1264 (comment)
• idea: A subcommand is required should just stdout -h janhq/cortex.cpp#1262 (comment)

Repos:

• https://github.com/janhq/jan and
• https://github.com/janhq/cortex.cpp

Long term, I'm wondering if a moderation tool like Discord, where mods can ban certain phrases/regex in Github issues/comments would be amazing. We're on Enterprise, so this would be a little feature we dont mind paying for. 🙏

[gjsjohnmurray]

@jricciardi @LiteBrite82 https://github.com/microsoft/vscode-discussions/discussions/ is being badly affected by this problem. It would help if repo owners could block access from GH accounts that are "new" or that don't have an established reputation of non-recent contributions to other repos.

[Anutrix]

The issue is seen in winget-cli repo too: https://github.com/microsoft/winget-cli/issues?q=is%3Aissue%20state%3Aopen%20author%3Amindmasterzonk
microsoft/winget-cli#4958
microsoft/winget-cli#4957
microsoft/winget-cli#4956
microsoft/winget-cli#4955

These spam bots create ticket immediately after account creation it seems.
Shoudn't Microsoft/Github limit the number of issue creations as soon as account is created. Limit it to 5/10 for first day or something.

[ghost]

Hi @jricciardi @LiteBrite82 we're seeing this as well (newish repo - ~22k stars). Our PR's are being spammed. Any help here would be appreciated

Examples -

• Litellm staging 05 10 2025 - openai pdf url support + sagemaker chat content length error fix  BerriAI/litellm#10724
• complete unified batch id support - replace model in jsonl to be deployment model name  BerriAI/litellm#10719 (comment)

[NarendraJoglekar]

One thing you could try is tightening up your account creation process, like adding email verification or CAPTCHAs. Another option might be using automated spam detection tools, although they might not catch everything.

[RidmaShehan]

How to protect against spam bot attacks in GitHub Discussions

GitHub provides several built-in tools to reduce and control spam in Discussions, but there is no single “anti-spam switch”. Protection works best when you combine multiple controls.

---

1️⃣ Restrict who can create discussions

You can limit participation to trusted users.

Path:

Options include:

• Only contributors
• Only users with repository access
• Disable discussions entirely if needed

This is the most effective way to stop bot-created discussions.

---

2️⃣ Use moderation tools

For existing spam:

• Close the discussion
• Lock the discussion (prevents replies)
• Hide comments (moderators only)
• Report abuse (for policy violations)

Hidden comments remain invisible to the public but preserved for moderation review.

---

3️⃣ Require account maturity (implicit protection)

GitHub automatically limits actions for:

• Brand-new accounts
• Accounts with suspicious activity

This protection is automatic and not configurable, but it helps reduce bot spam.

---

4️⃣ Disable links and markdown abuse (manual enforcement)

Most spam relies on links. As a moderator:

• Remove comments with malicious URLs
• Lock threads used only for link dumping
• Add a rule in your repo’s Code of Conduct against promotional content

---

5️⃣ Use GitHub Actions for monitoring (advanced)

While Actions cannot block posts directly, they can:

• Monitor new discussions
• Detect spam keywords or excessive links
• Notify maintainers automatically

Example use cases:

• Alert when a discussion contains known spam patterns
• Auto-label suspicious discussions

---

6️⃣ Add clear community rules

Create a pinned discussion like:

🚫 No promotions, SEO links, or unrelated content
⚠️ Spam will be removed and accounts reported

Clear rules reduce repeat abuse and justify moderation actions.

---

7️⃣ Disable Discussions temporarily (last resort)

If spam becomes unmanageable: