Deleted organisations (spammers) still send out installation events for apps


#1

Hiya, in recent days we’ve been seeing multiple instances of spam orgs with thousands or tens of thousands of repos (e.g. https://api.github.com/users/dalavanmanphonsy), which then install our app on all repositories. The spam accounts themselves are usually deleted quickly by GitHub, but the installation events keep coming. We can manually ignore them, but that forces us to stay on top of an avoidable problem, plus it seems like legitimate install events are delayed quite severely on the GitHub side already, since it’s busy sending install events for thousands of repos that no longer exist.

So basically: would be great if deleted orgs/repos wouldn’t send app installation events.

Thanks! :wave:
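One way an app's webhook receiver could automate the manual ignoring described in the post above, shown as an added example that is not part of the original thread or anyone's production code. It assumes a hypothetical injected `account_exists` lookup and constructed sample deliveries; the result is cached per login so a flood of events from one deleted org costs a single lookup.

```python
from typing import Callable, Dict, List, Tuple


class InstallationFilter:
    """Skips `installation` webhook deliveries whose account no longer exists."""

    def __init__(self, account_exists: Callable[[str], bool]):
        # account_exists is a hypothetical injected lookup. In production it could
        # wrap GET https://api.github.com/users/<login> and treat a 404 as "gone".
        self._account_exists = account_exists
        self._cache: Dict[str, bool] = {}  # no expiry here; add a TTL in a service
        self.lookups = 0

    def _exists(self, login: str) -> bool:
        key = login.lower()  # GitHub logins are case-insensitive
        if key not in self._cache:
            self.lookups += 1
            self._cache[key] = self._account_exists(login)
        return self._cache[key]

    def should_process(self, event_name: str, payload: dict) -> bool:
        # event_name is the value of the X-GitHub-Event request header.
        if event_name != "installation" or payload.get("action") != "created":
            return True  # only new-install events are filtered here
        account = (payload.get("installation") or {}).get("account") or {}
        login = account.get("login")
        if not login:
            return False  # no account to attribute the install to
        return self._exists(login)


def run_demo() -> Tuple[List[str], int]:
    # Constructed sample deliveries: (X-GitHub-Event value, trimmed payload).
    def install(login: str) -> Tuple[str, dict]:
        return ("installation", {"action": "created",
                                 "installation": {"account": {"login": login}}})

    deliveries = [install("deleted-spam-org")] * 3 + [
        install("Deleted-Spam-Org"),
        install("legit-org"),
        ("installation", {"action": "deleted",
                          "installation": {"account": {"login": "deleted-spam-org"}}}),
    ]
    flt = InstallationFilter(lambda login: login == "legit-org")
    kept = [p["installation"]["account"]["login"] + ":" + p["action"]
            for name, p in deliveries if flt.should_process(name, p)]
    return kept, flt.lookups
```
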


#2

:wave: @espy,

thanks for your patience and apologies for the troubles caused. Last week we deployed changes to prevent spammy installers or spammy installation targets from installing GitHub Apps. Please note that this requires the installer/target to be flagged as a spammy user.

Dealing with installations that happened before the fix is still pending.

HTH,
Víctor