My domain got abused on Github Pages
My domain got abused on Github Pages
我的域名在 GitHub Pages 上被滥用了
May 10, 2026 2026年5月10日
The last few weeks I traveled through Africa, with barely any internet. At some point I got an email from Google Search Console about a new owner for the domain https://kafka.immersivepoints.com/. Weird… My immersivepoints.com domain is only used for one website hosted as a GitHub page. The website is for my 3D and VR point cloud visualizer, which in practice is just a simple hosted html page. There definitely is no Kafka involved here, let alone that I knew the new owner of this subdomain. 过去几周我一直在非洲旅行,几乎没有网络。某天,我收到了一封来自 Google Search Console 的邮件,称 https://kafka.immersivepoints.com/ 域名有了新的所有者。这很奇怪……我的 immersivepoints.com 域名只用于托管一个 GitHub Pages 网站。该网站是我用于 3D 和 VR 点云可视化的工具,实际上只是一个简单的 HTML 页面。这里绝对没有涉及 Kafka,更不用说我根本不认识这个子域名的新主人。
After I regained access to a normal speed internet connection I started digging. First check was my DNS records, but initially nothing seemed off there. I simply forwarded the domain to the servers of GitHub, with a wildcard to also catch any subpage (such as www.immersivepoints.com). That’s unfortunately where the problem was… 在恢复正常网速后,我开始深入调查。首先检查的是 DNS 记录,起初看起来并无异常。我只是将域名转发到了 GitHub 的服务器,并设置了通配符以捕获任何子页面(例如 www.immersivepoints.com)。不幸的是,问题就出在这里……
GitHub pages is an amazing feature of GitHub! It allows you to host a static webpage for your GitHub account, a repository, or just a cool project you want to show off! I use it a lot for my own website and blog (including what you read here), and it enables you to quickly and easily show off projects to friends without messing with individual servers (or even paying for the hosting of projects nobody uses anyways). GitHub Pages 是 GitHub 的一项出色功能!它允许你为 GitHub 账户、存储库或任何你想展示的酷项目托管静态网页。我经常用它来搭建自己的网站和博客(包括你现在读的这篇),它能让我快速轻松地向朋友展示项目,而无需折腾独立的服务器(甚至不必为没人访问的项目支付托管费用)。
Setting up a GitHub page is easy: in your DNS records you point the domain you want to host to the IPs where GitHub hosts your page. On your GitHub repository you configure the URL of your website (which ends up in your repository as a CNAME file). Normally you point one domain to these GitHub servers, and I assumed that only one GitHub user can ‘own’ a domain. That is: I assumed that only I could make subpages for *.immersivepoints.com. I guess I was wrong. 设置 GitHub Pages 很简单:在 DNS 记录中,将你想托管的域名指向 GitHub 托管页面的 IP 地址。在 GitHub 存储库中,配置网站的 URL(这最终会在存储库中生成一个 CNAME 文件)。通常你会将一个域名指向这些 GitHub 服务器,我原以为只有一个 GitHub 用户可以“拥有”一个域名。也就是说,我以为只有我能为 *.immersivepoints.com 创建子页面。看来我错了。
It looks like GitHub always tries to resolve any domain, as long as there is any repository which has this CNAME file. In this case someone set up kafka.immersivepoints.com. They even did this from a private GitHub repository, which means I can’t even flag that specific repository. Because my DNS settings forwarded everything of this domain to GitHub anyone could use or abuse my domain. 看起来只要有任何存储库包含 CNAME 文件,GitHub 就会尝试解析该域名。在这种情况下,有人设置了 kafka.immersivepoints.com。他们甚至是从一个私有存储库中完成的,这意味着我甚至无法举报那个特定的存储库。由于我的 DNS 设置将该域名的所有流量都转发到了 GitHub,任何人都可以使用或滥用我的域名。
This problem is not new, I already found a couple of tools (ironically hosted on GitHub) which would help you find domains which are available to steal! For example, this one: https://github.com/EdOverflow/can-i-take-over-xyz. In my case I don’t know how long my domain has been abused this way, and would have never noticed if I did not set up Google Search Console for myself last month. 这个问题并不新鲜,我已经发现了一些工具(讽刺的是它们也托管在 GitHub 上),可以帮助你找到可以被“窃取”的域名!例如这个:https://github.com/EdOverflow/can-i-take-over-xyz。就我而言,我不知道我的域名被这样滥用了多久,如果不是上个月我为自己设置了 Google Search Console,我永远也不会发现。
In the end I noticed a few more emails from Google Search Console - as in the past weeks I was updating my blog anyways I completely missed these! I hope nobody fell victim to the undoubtedly shitty slot machine scam sites which were hosted on my domain. As Google already has issues indexing my blog and pages I guess not a lot of people will have found these subdomains. 最后,我注意到还有几封来自 Google Search Console 的邮件——因为过去几周我一直在更新博客,完全错过了这些提醒!我希望没有人成为托管在我域名上的那些垃圾老虎机诈骗网站的受害者。由于 Google 在索引我的博客和页面时已经存在问题,我想应该没有多少人会发现这些子域名。
This brings me to the question of “who is at fault here”. I guess I should have better set up my DNS records, but I did not have a good understanding of DNS records (and still don’t really understand them). Personally I think it would be good if there is better verification on the GitHub side of who owns a domain, or which users are allowed to build on top of their subdomains. For example, if two different users want to use the same high level domain, let the first user verify that the other user is allowed to host a GitHub page there. Another option could be adding a specific TXT record on the DNS side for each GitHub user which is allowed to use your subdomain. I’m not sure how big this scam is, but every bit helps! 这引出了一个问题:“到底是谁的错”。我想我应该更好地设置 DNS 记录,但我对 DNS 记录了解不多(现在依然不太懂)。个人认为,如果 GitHub 能在验证域名所有权或允许哪些用户在其子域名上构建内容方面做得更好,那就太好了。例如,如果两个不同的用户想使用同一个顶级域名,可以让第一个用户验证是否允许其他用户在那里托管 GitHub 页面。另一个选择是在 DNS 端为每个被允许使用你子域名的 GitHub 用户添加特定的 TXT 记录。我不确定这种诈骗规模有多大,但任何一点防范措施都有帮助!
Last but not least, I reported the pages to GitHub, and hope that the account which hosts them gets banned! I didn’t hear anything back yet. 最后但同样重要的是,我已经向 GitHub 举报了这些页面,并希望托管它们的用户账户能被封禁!目前我还没有收到任何回复。
Post Scriptum 附言
After writing this blog I re-investigated GitHub custom domains. I did find that you can verify a domain for your user site: https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages. I didn’t spot this feature before, and getting the setting correct is something which is part of your account settings rather than your repository settings. I think GitHub could show a larger flashing warning on the repository settings page if they notice you did not verify your domain, or if they think your DNS is configured incorrectly. 写完这篇博客后,我重新研究了 GitHub 自定义域名。我确实发现你可以为你的用户站点验证域名:https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages。我之前没注意到这个功能,而且正确配置该设置属于账户设置的一部分,而不是存储库设置。我认为,如果 GitHub 检测到你没有验证域名,或者认为你的 DNS 配置不正确,可以在存储库设置页面显示一个更醒目的闪烁警告。