Phishing

The credentials for your Apache account provide access to sensitive information and resources, so you must protect them responsibly. Phishing attacks, in which malicious actors try to steal your credentials, are getting more sophisticated. Sometimes phishing attempts may even appear to be coming from apache.org addresses.

The ASF, its projects, and committees will ask you for your credentials only on websites served over HTTPS under the apache.org domain.
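The rule above can be applied mechanically, for instance when screening links extracted from a suspicious message. The following Python check is an added example, not ASF code; the function names and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "apache.org"  # the only domain the page says may ask for credentials


def is_asf_credential_url(url: str) -> bool:
    """True only for an https URL whose host is apache.org or a subdomain of it."""
    url = url.strip()
    # Browsers read "\" as "/" and drop control characters; urlsplit does not,
    # so refuse anything the two could parse differently.
    if any(c == "\\" or c.isspace() or ord(c) < 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased, with userinfo and port removed
        parts.port             # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or not host or not host.isascii():
        return False           # plain http, no host, or look-alike Unicode letters
    host = host.rstrip(".")    # "www.apache.org." is the same DNS name
    # Compare whole labels: a bare endswith("apache.org") would also accept
    # any other registered domain that merely ends in those characters.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


# Constructed sample links (example.net is a reserved documentation domain).
SAMPLE_LINKS = [
    "https://www.apache.org/",                     # matches the rule
    "HTTPS://WWW.Apache.Org:443/",                 # case and port do not matter
    "http://www.apache.org/",                      # not https
    "https://apache.org.example.net/login",        # apache.org is only a prefix
    "https://www.apache.org@mail.example.net/",    # apache.org is userinfo, not host
    "https://\u0430pache.org/",                    # Cyrillic letter in place of "a"
]


def screen_links(links):
    """Map each link to True (matches the page's rule) or False."""
    return {link: is_asf_credential_url(link) for link in links}


if __name__ == "__main__":
    for link, ok in screen_links(SAMPLE_LINKS).items():
        print(f"{'OK    ' if ok else 'REJECT'} {link!r}")
```

A link that passes this check only satisfies the domain rule stated above; if you are still unsure about the message, the advice on this page to contact the Infra team applies.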

We never send emails with subjects like:

  • 'cPanel delaying incoming messages'
  • 'Important notification: Account password is set to expire'
  • 'ATTENTION: Incoming Pending Messages'
  • 'Action Required!!-Account Update'
  • 'Password Notification for PROJECTNAME on ...'
  • 'Release Blocked Incoming Messages'
  • 'Your [...@apache.org] Rectification'
  • 'Unauthorized Mailbox Log-in Detetced on ...'
  • 'Deactivation of mailbox due to domain expiration'
  • '[14] pending incoming mails'
  • 'Syncing Error - (.) Incoming failed!'

These are phishing attempts; some may even use our imagery and copycat websites. Your best action is to ignore them.

If you are unsure whether an email is actually from the ASF, contact the Infra team - better safe than sorry!

Copyright 2024, The Apache Software Foundation, Licensed under the Apache License, Version 2.0.
Apache® and the Apache feather logo are trademarks of The Apache Software Foundation.