Phishing

The credentials for your Apache account provide access to sensitive information and resources, so you must protect them responsibly. Phishing attacks, in which malicious actors try to steal your credentials, are getting more sophisticated. Sometimes phishing attempts may even appear to be coming from apache.org addresses.

The ASF, its projects, and committees will only ask you for your credentials on websites served over https under the apache.org domain.

We never send emails with subjects like:

  • 'cPanel delaying incoming messages'
  • 'Important notification: Account password is set to expire'
  • 'ATTENTION: Incoming Pending Messages'
  • 'Action Required!!-Account Update'
  • 'Password Notification for PROJECTNAME on ...'
  • 'Release Blocked Incoming Messages'
  • 'Your ...@apache.org Rectification'
  • 'Unauthorized Mailbox Log-in Detetced on ...'
  • 'Deactivation of mailbox due to domain expiration'
  • '[14] pending incoming mails'
  • 'Syncing Error - (.) Incoming failed!'

These are phishing — some may even use our imagery and copycat websites. Your best actions are to:

  • not respond to the email
  • forward the message, with full headers, to root@apache.org.

Further,

  • Do not divulge your credentials to any service outside of apache.org.
  • In any email claiming to come from an apache.org address, do not click on any 'reset' or 'reauthenticate' links. We never ask you to do this.
  • If you think you have been a victim of phishing, reset your ASF password at id.apache.org.

If you are unsure whether an email is actually from the ASF, contact the Infra team. Better safe than sorry!

Copyright 2024, The Apache Software Foundation, Licensed under the Apache License, Version 2.0.
Apache® and the Apache feather logo are trademarks of The Apache Software Foundation.