Let me try this one more time: the people running these networks are not using hacked WiFi or single internet connections or even IP addresses that have poor reputations in any available system that a site can hook into any kind of reputational check. We already do the things you are suggesting, and we have for years. These tactics no longer work, because spam is a trillion-dollar industry and there is more than enough money sloshing around in the ecosystem to build systems that evade even the most sophisticated reputational checks. The people who run these networks have a massive supply of IP addresses from multiple netblocks, from multiple providers, that are completely clean in every reputational database, and they use them until they start building up negative reputation and then pass them along to someone else to deal with the shit reputation while they move on to the next group of clean ones. I guarantee you that if I pulled the IPs of our last 100 spam accounts, every single one of them will have a cleaner reputation than the IP address you are currently using. Because they stop using them when they start accumulating negative reputation.
We are not talking "hacked wifi" or "scam ISP" here. We are talking people operating out of buildings that have multiple network drops from multiple providers with multiple completely clean reputations. For shits and giggles I tracked the network origins of our spam account creations from Bangladesh for about a week, because Bangladesh has a small number of ISPs, they're all licensed by the government, and you can get a list of the current license holders and therefore an accurate and complete list of all ISPs operating in the country. At the time I did that, there were about 130 ISPs licensed to operate in Bangladesh. We saw spam from over 100 of them.
Likewise, if your only understanding of toll fraud comes from a Google search and reading a surface-level article by a provider of SMS verification services with a vested interest in assuring the reader that the problem is not as bad as it actually is, you do not understand the problem well enough to be making suggestions for it. Up until Elon Musk bought it and laid them all off, Twitter had a team of about 20 engineers whose full-time duty it was to minimize the amount of money Twitter loses annually to toll fraud, which, as of my last information (since everyone I knew at Twitter got laid off) was eight figures a year -- and that's with aggressive engineering work to detect and prevent it. Add that to the fact SMS verification does nothing to actually prevent spam, because the networks we are talking about have access to an infinite number of phone numbers and the hardware setups needed to swap them instantly. SMS verification is not a spamfighting tool and hasn't been since at least 2015. It is expensive, it is a privacy nightmare, and it does nothing to fix the problem.
Site behavior is also not an accurate spam detection system. We already do it! We have for years! It detects less than 5% of spam account creation, and some days less than 1%. We have spent the last two years building increasingly sophisticated detection and prevention systems, both using in-house tools and demoing various externally available systems. We have found one option that was better than a 50% hit rate, and it was a) around 60% and b) also would be a massive privacy nightmare to actually implement.
You do not understand the scope of the problem, the sophistication of the operations that are involved, the cost of every single system that exists to address the problem (and how bad every single one of them are at actually detecting spam), or the sheer volume of garbage we're talking about. Between Mark's and my contacts, we probably know at least half of the top 100 people in the world at dealing with this problem at scale, and we have talked the issue out with them extensively. The suggestions you are making are easy, obvious, and don't work to solve the problem because they are the attack methods everyone was using to fight spam a decade ago and the spammers already adapted to them.
no subject
Let me try this one more time: the people running these networks are not using hacked WiFi or single internet connections or even IP addresses that have poor reputations in any available system that a site can hook into any kind of reputational check. We already do the things you are suggesting, and we have for years. These tactics no longer work, because spam is a trillion-dollar industry and there is more than enough money sloshing around in the ecosystem to build systems that evade even the most sophisticated reputational checks. The people who run these networks have a massive supply of IP addresses from multiple netblocks, from multiple providers, that are completely clean in every reputational database, and they use them until they start building up negative reputation and then pass them along to someone else to deal with the shit reputation while they move on to the next group of clean ones. I guarantee you that if I pulled the IPs of our last 100 spam accounts, every single one of them will have a cleaner reputation than the IP address you are currently using. Because they stop using them when they start accumulating negative reputation.
We are not talking "hacked wifi" or "scam ISP" here. We are talking people operating out of buildings that have multiple network drops from multiple providers with multiple completely clean reputations. For shits and giggles I tracked the network origins of our spam account creations from Bangladesh for about a week, because Bangladesh has a small number of ISPs, they're all licensed by the government, and you can get a list of the current license holders and therefore an accurate and complete list of all ISPs operating in the country. At the time I did that, there were about 130 ISPs licensed to operate in Bangladesh. We saw spam from over 100 of them.
Likewise, if your only understanding of toll fraud comes from a Google search and reading a surface-level article by a provider of SMS verification services with a vested interest in assuring the reader that the problem is not as bad as it actually is, you do not understand the problem well enough to be making suggestions for it. Up until Elon Musk bought it and laid them all off, Twitter had a team of about 20 engineers whose full-time duty it was to minimize the amount of money Twitter loses annually to toll fraud, which, as of my last information (since everyone I knew at Twitter got laid off) was eight figures a year -- and that's with aggressive engineering work to detect and prevent it. Add that to the fact SMS verification does nothing to actually prevent spam, because the networks we are talking about have access to an infinite number of phone numbers and the hardware setups needed to swap them instantly. SMS verification is not a spamfighting tool and hasn't been since at least 2015. It is expensive, it is a privacy nightmare, and it does nothing to fix the problem.
Site behavior is also not an accurate spam detection system. We already do it! We have for years! It detects less than 5% of spam account creation, and some days less than 1%. We have spent the last two years building increasingly sophisticated detection and prevention systems, both using in-house tools and demoing various externally available systems. We have found one option that was better than a 50% hit rate, and it was a) around 60% and b) also would be a massive privacy nightmare to actually implement.
You do not understand the scope of the problem, the sophistication of the operations that are involved, the cost of every single system that exists to address the problem (and how bad every single one of them are at actually detecting spam), or the sheer volume of garbage we're talking about. Between Mark's and my contacts, we probably know at least half of the top 100 people in the world at dealing with this problem at scale, and we have talked the issue out with them extensively. The suggestions you are making are easy, obvious, and don't work to solve the problem because they are the attack methods everyone was using to fight spam a decade ago and the spammers already adapted to them.