Not just on Twitter. I spent a significant amount of time supporting anti-spam measures at Discord and it is a huge issue for every major site out there. I'm certain I've written this before but writing it again will help me remember it all lol.
Captchas are mostly defeated at this point, and any good spam operation is farming captchas out to humans anyway: there are shady companies that offer an API your script can call to receive a solved captcha token within seconds of a human solving it for you.
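For a sense of how low the bar is, here's roughly what that looks like from the spammer's side. This is a minimal sketch with a made-up endpoint and field names, but the submit-then-poll shape matches how these farm services typically work:

```python
import time
import requests

# Hypothetical captcha-farm API; the URL and fields here are invented,
# but the flow (submit a job, poll until a human solves it) is typical.
FARM_URL = "https://captcha-farm.example.com/api"
API_KEY = "..."

def solve_captcha(site_key: str, page_url: str) -> str:
    # Submit the captcha job; a human worker picks it up on the other end.
    job = requests.post(f"{FARM_URL}/submit", data={
        "key": API_KEY,
        "sitekey": site_key,
        "pageurl": page_url,
    }).json()

    # Poll until a human has solved it, usually within seconds to a minute.
    while True:
        time.sleep(5)
        result = requests.get(f"{FARM_URL}/result", params={
            "key": API_KEY,
            "id": job["id"],
        }).json()
        if result["status"] == "ready":
            return result["token"]  # pasted into the target site's form
```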
Phone verification is still useful because it relies on phone companies / credit card companies verifying an identity, but a fair number of phone carriers around the world either sell their numbers to spammers or are compromised by someone selling their numbers. SIM swaps are also common, which is part of why you should never rely on SMS 2FA: I can pay an underpaid store clerk at T-Mobile to swap your number onto a SIM card for cheap. Twilio tries to make phone verification better by pooling data about completed phone verifications from all of its customers, but this is less focused on spam and more on direct SMS fraud.
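For reference, the legitimate side of this is only a couple of API calls. A rough sketch using Twilio's Verify product (the SIDs and numbers are placeholders; check Twilio's docs for the current interface before relying on this):

```python
from twilio.rest import Client

client = Client("ACXXXXXXXX", "auth_token")  # placeholder credentials
SERVICE_SID = "VAXXXXXXXX"  # a Verify service created in the Twilio console

def start_verification(phone_number: str) -> None:
    # Twilio sends a one-time code over SMS; the Verify product also
    # factors in fraud signals pooled across Twilio's customers.
    client.verify.v2.services(SERVICE_SID).verifications.create(
        to=phone_number, channel="sms"
    )

def check_verification(phone_number: str, code: str) -> bool:
    result = client.verify.v2.services(SERVICE_SID).verification_checks.create(
        to=phone_number, code=code
    )
    return result.status == "approved"
```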
Most other anti-spam measures are variations on a rules engine, where both hand-written rules and machine-learning models try to identify behavior strongly correlated with spammer activity by slurping up every action that happens on the platform and marking anyone who "looks" like a spammer with varying degrees of confidence. This works... okay, depending on the effort and money you put into it.
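A toy version of that shape, assuming a hypothetical account snapshot with precomputed activity counters; real systems layer ML models, feature pipelines, and human review queues on top of this:

```python
from dataclasses import dataclass
from typing import Callable

# Each rule inspects an account's recent activity and contributes a
# confidence weight; accounts above a threshold get actioned or reviewed.

@dataclass
class Rule:
    name: str
    weight: float                      # how strongly this signal implies spam
    predicate: Callable[[dict], bool]  # runs against an account snapshot

RULES = [
    Rule("new_account_mass_replies", 0.6,
         lambda a: a["account_age_days"] < 1 and a["replies_last_hour"] > 30),
    Rule("duplicate_message_bursts", 0.5,
         lambda a: a["max_duplicate_message_count"] > 10),
    Rule("link_in_every_message", 0.3,
         lambda a: a["messages"] > 5 and a["link_ratio"] > 0.9),
]

def spam_score(account: dict) -> float:
    return sum(r.weight for r in RULES if r.predicate(account))

def classify(account: dict, threshold: float = 0.8) -> str:
    score = spam_score(account)
    if score >= threshold:
        return "ban"
    if score >= threshold / 2:
        return "review"  # humans look at the borderline cases
    return "ok"
```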
There's also private access tokens, which are essentially a captcha alternative where Apple/Google cryptographically confirm that you own a valid piece of their hardware (i.e. you're not a bot on a cloud server), have an account in good standing on their services, haven't been rate limited by them, etc. This is essentially streamlined phone verification, except the company that made your device did the identity check back when you bought it and set up your account. It has good potential as verification, but there are serious concerns about whether third-party browsers can support it, and about handing the job of identity verification, and control over who can access which websites, to Google and Apple.
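Mechanically it's an HTTP auth scheme: the server challenges, the device vendor attests on the client's behalf, and the server verifies a token without learning who the user is. A very simplified server-side sketch; the helper functions are placeholder stubs and the header contents are simplified stand-ins for the real base64url-encoded structures:

```python
from flask import Flask, request

app = Flask(__name__)

def build_challenge() -> str:
    # Placeholder: a real challenge is a structured, base64url-encoded blob.
    return "redemption-context-goes-here"

def verify_against_issuer_key(token: str) -> bool:
    # Placeholder: a real check verifies a blind signature against the
    # token issuer's published public key.
    return False

@app.get("/gated")
def gated():
    auth = request.headers.get("Authorization", "")
    if auth.startswith("PrivateToken token="):
        token = auth.split("token=", 1)[1]
        if verify_against_issuer_key(token):
            return "welcome, probably-human"
    # No valid token: challenge the client. Apple/Google hardware attests
    # to the device and returns a token, without telling us who the user is.
    resp = app.make_response(("token required", 401))
    resp.headers["WWW-Authenticate"] = (
        f'PrivateToken challenge="{build_challenge()}", token-key="<issuer-key>"'
    )
    return resp
```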
The general framework for anti-spam isn't to stop it perfectly; it's to make bypassing your verifications more expensive than the profit the spammer stands to make by doing so. That's how Twitter ends up with subscriptions and charges for new accounts: the revenue is a nice-to-have (and not necessarily profit, given the money already being lost to spammers), but the real point of the charge is to offset how cheap creating and operating spam accounts keeps getting, because it's still profitable to do so.
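A back-of-the-envelope version of that economics, with made-up numbers:

```python
# Spammer economics: the defense "works" once the cost of the surviving
# accounts exceeds the revenue they bring in. All numbers are invented.
accounts = 10_000
cost_per_account = 0.50        # phone numbers, captcha farms, proxies, labor
ban_rate = 0.90                # fraction of accounts caught before paying off
revenue_per_surviving = 8.00   # what each account that survives earns

surviving = accounts * (1 - ban_rate)
profit = surviving * revenue_per_surviving - accounts * cost_per_account
print(profit)  # 3000.0: still profitable, so raise costs or the ban rate
```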
But why doesn't Twitter just do some simple things, like immediately banning any account that posts "pussy in bio" replies on random tweets?
- Possibly incompetence or planning gridlock blocking someone from making the change.
- Spam may not be hurting Twitter's top-line metrics enough to bother (i.e. people don't hate it enough to stop using Twitter in meaningful numbers); in that case, the anti-spam measures really are just using spam as a justification for profit extraction.
- It may be prohibitively expensive to run a rule like that on every single tweet in real time; they might still be doing this kind of analysis in batches, so spam accounts only get banned after a few hours.
- It's pretty easy for spammers to notice when a rule that straightforward is blocking them, after which they'll improve their bots to post more randomized phrases (see the sketch after this list). We would occasionally skip rules that were easy and costless for spammers to bypass, since they were mostly a waste of time compared to working on rules that were harder to get around.
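As an illustration of that last point, here's a keyword rule of exactly that kind and the trivial randomization that defeats it (the phrasing variants are invented for the example):

```python
import random
import re

# Why obvious keyword rules decay: the rule catches today's bots, the
# operator notices the bans, and the next batch randomizes the phrase.
RULE = re.compile(r"pussy in bio", re.IGNORECASE)

def naive_spam_check(text: str) -> bool:
    return bool(RULE.search(text))

# v1 bot: caught instantly.
print(naive_spam_check("pussy in bio"))            # True

# v2 bot: same pitch, trivially randomized, sails past the rule.
templates = ["p*ssy in my b1o", "check my bi0 ;)", "look in my pr0file"]
print(naive_spam_check(random.choice(templates)))  # False
```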
The greater trend here is the same as with LLMs: the internet is accumulating waste faster than our ability to identify it can keep up. That will remain true as long as large, centralized "communities" are the norm. IMO the best way out at this point is to invest in smaller, more localized communities. Spam is profitable despite a terrible conversion rate because spammers can reach everyone at once; the ROI on a small server or website isn't high enough to be worth targeting, which by extension makes small servers and websites a great way to disincentivize spammers.
I love explanations of why the "why don't they just" solutions aren't as surefire as they may seem.
