acori

I liked it here.

There was a lot I never got to explore here. It was cool watching everyone else though. Maybe someday I'll open up like that too.


website (RSS and cohost shrine will be added after read-only)
acorisage.neocities.org/

Osmose
@Osmose

Not just on Twitter. I spent a significant amount of time supporting anti-spam measures at Discord and it is a huge issue for every major site out there. I'm certain I've written this before but writing it again will help me remember it all lol.

Captchas are mostly defeated at this point, and any good spam operation is farming things like captchas out to humans anyway: there are shady companies that offer an API that your script can call and receive a solved captcha code within seconds after a human solved it for you.

Phone verification is still useful because it relies on phone companies / credit card companies verifying an identity, but there are a fair number of phone carriers around the world that either sell their numbers to spammers or are compromised by someone selling their numbers. SIM swaps are also common, which is part of why you should never rely on SMS 2FA since I can pay an underpaid store clerk at T-Mobile to swap your number into a SIM card for cheap. Twilio tries to make phone verification better by combining data about completed phone verifications from all their customers but this is less focused on spam and more on direct SMS fraud.

Most other anti-spam measures are variations on a rules engine where both manual and machine-learning algorithms try to identify behavior that is strongly correlated with spammer activity by slurping up every action that happens on the platform and marking anyone who "looks" like a spammer with varying degrees of confidence. This works... okay, depending on the effort and money you put into it.

There's also private access tokens, which are essentially a captcha alternative where Apple/Google confirm via cryptography that you own a valid piece of their hardware (i.e. you're not a bot on a cloud server), have an account in good standing on their services, haven't been rate limited by them, etc. This is essentially streamlined phone verification but the company that made your device is the one doing the verification at the time of purchase. This has good potential in terms of verification, but there are serious concerns around the ability for third party browsers to support this and around handing the job of identity verification and control over who can access which websites to Google and Apple.

The general framework for anti-spam isn't to stop it perfectly, it's to make it more expensive to bypass verifications than the profit you stand to make by doing so. That's how Twitter ends up with subscriptions and charging new accounts—the potential profit is a nice-to-have (but not necessarily profit given the money being lost to spammers in the first place) but the cost is more about offsetting how creating and operating spam accounts keeps becoming cheaper and it's still profitable to do so.

But why doesn't Twitter just do some simple things like ban any accounts that post pussy-in-bio on random tweets immediately?

  • Possibly incompetence or planning gridlock blocking someone from making the change.
  • Spam may not be hurting Twitter's topline metrics (i.e. people don't hate it enough to stop using Twitter in meaningful numbers) enough to bother—instead anti-spam measures really are just using spam as a justification for profit extraction.
  • It may be prohibitively expensive to run a rule like that on every single tweet immediately—they might still be doing this kind of analysis in batches so spam accounts get banned after a few hours.
  • It's pretty easy for spammers to notice when a rule as straightforward as that is blocking them, after which they'll improve their bots to post more randomized phrases—occasionally we would avoid rules that were easy to bypass and had no serious cost to avoid since they were mostly a waste of time vs working on rules that were harder to avoid.

The greater trend here is the same as with LLMs: The internet is accumulating waste faster than our ability to identify it can manage. This will remain true as long as large, centralized "communities" are the norm. IMO the best way to avoid this at this point is to invest in smaller, more localized communities. Spam is profitable despite a poor conversion rate because they can reach out to everyone—the ROI on small servers or websites isn't high enough to be profitable, and by extension small servers or websites are a great way to disincentivise spammers.
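A sketch of the rules-engine idea described in this post, as an added example that is not from the post's author or any platform's real system: several weak behavioral signals are combined into one confidence score, and only high confidence triggers a ban while the middle band goes to review. The account fields, rule names, weights and thresholds are all assumptions chosen for illustration; the signals themselves echo ones mentioned in this post and in the replies to it.

```python
import math
import re
from dataclasses import dataclass, field

@dataclass
class Account:  # constructed schema, not any platform's real data model
    handle: str
    original_posts: int = 0
    replies: list = field(default_factory=list)
    private_follow_requests: int = 0  # pending requests to private accounts
    mutuals_with_targets: int = 0     # shared connections with those accounts

# (name, weight, predicate); weights are illustrative log-odds, not tuned values
RULES = [
    ("name_plus_digits", 0.8,
     lambda a: re.fullmatch(r"[A-Za-z]+\d{5,}", a.handle) is not None),
    ("reply_only", 1.2,
     lambda a: a.original_posts == 0 and len(a.replies) >= 5),
    ("bio_lure_replies", 2.5,
     lambda a: sum("in bio" in r.lower() for r in a.replies) >= 3),
    ("cold_private_follows", 1.5,
     lambda a: a.private_follow_requests >= 10 and a.mutuals_with_targets == 0),
]
BIAS = -3.0  # prior: the large majority of accounts are not spam

def score(account):
    """Combine every matching rule into one confidence in [0, 1]."""
    hits = [(name, w) for name, w, pred in RULES if pred(account)]
    logit = BIAS + sum(w for _, w in hits)
    return 1 / (1 + math.exp(-logit)), [name for name, _ in hits]

def decide(account, ban_at=0.9, review_at=0.5):
    """Ban only on high confidence; mid confidence goes to human review."""
    conf, hits = score(account)
    action = "ban" if conf >= ban_at else "review" if conf >= review_at else "allow"
    return action, round(conf, 2), hits

# Constructed sample accounts
SAMPLES = [
    Account("Jessica8841027", 0, ["link in bio"] * 6, 40, 0),  # naive bot
    Account("Jessica8841028", 0, ["so true", "lol", "wow", "nice", "omg"], 40, 0),  # phrases randomized
    Account("maria84721", 0, ["congrats!", "same", "love this", "haha", "agreed"]),  # human lurker
]

def run_batch(accounts):
    """Batch pass, as a periodic job would run it rather than per-post."""
    return {a.handle: decide(a) for a in accounts}
```

The bot that randomizes its phrases slips past the cheap text rule but still lands in review on behavior alone, while the human who happens to match two weak signals stays below both thresholds.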


brainwane
@brainwane

I love explanations of why the "why don't they just" solutions aren't as surefire as they may seem.



in reply to @Osmose's post:

I wonder about this a lot - it seems like the bulk of these bots on Twitter could be identified on the basis of their behaviors, but never having actually worked in that particular field, IDK what I'm missing.

A bunch of GirlNameBunchOfNumbers accounts that have follow requests out to private accounts they have no network adjacency with? Accounts which only ever reply random bullshit and never actually post?

But who knows. In Twitter's case now, I suppose this is fine for Myself since it's been monetized.

Yeah, the bulleted list near the bottom of the post addresses why they might not be doing the obvious thing, because you're right: it would not be difficult to come up with the rules.

I mean, it seems easy, but I've done enough work to know false positives are a lot easier to get, and harder to notice, than we might assume.

And if you have to provide an appeal mechanism, the bots could use it too... I get exhausted just thinking about it

I signed up to Twitter and had to complete twenty captchas before I was allowed to sign up. After signing up, I was also not allowed to post comments on tweets for a while. Following this, I, a (-n ostensibly) human, received multiple follows every day from bot accounts (usually with women's profile pictures and usually with zero tweets).

The current methods seem to not affect bots at all, and make everything worse for actual people.

But at this point, I'm kind of feeling like an accelerationist who just wants the current internet to die so the new internet can be here. This shit don't work.

"The current methods seem to not affect bots at all, and make everything worse for actual people."

One thing I can say confidently is that the current methods do affect bots, it is simply that there is so much spam that the ones that get through still are enough to net you multiple follows a day if you are in their sights. They're not nearly enough, but they are not useless.

(Interestingly, my main Twitter account has only gotten maybe 5 spam follows in the past year while my alt gets 5 a day, the circumstances under which you get noticed and hit by bots shooting out follows are random and unknowable.)
