T-Mobile: Are you blocking specific words and suspending accounts? (reddit.com)
Someone1234 1363 days ago [-]
There are two different but both problematic things here:

- Really poorly written spam detection.

- Failure to notify customers/no remediation procedure.

No doubt people will bring up "but then the spammers will know!!" Or similar, but honestly spammers are already limited by the cost of buying SIM cards ($5/ea), and I feel like customers being negatively impacted outweighs the minor benefit to spam-fighting (particularly when spammers could buy a single second number and detect this 100% of the time anyway).

Plus I'd be pretty upset if I was a customer paying for service, and I lost access to a part of that service for 10 days because I sent the word "butt" in a conversation. I'd feel particularly irritated if I wasn't told that my messages weren't delivered, and vital ones were just going into a void.

drtillberg 1363 days ago [-]
For SaaS like Strava or something, I'm agnostic whether the notice should come before the shut-off alleging a TOS violation. For cellular service though, SMS is integral to life. 911 even accepts SMS. Imagine T-Mobile silently dropping 911 SMS communications because someone texted the wrong word? Which isn't even in the TOS?

This is like dangling chum in the water, waiting for a big shark to chomp your leg, T-Mobile and whatever individual engineer came up with this.

ThePowerOfFuet 1362 days ago [-]
Did anyone allege that sending SMS to 911 was affected?
edoceo 1362 days ago [-]
No, we were just asked to imagine the effects of this poor implementation on emergency services.
t-writescode 1362 days ago [-]
Which is something that should be considered before writing this stuff and hopefully a T-Mobile engineer reads Hacker News to be encouraged to think about that and check it.
makethetick 1363 days ago [-]
Bulk SMS spam would most likely come from someone with direct signalling access and not from individual SIM cards which would be trivial to detect and block by the operator.
nullc 1362 days ago [-]
> which would be trivial to detect and block by the operator.

Problem solved! https://www.aliexpress.com/item/4000124061983.html

makethetick 1362 days ago [-]
Wow, pretty inventive! You can get similar devices which plug into a computer and would be a lot easier.
jasonjayr 1363 days ago [-]
It is trivial, even for someone not that technically oriented, to send a mass SMS from Android, with the appropriate app. Since it's easier to sideload on Android, it would be even easier for a malicious spammer to pay people to install sketchy APKs that spam from the user's phone relentlessly.
makethetick 1362 days ago [-]
This would be simple for the user to execute but it would very quickly be spotted by the operator as it's all from a single originating MSISDN. Spreading the load over many users like your latter example would be a lot harder to spot, as would spamming through multiple SMS providers as you're diluting it (but it might also get picked up by the provider e.g. Twilio, MessageBird etc).

My point was that most spam originates from people with SS7 access and not SIM cards. It can also come through low cost SMS providers but is short lived as it's blocked the moment it's discovered or there's a complaint.

jasonjayr 1362 days ago [-]
How does one even obtain SS7 access w/o an AUP forbidding this kind of abuse? Or are the Telco owners making more money not caring @ that connection level?
seba_dos1 1362 days ago [-]
What's more, all you need is a broadband dongle and you can send SMS with a simple script straight from your PC - but as others already said, it's hardly a real source of spam.
jcrawfordor 1362 days ago [-]
I think there's an increasing amount of SMS spam being sent by random compromised consumer devices, which is probably what drove T-Mobile to take this sort of desperate measure. It would seem like notifying the customer is even more warranted in this case, though.
Geezus_42 1363 days ago [-]
The only SMS spam I ever get is from email addresses...
tyingq 1363 days ago [-]
PayPal has a similar problem. They do really loose string matching on the OFAC list[1], for any data, in any payment field...even a comment. Match a magic string in a comment, and your PayPal account gets locked down in a way that's very hard to undo.

[1] https://www.treasury.gov/resource-center/sanctions/sdn-list/...

vultour 1362 days ago [-]
Yeah this was a big thing back in the heyday of CSGO skin trading. Putting the word "damascus" into a transaction comment would get your account locked.
myself248 1362 days ago [-]
Which seems inept, as "Damascus steel" is a sought-after material for knife blades.
andybak 1362 days ago [-]
How loose is the string matching? That list looks full of incredibly common names from around the world.
tyingq 1362 days ago [-]
It seems pretty damn loose, but of course, it's hard to test since the outcome ruins your PayPal account. I found this: https://m.imgur.com/a/RnpRm
WrtCdEvrydy 1362 days ago [-]
That's what the SDN list really is, just some common names of people, organizations and countries.

It's up to you to figure out how to turn that into not selling to the wrong people and going to prison.

tyingq 1362 days ago [-]
True, but that doesn't seem like a good excuse for a dumb grep-ish solution on all fields.

Some smart terrorist is going to legally change their name to "Thank You" and screw PayPal :)
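
Added example, not part of the thread and not PayPal's code: a grep-style substring match over every payment field next to a whole-token match limited to party-name fields, with hits routed to manual review instead of an account lock. The watchlist terms, field names and records are constructed for illustration and are not taken from the real SDN list.

```python
import re

# Constructed watchlist for illustration; NOT entries from the real SDN list.
WATCHLIST = {"damascus", "cuba", "isis"}

# Constructed payment record; the field names are hypothetical.
PAYMENT = {
    "payer_name": "Alice Example",
    "payee_name": "Parisis Bakery",
    "comment": "Damascus steel chef knife, thanks for the Cuban sandwich",
}

NAME_FIELDS = ("payer_name", "payee_name")


def naive_hits(payment):
    """Grep-style: case-insensitive substring match over every field."""
    hits = []
    for field, value in payment.items():
        for term in WATCHLIST:
            if term in value.lower():
                hits.append((field, term))
    return sorted(hits)


def scoped_hits(payment):
    """Whole-token match, restricted to the party-name fields."""
    hits = []
    for field in NAME_FIELDS:
        tokens = set(re.findall(r"[a-z0-9]+", payment.get(field, "").lower()))
        hits.extend((field, term) for term in WATCHLIST & tokens)
    return sorted(hits)


def decide(payment):
    """Send name hits to a human reviewer rather than locking the account."""
    return "manual_review" if scoped_hits(payment) else "allow"


if __name__ == "__main__":
    print("naive :", naive_hits(PAYMENT))   # three false positives
    print("scoped:", scoped_hits(PAYMENT))  # no hits
    print("action:", decide(PAYMENT))
```

Token matching on name fields still flags an innocent party whose name is a listed word, which is why the last step is a review queue and not an automatic lock.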

WrtCdEvrydy 1362 days ago [-]
Because there's no downside to doing it this way while a lot of upside for 'being tough on terrorism'.

Good luck if someone sends you a payment for 'Cuban food' or 'Iranian Weapons of Mass Destruction'

Shank 1362 days ago [-]
There’s already a story about Venmo seizing money from someone who used “ISIS beer funds” in a comment: https://www.inverse.com/article/13700-i-wrote-isis-beer-fund...
tyingq 1362 days ago [-]
USA Family owned dance studio: https://imgur.com/a/QjQYCst

Imagine the bullshit they've had to deal with, on many angles.

Hippocrates 1363 days ago [-]
This is a great reminder to switch from SMS to something that is e2e encrypted.
gallego2007 1362 days ago [-]
I was thinking the exact same thing. I need to convince a few family members to ditch SMS... unfortunately some businesses (like apartment buildings) still use SMS to communicate, so it’ll probably be a while before we fully move away from this medium.
simonebrunozzi 1362 days ago [-]
T-mobile is a joke. I lost my @simon Twitter account [0] because of T-mobile's and Twitter's utter incompetence, and it took me more than 3 months to regain control of it.

The way the attacker gained control of my phone number should have never been possible. I'm still a customer, why? Because there's no better alternative in the US, although I'm pondering Google Fi at the moment. Thoughts?

[0]: https://medium.com/@simon/mobile-twitter-hacked-please-help-...

woofie11 1362 days ago [-]
If you don't mind losing your phone number forever, Google Fi is a great option!

If Google Pay suspects fraud, it locks your account. Google Fi isn't paid for. Google locks your phone number from being ported out forever. Empowered human support wouldn't be Googley, so it's usually locked out forever.

T-Mobile isn't very competent, but at least, they provide humans who can fix things, eventually, once they figure out what they're doing.

organman91 1362 days ago [-]
It's just a single phone, but Google Fi has worked pretty well for my use case. I was impressed how well it worked when I went on vacation to Canada last year. If you don't need to have a half-dozen devices on one account there's really very little that gets you as much bang for your buck - unless I'm really burning through data my bill is usually $30/month.
timeinput 1363 days ago [-]
I ran into this a few months ago when texting the phrase "work from home"; it was really strange. We rationalized it with the spam / phishing thought process, but it still seems wrong for the carriers to block messages so poorly.

It makes me wonder if I really want them filtering 'spam' calls.

tinfoil hat maybe that's their end game!

dzhiurgis 1361 days ago [-]
“Learn to code” is harassment on twitter
jasode 1363 days ago [-]
From the scant details about the word "BELLY" triggering the blocks, it looks like some hypothesize it's a "Scunthorpe" type of programming bug:

https://en.wikipedia.org/wiki/Scunthorpe_problem

jessaustin 1363 days ago [-]
I don't see "cunt" or any similar string anywhere in the string "belly". As mentioned at TFA, this is more likely some sort of naive Bayes filtering since "belly" is often seen in "lose belly fat fast!" etc.
tyingq 1363 days ago [-]
The article reads like it's much less sophisticated than Bayes. Perhaps just "x messages that have belly in them over y time period". Where either x is too small, or y is too big.
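
Added example, not part of the thread: a sketch of the rule guessed at above ("x messages that have belly in them over y time period"), showing how the choice of x and y decides whether an ordinary conversation is flagged. The function name, thresholds and message samples are constructed; nothing here is known to be T-Mobile's actual logic.

```python
import re
from collections import deque


def first_flag(events, keyword, x, y_seconds):
    """Return the timestamp at which the sender has sent x messages containing
    `keyword` within the last y_seconds, or None if that never happens."""
    window = deque()  # timestamps of keyword messages still inside the window
    for ts, text in events:
        if keyword not in re.findall(r"[a-z]+", text.lower()):
            continue
        window.append(ts)
        # Drop keyword messages that have aged out of the y-second window.
        while window[0] <= ts - y_seconds:
            window.popleft()
        if len(window) >= x:
            return ts
    return None


# Constructed samples: (seconds since first message, text).
CHAT = [
    (0, "my belly hurts"),
    (3600, "lunch?"),
    (90000, "belly rub for the dog"),
    (170000, "Belly laughs all night"),
]
SPAM = [(i * 10, "lose belly fat fast!") for i in range(50)]

LOOSE = dict(x=3, y_seconds=7 * 86400)  # x too small, y too big
TIGHT = dict(x=20, y_seconds=3600)      # burst-oriented threshold

if __name__ == "__main__":
    for name, events in (("chat", CHAT), ("spam", SPAM)):
        print(name, "loose:", first_flag(events, "belly", **LOOSE),
              "tight:", first_flag(events, "belly", **TIGHT))
```

With the loose setting the two-day personal conversation is flagged on its third "belly" message; with the tight setting only the burst is flagged.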
LanceH 1362 days ago [-]
I would guess it is aimed at "reduce belly fat" spam.
chevman 1363 days ago [-]
T-Mobile has also not been approving new short codes on their network since earlier this year. Frustrating for folks trying to execute legit SMS comms.
toomuchtodo 1363 days ago [-]
Use case(s)? I’ve had success working with financial services firms moving their comms from short code to push notifications in app. Always curious who is still using bulk SMS and for what.
ryukafalz 1363 days ago [-]
As someone who dabbles in alternative mobile OSes (and would like to switch to one full-time again soon), it's frustrating when there isn't a fallback option to standard protocols. Thankfully email/SMS are still fairly ubiquitous, but I don't like the idea of that going away for something important like banking and being locked into one of the big two platforms.
toomuchtodo 1363 days ago [-]
Godspeed. SMS is unlikely to ever improve, consider more durable alternatives.
ryukafalz 1362 days ago [-]
Email is fine too! Or maybe RCS in the future, though I’m not sure if there’s a free RCS stack anywhere yet. But honestly, though I rarely use SMS for personal communication these days, it makes a pretty good fallback, and it’s damn near ubiquitous.
zachrose 1363 days ago [-]
I’ve been developing SMS chatbots and using my T-Mobile phone for testing. They will also drop messages that contain URLs, although the rules for which TLDs are allowed are hard to reverse engineer, much less rationalize. Last I remember, .club URLs are blocked, .com is allowed, and bit.ly is allowed.
foob 1363 days ago [-]
I recently ran into this sort of filtering when trying to share an AI Dungeon .link URL with a friend. It's kind of crazy that entire TLDs are blocked without any indication or warning.
vincentmarle 1363 days ago [-]
Hmm I suspect this could be related to Branch links, because their default deep link domain is app.link
willvarfar 1362 days ago [-]
Tangent: tell us about your dungeon! How does it work, are you happy with it etc? Links you can share?

Show HN of course!

ta1234567890 1363 days ago [-]
Verizon also blocks messages based on the urls they contain. Not sure about specific TLDs, but surely whole domains. Discovered this by running a service that sends a lot of messages through Twilio. Not sure if you would ever be notified of the block when sending from your phone.

In my opinion it's not really to block spam, but instead to push message senders to buy the carrier's more expensive shortcode option.

rsync 1362 days ago [-]
... which can’t be reached from Twilio, since Twilio numbers are not actual mobile numbers.
zachrose 1362 days ago [-]
What is it that can't be reached from Twilio? Carrier short codes?
rsync 1362 days ago [-]
Correct. Twilio does not give out any proper mobile phone numbers. Therefore you cannot send SMS from a Twilio number to a short-code.
dogma1138 1363 days ago [-]
Are US carriers even allowed to do this?
Scoundreller 1363 days ago [-]
Bell and Telus in Canada we’re doing this. But only if your SMS contained the term « secure message ». Strange to say the least.
lgats 1362 days ago [-]
Do you mean 'we are doing this' or 'were previously doing this'?
speedgoose 1363 days ago [-]
Facebook Messenger does the same with some porn links.
wdr1 1362 days ago [-]
TL;DR: spam detection is hard
njarboe 1362 days ago [-]
Charge people not in your contact list 10 cents to message you. 5 cents goes to you and 5 cents to the carrier. Problem solved. I would love this for messages and phone calls (and emails while we are at it).
loeg 1363 days ago [-]
Tangentially related, Reddit deletes posts and suspends accounts for three days if the address "[redacted]" (rot13) is posted. (It's the not-very-secret address of the Seattle Mayor's giant lakeside house.)
TheAdamAndChe 1362 days ago [-]
Doxxing is disallowed...
freehunter 1362 days ago [-]
Yeah and Reddit’s definition of doxxing includes names, even of public figures, so the home address (secret or not) of a public figure is not going to be allowed under that same policy. That’s why you’ll see Twitter handles blacked out in Reddit posts, because otherwise the post will be deleted.