
Ask HN: How to prevent abuse of free service costing money to website? - rakjosh
I run a website (https://freephonenum.com/send-text) that allows people to send FREE SMS worldwide. I started this service a little over 1 year ago to allow our remote dev team to test sending and receiving SMS to and from a US number.

After a few months, I realized that a lot of people needed that service; I started getting organic traffic to my site.

But recently I've been seeing a few people who are trying to abuse the system. They are sending 1000s of texts using my website, which costs me a lot of money. I still want to keep the service because it is useful for so many people; I don't want to shut down the service because of just a few evil people.

Here are a few things I tried that didn't work:
1. Google captcha
2. Restricted the number of texts that can be sent from one IP every day.
3. Don't allow people to send the same text more than 3 times a day.
4. Disabled error messages on the site so the abuser would not know if the texts are actually going out or not (always gives a success message).

Things I know the abuser is doing:
1. Changes IP address for each request.
2. Manually solves the captcha.
3. Adds a random string at the start and end of the message (so that it's not treated as a duplicate message by my system).
4. Somehow the abuser is able to send 1.5K texts every hour (I'm not sure how). I know it's manual because there is like a 15 second lag.
5. Sample texts:
"KREDIT VSEM, LYuBIE SUMMI. Rabotaem s dolzhnikami! t. 89879141731 k1FpLt"
"KREDIT VSEM, LYuBIE SUMMI. Rabotaem s dolzhnikami! t. 89879141731 op0vF0"
======
mikebos
It may seem obvious, but add a registration through OAuth providers like
Google and Facebook. It should trim down the amount without a lot of impact, I
guess.

If all that abuse is in Russian you might just try to deny service if Russian
language is used or add an extra hurdle like browser fingerprinting and
rejecting the combo language + fingerprint within a timeframe.

Depending on your user demographic you could also use a reputation system for
ip's. Trusted no delays, untrusted delayed for 10 minutes and if something
similar is found within that timeframe (use regex) drop the message.

~~~
dyeje
This. Require auth, it also allows you to add stuff like rate limiting per
account to further prevent abuse.

------
neeksHN
As a catch-all you could start regexing messages' content and deny the abuser
if one of their common patterns matched -- you'll still be in a never-ending
game of cat and mouse.

There's also the possibility of false positives, which might mean some of your
users' benign messages get rejected. Over time you could even start to
integrate ML and NLP, which would hopefully limit the amount of manual
oversight needed to detect spam in the future.

------
peterjsmith
Not sure if this is something you've tried or not, but doing a fuzzy match on
the text string might be a way to go. If there is more than a 90% match on the last
10 messages you can block the message that is being sent. You
might need to think through other criteria to make sure you don't block
legitimate texts being sent.
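A worked version of this fuzzy-match rule, added here as an example (not code from the thread): it strips the short random token the original post says the abuser adds at the start or end of each text, then blocks anything that scores 90% or more against the last 10 messages. The sample texts are constructed from the two quoted in the post, and the two verification-code messages at the end show the false-positive risk with legitimate templated traffic.

```python
import re
from collections import deque
from difflib import SequenceMatcher

# Constructed samples modelled on the two texts quoted in the post: the same
# spam body with a different random token each time, then legitimate traffic.
SPAM = [
    "KREDIT VSEM, LYuBIE SUMMI. Rabotaem s dolzhnikami! t. 89879141731 k1FpLt",
    "KREDIT VSEM, LYuBIE SUMMI. Rabotaem s dolzhnikami! t. 89879141731 op0vF0",
    "xQ9zL KREDIT VSEM, LYuBIE SUMMI. Rabotaem s dolzhnikami! t. 89879141731",
    "Kredit vsem, lyubie summy! Rabotaem s dolzhnikami. t. 89879141731 Zz7q",
]
OTP_A = "Your verification code is 482913. It expires in 10 minutes."
OTP_B = "Your verification code is 771204. It expires in 10 minutes."


def is_pad_token(word: str) -> bool:
    """Heuristic (an assumption, not from the thread) for the padding trick the
    post describes: a short token mixing letters and digits such as 'k1FpLt'.
    A plain word or an all-digit phone number does not qualify."""
    return (4 <= len(word) <= 8 and word.isalnum()
            and any(c.isdigit() for c in word) and any(c.isalpha() for c in word))


def normalize(text: str) -> str:
    """Lower-case, collapse whitespace and drop a pad token at either end."""
    words = text.lower().split()
    if words and is_pad_token(words[0]):
        words = words[1:]
    if words and is_pad_token(words[-1]):
        words = words[:-1]
    return " ".join(words)


class NearDuplicateFilter:
    """Block a message scoring >= `threshold` against any of the last `window`
    attempts (the 90% / last-10 rule from the comment above)."""

    def __init__(self, window: int = 10, threshold: float = 0.9):
        self.recent = deque(maxlen=window)
        self.threshold = threshold

    def check(self, text: str):
        """Return (blocked, best_ratio); every attempt joins the window."""
        norm = normalize(text)
        best = max((SequenceMatcher(None, norm, prev, autojunk=False).ratio()
                    for prev in self.recent), default=0.0)
        self.recent.append(norm)
        return best >= self.threshold, best
```

Two verification codes that differ only in the six digits score right around the 90% line, which is the "other criteria" problem: a service used by dev teams for OTP testing needs a per-sender window or a template allow-list on top of the similarity score.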

------
Caballera
Require registration. Block VPNs (as the people doing it are more likely
trying to hide their true IP). If someone wants to use a VPN, require
documentation. Be open about your limits.

But to be honest, the people that are abusing your system are more than likely
doing it for financial gain, so it's likely their full time job, and
they won't stop.

------
mtmail
You could try a time-wasting count-down after the captcha. The "send" button
can only be clicked after 60 seconds have passed, and you check if the IP matches to
make sure somebody is not using multiple tabs in their browser. Still, it
seems those spammers are motivated and have time (or found somebody to
outsource cheaply to).

~~~
rakjosh
IP is not something I can rely on, because it looks like they have enough unique
IP addresses to use. And like you said, motivated and a lot of time on their
hands. I feel like adding that 60 second delay only makes the UX bad for
genuine users.

------
creatornator
OAuth was mentioned in some of these comments. I'd add to that: use
generated API keys and rate limit requests per key, or per user.

------
n-gauge
Have the text checked by a dictionary and if < 50% (or whatever is needed)
fails then don't send the text.

~~~
rakjosh
I don't think I'll be able to do dictionary checks because people from
different countries use this, in their own languages. I get around 5-6K people
every day from all around the globe.

It would be ideal, but very hard to implement for all different languages I
think, unless I'm missing something.

------
shoo
Make it a paid service so that if volume increases you run at a profit.

------
gt2
Require account signup/login with real cell number to register?

------
nautical
Do you mind sharing logs of the abuse?

