Hacker News new | past | comments | ask | show | jobs | submit login
T-Mobile: Are you blocking specific words and suspending accounts? (reddit.com)
167 points by _vvdf 12 months ago | hide | past | favorite | 57 comments

There's two different but both problematic things here:

- Really poorly written spam detection.

- Failure to notify customers/no remediation procedure.

No doubt people will bring up "but then the spammers will know!!" Or similar, but honestly spammers are already limited by the cost of buying SIM cards ($5/ea), and I feel like customers being negatively impacted outweighs the minor benefit to spam-fighting (particularly when spammers could buy a single second number and detect this 100% of the time anyway).

Plus I'd be pretty upset if I was a customer paying for service, and I lost access to a part of that service for 10 days because I sent the word "butt" in a conversation. I'd feel particularly irritated if I wasn't told that my messages weren't delivered, and vital ones were just going into a void.

For SaaS like Strava or something, I'm agnostic whether the notice should come before the shut-off alleging a TOS violation. For cellular service though, SMS is integral to life. 911 even accepts SMS. Imagine T-Mobile silently dropping 911 SMS communications because someone texted the wrong word? Which isn't even in the TOS?

This is like dangling chum in the water, waiting for a big shark to chomp your leg, T-Mobile and whatever individual engineer came up with this.

Did anyone allege that sending SMS to 911 was affected?

No, we were just asked to imagine the effects of this poor implementation on emergency services.

Which is something that should be considered before writing this stuff and hopefully a T-Mobile engineer reads Hacker News to be encouraged to think about that and check it.

Bulk SMS spam would most likely come from someone with direct signalling access and not from individual SIM cards which would be trivial to detect and block by the operator.

> which would be trivial to detect and block by the operator.

Problem solved! https://www.aliexpress.com/item/4000124061983.html

Wow, pretty inventive! You can get similar devices which plug into a computer and would be a lot easier.

It is trivial, even for someone not that technically oriented to send a mass SMS from Android, with the appropriate app. Since it's easier to sideload on Android, it would be even easier for a malicious spammer to pay people to install sketchy APK's that spam from the user's phone relentlessly.

This would be simple for the user to execute but it would very quickly be spotted by the operator as it's all from a single originating MSISDN. Spreading the load over many users like your latter example would be a lot harder to spot, as would spamming through multiple SMS providers as you're diluting it (but it might also get picked up by the provider e.g. Twilio, MessageBird etc).

My point was that most spam originates from people with SS7 access and not SIM cards. It can also come through low cost SMS providers but is short lived as it's blocked the moment it's discovered or there's a complaint.

How does one even obtain SS7 access w/o a AUP forbidding this kind of abuse? Or are the Telco owners making more money not caring @ that connection level?

What's more, all you need is a broadband dongle and you can send SMS with a simple script straight from your PC - but as others already said, it's hardly a real source of spam.

I think there's an increasing amount of SMS spam being sent by random compromised consumer devices, which is probably what drove T-Mobile to take this sort of desperate measure. It would seem like notifying the customer is even more warranted in this case, though.

The only SMS spam I ever get is from email addresses...

PayPal has a similar problem. They do really loose string matching on the OFAC list[1], for any data, in any payment field...even a comment. Match a magic string in a comment, and your PayPal account gets locked down in a way that's very hard to undo.

[1] https://www.treasury.gov/resource-center/sanctions/sdn-list/...

Yeah this was a big thing back in the heyday of CSGO skin trading. Putting the word "damascus" into a transaction comment would get your account locked.

Which seems inept, as "Damascus steel" is a sought-after material for knife blades.

How loose is the string matching? That list looks full of incredibly common names from around the world.

It seems pretty damn loose, but of course, it's hard to test since the outcome ruins your PayPal account. I found this: https://m.imgur.com/a/RnpRm

that's what the SDN list really is, just some common names of people, organizations and countries.

it's up to you to figure out how to turn that into not selling to the wrong people and going to prison.

True, but that doesn't seem like a good excuse for a dumb grep-ish solution on all fields.

Some smart terrorist is going to legally to change their name to "Thank You" and screw PayPal :)

Because there's no downside to doing it this way while a lot of upside for 'being tough on terrorism'.

Good luck if someone sends you a payment for 'Cuban food' or 'Iranian Weapons of Mass Destruction'

There’s already a story about Venmo seizing money from someone who used “ISIS beer funds” in a comment: https://www.inverse.com/article/13700-i-wrote-isis-beer-fund...

USA Family owned dance studio: https://imgur.com/a/QjQYCst

Imagine the bullshit they've had to deal with, on many angles.

This is a great reminder to switch from SMS to something that is e2e encrypted.

I was thinking the exact same thing. I need to convince a few family members to ditch SMS... unfortunately some businesses (like apartment buildings) still use SMS to communicate, so it’ll probably be a while before we fully move away from this medium.

T-mobile is a joke. I lost my @simon Twitter account [0] because of T-mobile's and Twitter's utter incompetence, and it took me more than 3 months to regain control of it.

The way the attacker gained control of my phone number should have never been possible. I'm still a customer, why? Because there's no better alternative in the US, although I'm pondering Google Fi at the moment. Thoughts?

[0]: https://medium.com/@simon/mobile-twitter-hacked-please-help-...

If you don't mind losing your phone number forever, Google Fi is a great option!

If Google Pay suspects fraud, it locks your account. Google Fi isn't paid for. Google locks your phone number from being ported out forever. Empowered human support wouldn't be Googley, so it's usually locked out forever.

T-Mobile isn't very competent, but at least, they provide humans who can fix things, eventually, once they figure out what they're doing.

It's just a single phone, but google fi has worked pretty well for my use case. I was impressed how well it worked when I went on vacation to Canada last year. If you don't need to have a half-dozen devices on one account there's really very little that gets you as much bang for your buck - unless I'm really burning through data my bill is usually $30/month.

I ran into this a few months ago when texting the phrase "work from home" it was really strange. We rationalized it with the spam / phishing thought process, but it still seems wrong for the carriers to block messages so poorly.

It makes me wonder if I really want them filtering 'spam' calls.

tinfoil hat maybe that's their end game!

“Learn to code” is harassment on twitter

From the scant details about the word "BELLY" triggering the blocks, it looks like some hypothesize it's a "Scunthorpe" type of programming bug:


I don't see "cunt" or any similar string anywhere in the string "belly". As mentioned at TFA, this is more likely some sort of naive Bayes filtering since "belly" is often seen in "lose belly fat fast!" etc.

The article reads like it's much less sophisticated than Bayes. Perhaps just "x messages that have belly in them over y time period". Where either x is too small, or y is too big.

I would guess it is aimed as "reduce belly fat" spam.

T-Mobile has also not been approving new short codes on their network since earlier this year. Frustrating for folks trying to execute legit SMS comms.

Use case(s)? I’ve have success working with financial services firms moving their comms from short code to push notifications in app. Always curious who is still using bulk SMS and for what.

As someone who dabbles in alternative mobile OSes (and would like to switch to one full-time again soon), it's frustrating when there isn't a fallback option to standard protocols. Thankfully email/SMS are still fairly ubiquitous, but I don't like the idea of that going away for something important like banking and being locked into one of the big two platforms.

Godspeed. SMS is unlikely to ever improve, consider more durable alternatives.

Email is fine too! Or maybe RCS in the future, though I’m not sure if there’s a free RCS stack anywhere yet. But honestly, though I rarely use SMS for personal communication these days, it makes a pretty good fallback, and it’s damn near ubiquitous.

I’ve been developing SMS chatbots and using my T-Mobile phone for testing. They will also drop messages that contain URLs, although the rules for which TLDs are allowed are hard to reverse engineer, much less rationalize. Last I remember, .club URLs are blocked, .com is allowed, and bit.ly is allowed.

I recently ran into this sort of filtering when trying to share an AI Dungeon .link URL with a friend. It's kind of crazy that entire TLDs are blocked without any indication or warning.

Hmm I suspect this could be related to Branch links, because their default deep link domain is app.link

Tangent: tell us about your dungeon! How does it work, are you happy with it etc? Links you can share?

Show HN of course!

Verizon also blocks messages based on the urls they contain. Not sure about specific TLDs, but surely whole domains. Discovered this by running a service that sends a lot of messages through Twilio. Not sure if you would ever be notified of the block when sending from your phone.

In my opinion is not really to block spam, but instead to push message senders to buy the carrier's more expensive shortcode option.

... which can’t be reached from twilio, since twilio Numbers are not actual mobile numbers.

What is it that can't be reached from Twilio? Carrier short codes?

Correct. Twilio does not give out any proper mobile phone numbers. Therefore you cannot send SMS from a twilio number to a short-code.

Are US carriers even allowed to do this?

Bell and Telus in Canada we’re doing this. But only if your SMS contained the term « secure message ». Strange to say the least.

do you mean 'we are doing this' or 'were previously doing this' ?

Facebook Messenger does the same with some porn links.

TL;DR: spam detection is hard

Charge people not in your contact list 10 cents to message you. 5 cents goes to you and 5 cents to the carrier. Problem solved. I would love this for messages and phone calls (and emails while we are at it).


Doxxing is disallowed...

Yeah and Reddit’s definition of doxxing includes names, even of public figures, so the home address (secret or not) of a public figure is not going to be allowed under that same policy. That’s why you’ll see Twitter handles blacked out in Reddit posts, because otherwise the post will be deleted.

Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact