14 comments

  • Someone1234 1 day ago

    There's two different but both problematic things here:

    - Really poorly written spam detection.

    - Failure to notify customers/no remediation procedure.

    No doubt people will bring up "but then the spammers will know!!" Or similar, but honestly spammers are already limited by the cost of buying SIM cards ($5/ea), and I feel like customers being negatively impacted outweighs the minor benefit to spam-fighting (particularly when spammers could buy a single second number and detect this 100% of the time anyway).

    Plus I'd be pretty upset if I was a customer paying for service, and I lost access to a part of that service for 10 days because I sent the word "butt" in a conversation. I'd feel particularly irritated if I wasn't told that my messages weren't delivered, and vital ones were just going into a void.

    • drtillberg 1 day ago

      For SaaS like Strava or something, I'm agnostic whether the notice should come before the shut-off alleging a TOS violation. For cellular service though, SMS is integral to life. 911 even accepts SMS. Imagine T-Mobile silently dropping 911 SMS communications because someone texted the wrong word? Which isn't even in the TOS?

      This is like dangling chum in the water, waiting for a big shark to chomp your leg, T-Mobile and whatever individual engineer came up with this.

      • Did anyone allege that sending SMS to 911 was affected?

        • edoceo 1 day ago

          No, we were just asked to imagine the effects of this poor implementation on emergency services.

          • t-writescode 1 day ago

            Which is something that should be considered before writing this stuff and hopefully a T-Mobile engineer reads Hacker News to be encouraged to think about that and check it.

      • makethetick 1 day ago

        Bulk SMS spam would most likely come from someone with direct signalling access and not from individual SIM cards which would be trivial to detect and block by the operator.

        • nullc 1 day ago

          > which would be trivial to detect and block by the operator.

          Problem solved! https://www.aliexpress.com/item/4000124061983.html

          • makethetick 1 day ago

            Wow, pretty inventive! You can get similar devices which plug into a computer and would be a lot easier.

          • jasonjayr 1 day ago

            It is trivial, even for someone not that technically oriented, to send a mass SMS from Android with the appropriate app. Since it's easier to sideload on Android, it would be even easier for a malicious spammer to pay people to install sketchy APKs that spam from the user's phone relentlessly.

            • makethetick 1 day ago

              This would be simple for the user to execute but it would very quickly be spotted by the operator as it's all from a single originating MSISDN. Spreading the load over many users like your latter example would be a lot harder to spot, as would spamming through multiple SMS providers as you're diluting it (but it might also get picked up by the provider e.g. Twilio, MessageBird etc).

              My point was that most spam originates from people with SS7 access and not SIM cards. It can also come through low cost SMS providers but is short lived as it's blocked the moment it's discovered or there's a complaint.

              • jasonjayr 1 day ago

                How does one even obtain SS7 access w/o an AUP forbidding this kind of abuse? Or are the Telco owners making more money not caring @ that connection level?

              • seba_dos1 20 hours ago

                What's more, all you need is a broadband dongle and you can send SMS with a simple script straight from your PC - but as others already said, it's hardly a real source of spam.

              • jcrawfordor 1 day ago

                I think there's an increasing amount of SMS spam being sent by random compromised consumer devices, which is probably what drove T-Mobile to take this sort of desperate measure. It would seem like notifying the customer is even more warranted in this case, though.

                • Geezus_42 1 day ago

                  The only SMS spam I ever get is from email addresses...

              • tyingq 1 day ago

                PayPal has a similar problem. They do really loose string matching on the OFAC list[1], for any data, in any payment field...even a comment. Match a magic string in a comment, and your PayPal account gets locked down in a way that's very hard to undo.

                [1] https://www.treasury.gov/resource-center/sanctions/sdn-list/...

                • vultour 1 day ago

                  Yeah this was a big thing back in the heyday of CSGO skin trading. Putting the word "damascus" into a transaction comment would get your account locked.

                  • myself248 1 day ago

                    Which seems inept, as "Damascus steel" is a sought-after material for knife blades.

                  • andybak 1 day ago

                    How loose is the string matching? That list looks full of incredibly common names from around the world.

                    • tyingq 1 day ago

                      It seems pretty damn loose, but of course, it's hard to test since the outcome ruins your PayPal account. I found this: https://m.imgur.com/a/RnpRm

                      • WrtCdEvrydy 1 day ago

                        that's what the SDN list really is, just some common names of people, organizations and countries.

                        it's up to you to figure out how to turn that into not selling to the wrong people and going to prison.

                        • tyingq 1 day ago

                          True, but that doesn't seem like a good excuse for a dumb grep-ish solution on all fields.

                          Some smart terrorist is going to legally change their name to "Thank You" and screw PayPal :)

                      • WrtCdEvrydy 1 day ago

                        Because there's no downside to doing it this way while a lot of upside for 'being tough on terrorism'.

                        Good luck if someone sends you a payment for 'Cuban food' or 'Iranian Weapons of Mass Destruction'

                    • T-mobile is a joke. I lost my @simon Twitter account [0] because of T-mobile's and Twitter's utter incompetence, and it took me more than 3 months to regain control of it.

                      The way the attacker gained control of my phone number should have never been possible. I'm still a customer, why? Because there's no better alternative in the US, although I'm pondering Google Fi at the moment. Thoughts?

                      [0]: https://medium.com/@simon/mobile-twitter-hacked-please-help-...

                      • woofie11 1 day ago

                        If you don't mind losing your phone number forever, Google Fi is a great option!

                        If Google Pay suspects fraud, it locks your account. Google Fi isn't paid for. Google locks your phone number from being ported out forever. Empowered human support wouldn't be Googley, so it's usually locked out forever.

                        T-Mobile isn't very competent, but at least, they provide humans who can fix things, eventually, once they figure out what they're doing.

                        • organman91 1 day ago

                          It's just a single phone, but google fi has worked pretty well for my use case. I was impressed how well it worked when I went on vacation to Canada last year. If you don't need to have a half-dozen devices on one account there's really very little that gets you as much bang for your buck - unless I'm really burning through data my bill is usually $30/month.

                        • Hippocrates 1 day ago

                          This is a great reminder to switch from SMS to something that is e2e encrypted.

                          • gallego2007 1 day ago

                            I was thinking the exact same thing. I need to convince a few family members to ditch SMS... unfortunately some businesses (like apartment buildings) still use SMS to communicate, so it’ll probably be a while before we fully move away from this medium.

                          • timeinput 1 day ago

                            I ran into this a few months ago when texting the phrase "work from home"; it was really strange. We rationalized it with the spam / phishing thought process, but it still seems wrong for the carriers to block messages so poorly.

                            It makes me wonder if I really want them filtering 'spam' calls.

                            tinfoil hat maybe that's their end game!

                            • dzhiurgis 12 hours ago

                              “Learn to code” is harassment on twitter

                            • jasode 1 day ago

                              From the scant details about the word "BELLY" triggering the blocks, it looks like some hypothesize it's a "Scunthorpe" type of programming bug:

                              https://en.wikipedia.org/wiki/Scunthorpe_problem

                              • jessaustin 1 day ago

                                I don't see "cunt" or any similar string anywhere in the string "belly". As mentioned at TFA, this is more likely some sort of naive Bayes filtering since "belly" is often seen in "lose belly fat fast!" etc.

                                • tyingq 1 day ago

                                  The article reads like it's much less sophisticated than Bayes. Perhaps just "x messages that have belly in them over y time period". Where either x is too small, or y is too big.

                                  • LanceH 1 day ago

                                    I would guess it is aimed at "reduce belly fat" spam.
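
Added example, not part of the thread and not any carrier's code: a sketch of the rule tyingq hypothesizes above ("x messages that have belly in them over y time period"), run over constructed messages to show how the choice of x and y decides whether an ordinary chat is flagged. The function name, the thresholds, the sample numbers and the distinct-recipient check are assumptions made for illustration.

```python
import re
from collections import deque

KEYWORD = "belly"  # word named in the thread; the rule itself is hypothetical


def flag_sender(messages, x, y_seconds, min_recipients=1):
    """Return True if one sender trips the keyword-rate rule.

    messages: list of (timestamp_seconds, recipient, text), sorted by time.
    Rule: at least `x` messages containing KEYWORD as a whole word inside
    any `y_seconds` window, spread over at least `min_recipients` recipients.
    """
    window = deque()  # (timestamp, recipient) of keyword hits still in window
    for ts, recipient, text in messages:
        if KEYWORD not in re.findall(r"[a-z']+", text.lower()):
            continue
        window.append((ts, recipient))
        # Expire hits older than the window; the newest hit always remains.
        while ts - window[0][0] > y_seconds:
            window.popleft()
        recipients = {r for _, r in window}
        if len(window) >= x and len(recipients) >= min_recipients:
            return True
    return False


# Constructed sample: one customer texting one friend over a day.
CHAT = [
    (0, "+15550100", "The baby has a sore belly today"),
    (3600, "+15550100", "Belly rubs seem to help"),
    (30000, "+15550100", "Her belly is fine now, thanks"),
]

# Constructed sample: one sender blasting 20 different numbers in 40 seconds.
SPAM = [(i * 2, "+1555%04d" % (200 + i), "Lose belly fat fast! Reply YES")
        for i in range(20)]

if __name__ == "__main__":
    # x too small, y too big: the ordinary chat is blocked.
    print("chat, x=3 y=1 day:", flag_sender(CHAT, 3, 86400))
    # Tighter window: the chat passes, the blast is still caught.
    print("chat, x=3 y=10 min:", flag_sender(CHAT, 3, 600))
    print("spam, x=10 y=1 min:", flag_sender(SPAM, 10, 60, min_recipients=5))
    # Requiring several distinct recipients also clears the chat.
    print("chat, 3 recipients:", flag_sender(CHAT, 3, 86400, min_recipients=3))
```
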

                              • chevman 1 day ago

                                T-Mobile has also not been approving new short codes on their network since earlier this year. Frustrating for folks trying to execute legit SMS comms.

                                • toomuchtodo 1 day ago

                                  Use case(s)? I’ve had success working with financial services firms moving their comms from short code to push notifications in app. Always curious who is still using bulk SMS and for what.

                                  • ryukafalz 1 day ago

                                    As someone who dabbles in alternative mobile OSes (and would like to switch to one full-time again soon), it's frustrating when there isn't a fallback option to standard protocols. Thankfully email/SMS are still fairly ubiquitous, but I don't like the idea of that going away for something important like banking and being locked into one of the big two platforms.

                                    • toomuchtodo 1 day ago

                                      Godspeed. SMS is unlikely to ever improve, consider more durable alternatives.

                                      • ryukafalz 1 day ago

                                        Email is fine too! Or maybe RCS in the future, though I’m not sure if there’s a free RCS stack anywhere yet. But honestly, though I rarely use SMS for personal communication these days, it makes a pretty good fallback, and it’s damn near ubiquitous.

                                • zachrose 1 day ago

                                  I’ve been developing SMS chatbots and using my T-Mobile phone for testing. They will also drop messages that contain URLs, although the rules for which TLDs are allowed are hard to reverse engineer, much less rationalize. Last I remember, .club URLs are blocked, .com is allowed, and bit.ly is allowed.

                                  • foob 1 day ago

                                    I recently ran into this sort of filtering when trying to share an AI Dungeon .link URL with a friend. It's kind of crazy that entire TLDs are blocked without any indication or warning.

                                    • willvarfar 1 day ago

                                      Tangent: tell us about your dungeon! How does it work, are you happy with it etc? Links you can share?

                                      Show HN of course!

                                      • vincentmarle 1 day ago

                                        Hmm I suspect this could be related to Branch links, because their default deep link domain is app.link

                                      • ta1234567890 1 day ago

                                        Verizon also blocks messages based on the urls they contain. Not sure about specific TLDs, but surely whole domains. Discovered this by running a service that sends a lot of messages through Twilio. Not sure if you would ever be notified of the block when sending from your phone.

                                        In my opinion it is not really to block spam, but instead to push message senders to buy the carrier's more expensive shortcode option.

                                        • rsync 1 day ago

                                          ... which can’t be reached from twilio, since twilio Numbers are not actual mobile numbers.

                                          • zachrose 1 day ago

                                            What is it that can't be reached from Twilio? Carrier short codes?

                                            • rsync 1 day ago

                                              Correct. Twilio does not give out any proper mobile phone numbers. Therefore you cannot send SMS from a twilio number to a short-code.

                                      • dogma1138 1 day ago

                                        Are US carriers even allowed to do this?

                                        • Scoundreller 1 day ago

                                          Bell and Telus in Canada we’re doing this. But only if your SMS contained the term « secure message ». Strange to say the least.

                                          • lgats 1 day ago

                                            do you mean 'we are doing this' or 'were previously doing this' ?

                                          • dredmorbius 1 day ago
                                            • speedgoose 1 day ago

                                              Facebook Messenger does the same with some porn links.

                                              • wdr1 1 day ago

                                                TL;DR: spam detection is hard

                                                • njarboe 1 day ago

                                                  Charge people not in your contact list 10 cents to message you. 5 cents goes to you and 5 cents to the carrier. Problem solved. I would love this for messages and phone calls (and emails while we are at it).

                                                • loeg 1 day ago

                                                  Tangentially related, Reddit deletes posts and suspends accounts for three days if the address "[redacted]" (rot13) is posted. (It's the not-very-secret address of the Seattle Mayor's giant lakeside house.)

                                                  • TheAdamAndChe 1 day ago

                                                    Doxxing is disallowed...

                                                    • freehunter 1 day ago

                                                      Yeah and Reddit’s definition of doxxing includes names, even of public figures, so the home address (secret or not) of a public figure is not going to be allowed under that same policy. That’s why you’ll see Twitter handles blacked out in Reddit posts, because otherwise the post will be deleted.