There's two different but both problematic things here:
- Really poorly written spam detection.
- Failure to notify customers/no remediation procedure.
No doubt people will bring up "but then the spammers will know!!" Or similar, but honestly spammers are already limited by the cost of buying SIM cards ($5/ea), and I feel like customers being negatively impacted outweighs the minor benefit to spam-fighting (particularly when spammers could buy a single second number and detect this 100% of the time anyway).
Plus I'd be pretty upset if I was a customer paying for service, and I lost access to a part of that service for 10 days because I sent the word "butt" in a conversation. I'd feel particularly irritated if I wasn't told that my messages weren't delivered, and vital ones were just going into a void.
For SaaS like Strava or something, I'm agnostic whether the notice should come before the shut-off alleging a TOS violation. For cellular service though, SMS is integral to life. 911 even accepts SMS. Imagine T-Mobile silently dropping 911 SMS communications because someone texted the wrong word? Which isn't even in the TOS?
This is like dangling chum in the water, waiting for a big shark to chomp your leg, T-Mobile and whatever individual engineer came up with this.
It is trivial, even for someone not that technically oriented to send a mass SMS from Android, with the appropriate app. Since it's easier to sideload on Android, it would be even easier for a malicious spammer to pay people to install sketchy APK's that spam from the user's phone relentlessly.
This would be simple for the user to execute but it would very quickly be spotted by the operator as it's all from a single originating MSISDN.
Spreading the load over many users like your latter example would be a lot harder to spot, as would spamming through multiple SMS providers as you're diluting it (but it might also get picked up by the provider e.g. Twilio, MessageBird etc).
My point was that most spam originates from people with SS7 access and not SIM cards. It can also come through low cost SMS providers but is short lived as it's blocked the moment it's discovered or there's a complaint.
I think there's an increasing amount of SMS spam being sent by random compromised consumer devices, which is probably what drove T-Mobile to take this sort of desperate measure. It would seem like notifying the customer is even more warranted in this case, though.
PayPal has a similar problem. They do really loose string matching on the OFAC list, for any data, in any payment field...even a comment. Match a magic string in a comment, and your PayPal account gets locked down in a way that's very hard to undo.
T-mobile is a joke. I lost my @simon Twitter account  because of T-mobile's and Twitter's utter incompetence, and it took me more than 3 months to regain control of it.
The way the attacker gained control of my phone number should have never been possible. I'm still a customer, why? Because there's no better alternative in the US, although I'm pondering Google Fi at the moment. Thoughts?
If you don't mind losing your phone number forever, Google Fi is a great option!
If Google Pay suspects fraud, it locks your account. Google Fi isn't paid for. Google locks your phone number from being ported out forever. Empowered human support wouldn't be Googley, so it's usually locked out forever.
T-Mobile isn't very competent, but at least, they provide humans who can fix things, eventually, once they figure out what they're doing.
It's just a single phone, but google fi has worked pretty well for my use case. I was impressed how well it worked when I went on vacation to Canada last year. If you don't need to have a half-dozen devices on one account there's really very little that gets you as much bang for your buck - unless I'm really burning through data my bill is usually $30/month.
I was thinking the exact same thing. I need to convince a few family members to ditch SMS... unfortunately some businesses (like apartment buildings) still use SMS to communicate, so it’ll probably be a while before we fully move away from this medium.
I ran into this a few months ago when texting the phrase "work from home" it was really strange. We rationalized it with the spam / phishing thought process, but it still seems wrong for the carriers to block messages so poorly.
It makes me wonder if I really want them filtering 'spam' calls.
I don't see "cunt" or any similar string anywhere in the string "belly". As mentioned at TFA, this is more likely some sort of naive Bayes filtering since "belly" is often seen in "lose belly fat fast!" etc.
As someone who dabbles in alternative mobile OSes (and would like to switch to one full-time again soon), it's frustrating when there isn't a fallback option to standard protocols. Thankfully email/SMS are still fairly ubiquitous, but I don't like the idea of that going away for something important like banking and being locked into one of the big two platforms.
Email is fine too! Or maybe RCS in the future, though I’m not sure if there’s a free RCS stack anywhere yet. But honestly, though I rarely use SMS for personal communication these days, it makes a pretty good fallback, and it’s damn near ubiquitous.
I’ve been developing SMS chatbots and using my T-Mobile phone for testing. They will also drop messages that contain URLs, although the rules for which TLDs are allowed are hard to reverse engineer, much less rationalize. Last I remember, .club URLs are blocked, .com is allowed, and bit.ly is allowed.
Verizon also blocks messages based on the urls they contain. Not sure about specific TLDs, but surely whole domains. Discovered this by running a service that sends a lot of messages through Twilio. Not sure if you would ever be notified of the block when sending from your phone.
In my opinion is not really to block spam, but instead to push message senders to buy the carrier's more expensive shortcode option.
Charge people not in your contact list 10 cents to message you. 5 cents goes to you and 5 cents to the carrier. Problem solved. I would love this for messages and phone calls (and emails while we are at it).
Tangentially related, Reddit deletes posts and suspends accounts for three days if the address "[redacted]" (rot13) is posted. (It's the not-very-secret address of the Seattle Mayor's giant lakeside house.)
Yeah and Reddit’s definition of doxxing includes names, even of public figures, so the home address (secret or not) of a public figure is not going to be allowed under that same policy. That’s why you’ll see Twitter handles blacked out in Reddit posts, because otherwise the post will be deleted.