Ask HN: How to prevent abuse of free service costing money to website?
13 points by rakjosh 2813 days ago
I run a website (https://freephonenum.com/send-text) that allows people to send FREE SMS worldwide. I started this service a little over 1 year ago to allow our remote dev team to test sending and receiving SMS to and from a US number.

After a few months, I realized that a lot of people needed that service; I started getting organic traffic to my site.

But recently I've been seeing a few people who are trying to abuse the system. They are sending 1000s of texts using my website, which costs me a lot of money. I still want to keep the service because it is useful for so many people; I don't want to shut down the service because of just a few evil people.

Here are a few things I tried that didn't work:

1. Google captcha.
2. Restricted the number of texts that can be sent from one IP every day.
3. Don't allow people to send the same text more than 3 times a day.
4. Disabled error messages on the site so the abuser would not know whether the texts are actually going out or not (always gives a success message).

Things I know the abuser is doing:

1. Changes IP address for each request.
2. Manually solves the captcha.
3. Adds a random string at the start and end of the message (so that it's not treated as a duplicate message by my system).
4. Somehow the abuser is able to send 1.5K texts every hour (I'm not sure how). I know it's manual because there is a lag of about 15 seconds.
5. Sample texts:

"KREDIT VSEM, LYuBIE SUMMI. Rabotaem s dolzhnikami! t. 89879141731 k1FpLt"

"KREDIT VSEM, LYuBIE SUMMI. Rabotaem s dolzhnikami! t. 89879141731 op0vF0"

10 comments

It may seem obvious, but add a registration through OAuth providers like Google and Facebook. It should trim down the amount without a lot of impact, I guess.

If all that abuse is in Russian you might just try to deny service if Russian language is used or add an extra hurdle like browser fingerprinting and rejecting the combo language + fingerprint within a timeframe.

Depending on your user demographic you could also use a reputation system for IPs. Trusted: no delays; untrusted: delayed for 10 minutes, and if something similar is found within that timeframe (use regex), drop the message.

This. Require auth; it also allows you to add stuff like rate limiting per account to further prevent abuse.
As a catch-all you could start regexing messages' content and deny the abuser if one of their common patterns matches -- you'll still be in a never-ending game of cat and mouse.

There's also the possibility of false positives, which might mean some of your users' benign messages get rejected. Over time you could even start to integrate ML and NLP, which would hopefully limit the amount of manual oversight needed to detect spam in the future.

Not sure if this is something you've tried or not, but doing a fuzzy match on the text string might be a way to go. If there is more than a 90% match on the last 10 messages, you can block the message being sent. You might need to think through other criteria to make sure you don't block legitimate texts being sent.
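
One way to implement that fuzzy check, as an added example (not code from this thread or from the freephonenum.com service), using Python's difflib ratio against a sliding window of the last 10 messages; the 90% threshold is the commenter's, while the window size, the minimum-length guard for short texts, and the decision to remember rejected messages too are assumptions of this example:

```python
"""Near-duplicate filter for outgoing SMS, modelled on the fuzzy-match suggestion above."""
from collections import deque
from difflib import SequenceMatcher
import re

# Constructed samples: the two spam texts quoted in the post, which differ only in the
# random trailing token the abuser appends to defeat an exact-duplicate check.
SPAM_A = "KREDIT VSEM, LYuBIE SUMMI. Rabotaem s dolzhnikami! t. 89879141731 k1FpLt"
SPAM_B = "KREDIT VSEM, LYuBIE SUMMI. Rabotaem s dolzhnikami! t. 89879141731 op0vF0"


def normalize(text: str) -> str:
    """Case and whitespace tweaks should not defeat the comparison."""
    return re.sub(r"\s+", " ", text.strip()).lower()


def similarity(a: str, b: str) -> float:
    """0.0 (nothing in common) .. 1.0 (identical), on normalized text."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


class NearDuplicateFilter:
    """Rejects a message that is at least `threshold` similar to any of the last `window` messages."""

    def __init__(self, window: int = 10, threshold: float = 0.9, min_len: int = 20):
        self.recent = deque(maxlen=window)   # only the last `window` messages are kept
        self.threshold = threshold
        self.min_len = min_len               # short texts ("ok", "test") trip the ratio too easily

    def check(self, text: str):
        """Return (allowed, best_ratio). Every message is remembered, allowed or not, so the
        abuser's newest variant is always among what the next variant is compared against."""
        norm = normalize(text)
        best = 0.0
        if len(norm) >= self.min_len:        # skip the fuzzy check for very short texts
            for prev in self.recent:
                best = max(best, SequenceMatcher(None, norm, prev).ratio())
        self.recent.append(norm)
        return best < self.threshold, best


if __name__ == "__main__":
    f = NearDuplicateFilter()
    print(f.check("Hi, your verification code is 482913"))  # first message: allowed
    print(f.check(SPAM_A))   # unrelated to the previous one: allowed
    print(f.check(SPAM_B))   # only the random token differs from SPAM_A: blocked
    print(f.check("ok"))     # below min_len, fuzzy check skipped: allowed
```

The ratio for the two quoted spam variants is above 0.9 because 66 of their 72 characters match, so the filter catches the "random string at start and end" trick without touching an unrelated legitimate message of similar length.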
Require registration. Block VPNs (as the people doing it are more likely trying to hide their true IP). If someone wants to use a VPN, require documentation. Be open about your limits.

But to be honest, the people abusing your system are more than likely doing it for financial gain, so it's likely their full-time job, and they won't stop.

You could try a time-wasting countdown after the captcha. The "send" button can only be clicked after 60 seconds have passed, and you check if the IP matches to make sure somebody is not using multiple tabs in their browser. Still, it seems those spammers are motivated and have time (or found somebody to outsource to cheaply).
IP is not something I can rely on, because it looks like they have enough unique IP addresses to use. And like you said, motivated and a lot of time on their hands. I feel like adding that 60-second delay only makes the UX bad for genuine users.
OAuth was mentioned in some of these comments. I'd add to that: use generated API keys and rate limit requests per key, or per user.
Have the text checked against a dictionary, and if < 50% (or whatever is needed) fails, then don't send the text.
I don't think I'll be able to do dictionary checks because people from different countries use this, in their own languages. I get around 5-6K people every day from all around the globe.

It would be ideal, but very hard to implement for all different languages I think, unless I'm missing something.

The attacker could just pull the text from a dictionary and bypass this check. Also, as another commenter noted, there could be legitimate traffic that is in another language.
Make it a paid service so that if volume increases you run at a profit.
Require account signup/login with real cell number to register?
Do you mind sharing logs of the abuse?