[humanistbot]

> One surprising side effect of having a .xyz domain is that the mere inclusion of .xyz inside of a text message will result in a silent delivery failure for many providers.

This is wild to me. Tested it out myself and I couldn't send an SMS with a spot.xyz link to/from Google Voice <-> T-Mobile. And no "failed delivery" notice either, just a silent failure. And yet I still get so many texts that are obviously spam or phishing attempts.

[krono]

Blocking of messages/emails and blanket email server/domain/extension blacklisting is the same as a postal service not delivering mail to or from a particular entity/street/town.

Doing so silently and without a valid and case-specific reason should not be legally allowed.

Edit: Added "street/town" to analogy, and "case-specific" before reason

[maxwell]

The FCC classified SMS/MMS as unregulated, filterable "information services" rather than regulated "telecommunications services".

https://www.fiercewireless.com/wireless/sms-mms-deemed-infor...

[krono]

They should really update the "Mission and strategy" chapter on their Wikipedia page [1]. In particular the part about "Protecting Consumers & Public Safety" seems horribly outdated!

I will have to look up how this works in the EU and here in The Netherlands. Something to do for the weekend.

[1] https://en.wikipedia.org/wiki/Federal_Communications_Commiss...

[wikidani]

I really would like to see what was the legal reason behind that, I know the US has issues with gov't agencies using their opinions as law but I thought mail was constitutionally protected?

[maxwell]

The FCC just makes decisions, we're talking regulations here, not laws. They justified it with "preventing spam" and enabling competition with unregulated OTT apps.

I'm glad that Twilio fought for Title II governance: https://ecfsapi.fcc.gov/file/60001324418.pdf

Where was everyone else?

As far as the sanctity of the U.S. Mail, it only applies to sealed envelopes/packages, and Congress can ban items from the mail (e.g. lottery pamphlets, spurious tokens, gasoline, etc.)

https://supreme.justia.com/cases/federal/us/96/727/

[wikidani]

Doesn't congress make a law saying breaking x regulation carries y penalty and at the same time gives the agency power to decide what constitutes breaking x? I know for a fact that BATFE does this rather frequently. Also, thanks for the clarification about the secrecy of US mail. I apreciate it

[duskwuff]

You'd be getting an unbelievable amount of SMS spam if carriers weren't allowed to block messages. There's a lot of bad actors out there.

[aquark]

We've run into this issue with replies to texts that the user sent first.

Telecom spam filtering seems to be a ridiculously primitive and wide net. I can't imagine a valid use case for dropping a text sent to a number when that number just sent you a text a few seconds before.

I don't understand why SMS spam has such a big issue with false positives compared to email spam when emails are practically free to send but SMS is much more costly.

(Yes, I know there are a lot of false positives on email too ... but we run into false positive SMS spam issues a lot even though it feels like it should be a much simpler problem to solve).

[Veen]

Perhaps their blocking systems are stateless, i.e they don't bother doing a lookup of communication histories because it's expensive when you're dealing with millions of texts an hour. They just run each one through a bunch of rules and drop matches.

[skrtskrt]

Seconded, having worked in this space I can assure everyone that there are multiple orders of magnitude more (attempted) spam SMS than legitimate SMS.

[silisili]

I believe that, completely. But keyword silently blocking is an objectively bad approach. Tell the sender it failed if you're so keen to do so. Or tag it with a big POTENTIAL SPAM at the beginning of the message and send it. Or literally any of the dozens of smarter ways of content filtering than (if .xyz in y).

[Zuider]

> Tell the sender it failed...

But if the sender is a bad actor, they can just keep testing until they succeed, which will make fraud worse.

[account42]

Apparently sometimes the sender is not a bad actor.

[honkdaddy]

Very interesting. I definitely get phishing SMS messages from time to time, but I didn't realize these were some of the very few which actually made it through. Any idea how these bad actors are able to send out these massive batches of spam SMS? My naiive guess would be bulk purchasing disposable SIMs but I imagine it's more sophisticated?

[skrtskrt]

It's whack-a-mole where game is skewed wildly towards the moles.

Basically there are tons of VOIP companies, with varying levels of give-a-shit and spam detection capabilities.

Generally they are incentivized to let people self-serve on their platform - spin up quickly and start running traffic, or blasting spam, whatever. Especially if you're a small company, you're probably more likely to look the other way for a bit if someone is spending money on your platform, until regulators call, and you can be like "ok we looked into it and shut them down". Also you don't want to be overly aggressive, because what if a great customer comes onto your platform, loves the ease of setup, and starts running legitimate traffic, then you shut them down because they were triggered by whatever crappy spam heuristics your small company came up with, and the customer is gone to another platform where they don't have to deal with that.

Then the company/group running the traffic moves onto other VOIP providers until they get a bad enough name or push the envelope so much that no one will take them.

Then they just create a new "company" that no one recognizes the name of, and start again.

Honestly I think an open sourcing of spam detection heuristics and algorithms would be a massive help, but companies that are good at this obviously see it as a competitive advantage, just like the email space - for example if Twilio is great at keeping spam off their platform (no idea if they are, but they would have the most resources to do so), then all numbers registered with Twilio are less likely to get flagged/blocked downstream - all Twilio customers benefit. Twilio can say "any number you buy with us will be considered clean by downstream parties, no need to worry about getting flagged/blocked, then having to change the numbers you use for your business to communicate with customers, which could be saved in their phone already, etc."

The patterns spam takes vary wildly, often being specific to telecom laws and practices in specific jurisdictions, so it really is a tough problem. If an algorithm flags spam, you often want to then reach out to the customer and try to understand if there's a legitimate reason for the traffic patterns, etc. So there's a layer of customer relations beyond the algorithms that's also tough to scale.

[GoblinSlayer]

A simple solution: forward suspicious messages to a configured email address and let it be handled there.

[dvtrn]

Lately one doesn’t even need a SIM card, instead SMS via VoIP or a SIP trunk and bulk-purchased phone numbers

[account42]

> multiple orders of magnitude more (attempted) spam SMS

Are those actually spam messages or messages "detected" as spam.

[reginold]

I just saw this in another thread but: "label, not remove" is a better philosophy. I want to receive every message addressed to me.

Enable me to be the judge and get out of the way.

[noduerme]

There's already an opt-out legal framework in place for marketing calls. Mass sending SMS spam to opt-outs is illegal. Prosecute the crime. It makes zero sense to try to guess from content.

[seph-reed]

So put it in a spam folder.

If I had a spam texts folder that showed me everything I was being blocked from, I'd both appreciate it and not feel this massive breach of trust that things being sent to me are being completely ignored by a third party system.

The system that does this is absolutely primed for censorship, and we have no way to know it's not being used.

[duskwuff]

> So put it in a spam folder.

1) Neither the SMS protocol nor any phone I've ever seen has any mechanism to file messages in "folders".

2) Processing SMS messages and delivering them to subscribers has a cost. Doing so for high-volume junk messages would place a significant burden on carriers.

3) Most carriers used to charge subscribers for receiving SMS messages. Some still do! Charging subscribers to receive spam SMS messages would be, quite rightly, called out as inappropriate.

[tsimionescu]

I would add 4) feature phones and SIM cards have extremely low SMS storage capacities, around 100 or so max.

[sellyme]

> 1) Neither the SMS protocol nor any phone I've ever seen has any mechanism to file messages in "folders".

My phone (ROG Phone 3 w/ Android 11) automatically flags spammy texts into a "Spam & Blocked" folder, I assumed this was a stock Android feature - is it not?

[gsich]

1 and 2: true (to a degree, phones sort messages by sender which is a folder), but if a SMS already reached the provider they have the data. No need to send spam to the client. Instead display the SMS on some webinterface the customer can access. Or email it.

[seph-reed]

Then put it behind a config setting.

Or let me view it through some other means.

I'm not opposed to spam filtration as a user default, but doing so silently without any indication of what is being filtered or ability to verify it is working is not acceptable for such a vital messaging system.

[throwaway09223]

No, I'd just be filtering it client-side -- which is the only way it should work in the first place.

Providers should be legally prohibited from intercepting and dropping messages.

[dietr1ch]

I wonder if that's why he mentions "without a valid reason".

[ceejayoz]

"We get a lot of spam from those" would fall well within a vaguely defined "valid reason", I'd think.

(Most of my SMS spam comes from .info domains.)

[Spare_account]

>Most of my SMS spam comes from .info domains

Do you mean that the SMS messages contain links to .info domains?

[kafkaIncarnate]

I've personally noticed a lot of phone text spam being FROM email addresses recently. I think they are just abusing some feature in MMS, though, not SMS. It's weird seeing a list of phone numbers (usually SMS two-factor), some contacts' names that I have entered in, then a ton of random email addresses on my texting app (standard Android Messages app).

[ceejayoz]

Yes.

[thayne]

It's actually worse than that. It isn't blocked because of the sender or recipient, but because of the content. That would be like the postal service reading your mail and deciding that because of an address in the text of a letter, it shouldn't be delivered.

[weeblewobble]

Amusing analogy. The postal service's unwillingness or inability to do just that has severely damaged their utility. If the USPS had a junk-filtering option I'd sign up tonight. Perversely, the postal system seems to embrace junk mail (e.g. if you sign up for address forwarding the USPS sends you a fat envelope full of junk mail as a "confirmation")

[thayne]

I wouldn't. I mean sure, it would be nice not to get so much junk mail. But I personally don't think it is worth the risk of important mail like bills, tax info, new credit cards, etc. as accidentally getting flagged as spam. It also increases how much you have to trust the postal service.

[bogidon]

I like to chime in with this one when possible (due to a deep resentment for credit card offer spam). In case you didn’t know, you can opt out of the credit industry’s vast marketing machinery.

It’s a bit obtuse, as you’d expect from the bureaus, but I am thankful for this bit of regulation: https://www.consumer.ftc.gov/articles/prescreened-credit-and...

[tomc1985]

The USPS will likely not do anything to disrupt one of its largest sources of revenue

[mdavis6890]

The problem is that just receiving the message is in-and-of itself bad for the end user. It's not the volume you think (assuming the other poster is accurate about relative volumes) - it's far, far more. Imagine getting 1000 SMS/day that all have a "spam" warning attached, or worse, no warning at all. You'd just stop getting any value from SMS at all, and ignore it.

I mean, going back to the postal service - even the weekly pile of "here, throw this away for me." dead trees we receive (in the US) is mildly irritating. Imagine THAT x 1000!

I'm grateful for the silent block in this case. I mean, my social security number is being canceled, I'm about to be arrested by the IRS, the FBI found a suspicious package with my personal information in it and my car warranty (didn't know I had one) is up for renewal. And that's just this morning. What more can I stand? One of these days I'll press 1 out of desperation...

Also I hate govt/big-corp censorship as much as the next person, but none of this seems remotely political or ideological. And consider the alternative.

[rsync]

"I'm grateful for the silent block in this case."

That's not the issue - the issue is not alerting the sender that the message has failed.

It's not a big deal if the receiver never receives the message - we can find a different way of reaching out or fix the content problem or whatever. But we never find out. As far as the sender is concerned, the message succeeded.

This is a problem and the very bad spam heuristics employed by even the most competent actors (gmail, for instance) mean that anyone can be impacted by this.

[dcow]

Without any indication? How about

   WE THINK THIS MESSAGE IS SPAM
   _tap to read anyway_

[dspillett]

You missed the mentions of scale in the post you replied to (and elsewhere in the thread). Imaging needing to hit that or delete tens of times, maybe hundreds, maybe more, for every non-spam message you receive. You'd soon get sick of it. You'd soon accidentally delete, or otherwise miss, an important message in amongst the plethora of junk.

[xenocyon]

As a consumer, I can see both sides of this. On the one hand, I like energetic spam blocking without fear of legal liability, even if there are occasionally a few false positives. On the other, I do not want ISPs/telecoms to be the arbiters of traffic (net neutrality).

The net-neutral solution is for ISPs/telecoms to not spam-block, but rather have spam-blocking be an optional, additional, layer that the consumer can choose at will, or not have at all. But the problem with that solution is that it requires the consumer to do extra work to obtain spam protection, and the consumer would not be protected by default. It also means extra work by all parties delivering spam messages. Unless spam ceases or things otherwise change, I think the clunky solution we currently have is fine for the most part.

[dane-pgp]

> the consumer would not be protected by default.

Then make it set to "on" by default, and if more than 50% of customers switch it off then change the default.

I also think that this should be a requirement for social media. You should be able to opt out of separate filters for "spam", "misinformation", "breast-feeding", and whatever other reasons a social network has for banning legally protected speech.

[SllX]

In effect, sure, but in implementation these aren’t comparable. Postal services usually come with monopolies and mandates that ISPs, telecoms and email servers usually don’t.

USPS has a monopoly on first-class mail in the US and a Congressional mandate to deliver to every address.

[account42]

> telecoms and email servers usually don’t

Telecoms get a (local) monopoly on parts of the radio spectrum.

[SllX]

And they exist in competition with other telecoms who have different parts of the spectrum, wired service providers and Satellite service providers.

USPS has no direct competition for first-class mail and they have a monopoly over your mailbox (if you’re in the US).

[deepstack]

Yikes, sounds like censorship for whole TLD.

[iconjack]

It was wild to me too. I have an .xyz domain, which seemed appropriate for a non-commercial math site. I'd try to send links of math experiments to friends and colleagues via SMS, so they could tell me if they worked right on their phones or not. Can't tell you how much confusion and frustration it caused that the links were simply not being delivered, though all the conversation around the links went through just fine. No error was reported on either end. A year or so ago, I did a lot of searching trying to find some explanation of this bizarre behavior, but found literally nothing. It's nice to know I'm not crazy, at least. Is there a published list of what domains are not allowed to go through?

[schleck8]

> which seemed appropriate for a non-commercial math site

They are used by large cooperations too. The Alphabet domain is abc.xyz. Science Corp's is science.xyz.

[mhh__]

I didn't know about abc.xyz, that's a really nice URL

[samspenc]

Quite likely only investors in Google / Alphabet stock know that site and have it bookmarked because that's where Alphabet publishes its quarterly earnings. I also guess for the same reason, it only gets significant traffic once a quarter during earnings season.

[lrem]

I like to think of it as Ruth's blog ;)

[GoblinSlayer]

SMS has a delivery confirmation feature, my phone indicates delivered and undelivered messages, so you can tell what wasn't delivered.

[blendergeek]

I have this same problem with "obscure" .net domains. My text messages are silently dropped.

The only work around I found is to not include http://, just use the bare domain.

Personally, I find this behavior of my SMS provider reprehensible.

[_xy8h]

I ran into this recently even on Facebook Messenger. A friend of mine was hunting for a short domain name and I had a list of some three character .net and .org domains I recently had found that were available.

Cut and pasted the list and the message wouldn't send.

Narrowed it down to one. Typed just the bare domain. Wouldn't go through. (It was something incredibly benign like n17.org)

Couldn't find a history on that domain name for why it would have been filtered.

At least messenger responded with 'couldn't send message' but still no clue as to why... and it took me sending each domain name individually until I found the one that was failing the entire message.

[Symbiote]

If it was N26, that's a European bank so I could see similar domains being used in phishing scms.

[aaaaaaaaaaab]

>and it took me sending each domain name individually until I found the one that was failing the entire message.

A true hacker would have used binary search ;)

[afurculita]

Or a distributed ElasticSearch

[idiotsecant]

Is it reprehensible only when it impacts you or is it still reprehensible when it's blocking hundreds of spam messages a day you might otherwise be receiving?

[epse]

Surely there are better ways to reduce spam than blocking entire TLDs? I also think it's the silent, unfixable nature that annoys most people. Email spam goes into your spam box, where you can still access it. You can mark email as not being spam. No such luck here

[pletsch]

Email providers absolutely block email, its the edge cases that make your spam folder.

[thaumasiotes]

> its the edge cases that make your spam folder.

Well, from their perspective. Not from any reasonable perspective; I have a few obviously-spam emails in my gmail spam folder right now, but I've had plenty of problems with gmail refusing to deliver completely legitimate email to me.

[pasc1878]

If there was no filtering how many spammessages would you receive?

I suspect any more than you see

[blendergeek]

I should receive 100% of messages from numbers I message. If my carrier wants to helpfully filter my other messages, I should be able to opt out.

[kop316]

...whoa, yeah same here. tried "test spot.xyz" then "test spot.com" T-mobile <-> T-Mobile. "test spot.xyz" did not send. Even weirder, I got a confirmmation that it was delivered.

It looks like T-Mobile looks for ".xyz" within the SMS and will silent drop the SMS (though it will claim it is delivered). ".xxyz" works, "..xyz" or ".xyzz" does not. "xyz" works, so does ".xy".

[DaiPlusPlus]

> though it will claim it is delivered

I thought SMS didn’t have delivery receipts?

[kop316]

They certainly do. In Chatty: https://source.puri.sm/Librem5/chatty/-/merge_requests/786 . Some carriers even charge for the service (!!): https://source.puri.sm/Librem5/chatty/-/issues/434

MMS has delivery reports too (I implimented support for it myself for mainline Linux Phones). It even has read reports, but no carrier seems to honor using it (which is why I didn't bother to impliment it).

I'm not sure if Android/iOS gives the user an option for it (which may be the source of confusion).

[frosted-flakes]

There is an option to enable delivery receipts on Android (Google and Samsung). I believe it is disabled by default.

[kop316]

Read reciepts or delivery reports?

I'm not sure if SMS supports read reciepts, but I didn't think so. The MMS standard allows for read receipts ("MAY" not "SHALL"), I was unable to get it working, and I suspect it's due to no carrier support.

I was unable to get read receipts working at all, and I suspect it's because the carrier doesn't impliment it.

[frosted-flakes]

Delivery receipts, I've edited my comment. I've never been able to get read receipts to work. If I enable it, sometimes I will receive an actual text message that "123-456-7890 has read your message", instead of just marking the message as read.

[davchana]

Many years ago when incoming messages used to cost, each delivery report I recieved after sending a message out costed me exactly one incoming message, in India in 2000s. Many phones still offer Request Delivery Reports.

[pope_meat]

Use signal. If you're encrypting your message, they can't filter your message out.

[kop316]

Respectfully, I do use signal, my family, my boss, most of my friends, etc. do not, they use SMS.

Also, Telegram seems to be much better supported on the Pinephone as of now, so that is what I generally prefer.

[foofoo4u]

A lot of systems block anything by default that isn't standard. For example, if you happen to own a domain to serve as your email that doesn't end in .com, .edu, .gov, then many systems will instantly invalidate you saying you don't have a valid email when in reality you do. A lot of companies or programmers don't seem to realize that its 2021 where we have hundreds of domain extensions to choose from.

[SilverRed]

I think this mostly applies to TLDs with more than 3 letters. I have email on a .me and a .red and I have never had anything reject me.

[devoutsalsa]

I had a .ninja domain for a while, and I had to contact a certain DNS provide to add support for that TLD. They were very responsive, but I still had to ask.

[kayodelycaon]

No issues with my .co domain.

[pacman2]

Pff. That is nothing. Try to run your own mailserver and deliver a mail to a t-online.de address (T Mobile Germany).

They basically only accept pre-approved providers. If your have your own domain and infrastructure you have to petition them to whitelist you. Totally insane.

If you can read German, this guy who runs a shop decided to block himself all of t-online emails since they basically run email out of specification. https://blog.rolandmoriz.de/2020/09/21/t-online-blockiert-ma...

[petercooper]

Related thing from the past.. Gmail once had a bug(?) where if you sent any email containing a URL with the domain starting "0x", it would go straight to spam. I imagine it was a rule hard coded to block the use of hexadecimal long IP URLs, but it also picked regular domains starting 0x. It was fixed a few years ago.

[ArchOversight]

I own a domain starting with 0x and I spent a lot of time talking to people I knew at Google to get that one fixed because my mail would not be delivered.

[petercooper]

I'm glad to hear another first hand report of this as info was very thin on the ground at the time!

[mcny]

One of the places I worked as a contractor recently, I could not get to abc.xyz on the work network. I tried some more xyz websites and none worked.

[Scoundreller]

If you’re in Canada, and send an SMS containing the string “special message” to or from a Telus customer (or one of their sub-brands), it will be silently dropped. Telus is one of the big3 telecoms here.

[drampelt]

I just tried on Koodo which is part of Telus, no issues sending/receiving

[Scoundreller]

Make sure it wasn’t iMessage

[drampelt]

Definitely wasn't iMessage, I tried it on my Android phone

[tiffanyh]

I wish the Telco's did MORE filtering given the huge amount of SMS spam I get since Twilio has turned this channel into a positive ROI for spammers.

(1st biggest spam channel being email, which surprise/surprise - Twilio also dominates via SendGrid)

[aquark]

I have no knowledge of the ROI involved here, but would love to understand this: Twilio is 0.75c to send a text.

Is it possible for a spammer to generate >$75 per 10,000 people spammed? I've no idea were the SMS spams I've got link to (not about to find out) but they are so obviously spam.

We use SMS for communicating with users and would be happy to more a lot more per text to escape the 'positive ROI for spammers' territory.

I'd be happy to do that for important emails too!

[mmerlin]

Probably decent ROI which is why it keeps on happening!

They just need one person in each 10k spammed on average, to click the phishing url asking them to pay a fake bill and then charge them $328 instead of the $3.28 displayed o the page.

I received (and reported to their scam Dept) a phishing SMS yesterday pretending to be from Australia Post asking for $3.28 to release a delivery package I'm waiting for, which is most people in Australia nowadays with the current slowdown in mail delivery speed.

I am only guessing that the $3.28 phishing purchase would have attempted a $328 charge on my card... but that would be wildly profitable if the input costs per successful fraud were under $100...

[callalex]

How did you determine that these messages are through Twilio and not one of the dozens of cheap unscrupulous knockoffs? This is very easily identified, and you are are slinging serious accusations.

[exikyut]

> Ironically, Google Voice also has the same behavior with abc.xyz.

This is my new mini-favorite thing. It feels a bit like a redux of "Shirt without stripes" (https://news.ycombinator.com/item?id=22925087)...

[Thaxll]

You wonder why there is any filtering on sms ...

[Spivak]

Because spam really is that rampant. There aren't that many communication systems with a small search domain of user ids where anyone can send and receive messages from anyone by default.

[Thaxll]

Makes sense, but then they just blacklist entire TLD, it's a bit weird.

[maxwell]

Why not impose costs instead of filtering?

[SilverRed]

The latest spam method right now is to get malware on to android phones and have the actual phones do the spamming. So if there is a cost, it gets applied to random people and not the spammers.

Also if there was a cost per SMS on phones these days it would be the death of SMS because no other system charges.

[indymike]

They do.

[tambeb]

I just tested example.xyz and spot.xyz between my Google Fi and Voice numbers and both were fine.

[sytelus]

I am pretty sure this is not intentional. Somewhere some classifier in Google has overfitted onto .xyz. They will probably fix that some day so this will not be true forever either.