by jaywalk 952 days ago
What if the user "initiates the thread" by taking an explicit action on a website? The carrier has no way of knowing that, so what should they do? Just block everything? Not workable.
2 comments

Yeah, gotta consider multi-modal interactions... and also there's no good way to pre-validate ownership of a phone number.

So suppose Carol clicks "Contact Me Immediately Please" on a website and enters her phone number... But--oops--there's a typo. Now Alice is going to get an "unsolicited" message even though literally everybody involved is operating in good faith.

Even if someone is maliciously pretending to be Alice, neither the website nor the phone-carrier has a better malice-detecting tool than simply sending it and seeing if the recipient replies "STOP".

> Even if someone is maliciously pretending to be Alice, neither the website nor the phone-carrier has a better malice-detecting tool than simply sending it and seeing if the recipient replies "STOP".

I sometimes wonder how many people use the STOP function. I'm more inclined to ignore it (if it's a one-off) or use the spam reporting feature than I am to reply "STOP" if I don't recognize the sender/campaign, because of how jaded I've gotten from email. If you hit the "unsubscribe" link on a spam email, you only get more spam because you just confirmed the inbox is a) active, b) monitored, and c) checked by someone willing to open and interact with spam messages.

By the time SMS spam became common, I just assumed things would play out the same, and have probably reported plenty of legitimate mistypes to Verizon as spam. It just doesn't feel like it's worth the risk to directly respond.

Considering how many times phones get hacked just by viewing a text message, it's probably best to delete any texts from an unknown number unread. If you've got an iPhone you're probably screwed the moment it hits your device, but at least you can try to avoid interacting with what might be a "specially crafted text message" as much as possible.

2016 https://www.theguardian.com/technology/2016/jul/22/stagefrig...

2018 https://www.vice.com/en/article/qvakb3/inside-nso-group-spyw...

2019 https://www.wired.com/story/imessage-interactionless-hacks-g...

2020 https://macsecurity.net/view/458-imessage-zero-click-exploit...

2021 https://www.wired.com/story/apple-imessage-zero-click-hacks/

2023 https://www.forbes.com/sites/daveywinder/2023/06/02/warning-...

"phones get hacked just by viewing a text message.... iPhone you're probably screwed the moment it hits your device"

IIRC, there was a ~recent (2023) iOS CVE that matched this description, and it got a TON of attention because it was such an anomaly. I'm not shilling for Apple, but want to understand your comment better.

I would settle for stronger sender authentication. Of course SS7 and all that...

> The carrier has no way of knowing that.

Let's do that then. Seems like it would be the best of all worlds. Click on "Sign up for text alerts", go through the OAuth flow, and the user grants you the ability to text them (and, importantly, can revoke that privilege); they never learn your number, and you can send messages directly via API and avoid the Twilio overhead. The carrier(s) set up strict rules for what kinds of messages you can send and how often, and violating them means your app ID getting pulled.

God I wish we would just do this for email as well. Spam would just stop being an issue for 99% of cases.
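As an added illustration that is not part of the thread and not any carrier's or OAuth provider's real API, here is a toy Python model of the consent-grant design sketched in the comment above: the subscriber's number stays with the carrier, the app only ever holds an opaque grant ID, the subscriber can revoke the grant, and the carrier enforces a per-grant rate limit and suspends apps that keep violating it. All names, limits and the phone number are constructed for the example.

```python
"""Toy model of carrier-mediated messaging consent (constructed example)."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Grant:
    grant_id: str
    app_id: str
    phone_number: str          # held only by the carrier, never returned to the app
    revoked: bool = False
    sent_timestamps: List[float] = field(default_factory=list)


class Carrier:
    """Hypothetical carrier-side consent store plus policy enforcement."""

    def __init__(self, max_per_window: int = 3, window_seconds: int = 86400,
                 violations_before_suspend: int = 3):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.violations_before_suspend = violations_before_suspend
        self._grants: Dict[str, Grant] = {}
        self._violations: Dict[str, int] = {}
        self.suspended_apps: Set[str] = set()
        self.delivered: List[Tuple[str, str]] = []   # (phone_number, body)

    def authorize(self, app_id: str, phone_number: str) -> str:
        """Subscriber consents; the app receives an opaque grant ID, not the number."""
        grant_id = secrets.token_urlsafe(16)
        self._grants[grant_id] = Grant(grant_id, app_id, phone_number)
        return grant_id

    def revoke(self, grant_id: str) -> None:
        """Subscriber withdraws consent; the app's grant ID stops working."""
        grant = self._grants.get(grant_id)
        if grant is not None:
            grant.revoked = True

    def send(self, app_id: str, grant_id: str, body: str,
             now: Optional[float] = None) -> str:
        """Deliver on behalf of app_id if policy allows; return a status string."""
        now = time.time() if now is None else now
        if app_id in self.suspended_apps:
            return "app_suspended"
        grant = self._grants.get(grant_id)
        # A grant is bound to the app it was issued to; another app cannot reuse it.
        if grant is None or grant.app_id != app_id:
            return "no_grant"
        if grant.revoked:
            return "revoked"
        # Sliding-window rate limit per grant; repeated violations suspend the app.
        window_start = now - self.window_seconds
        grant.sent_timestamps = [t for t in grant.sent_timestamps if t > window_start]
        if len(grant.sent_timestamps) >= self.max_per_window:
            self._violations[app_id] = self._violations.get(app_id, 0) + 1
            if self._violations[app_id] >= self.violations_before_suspend:
                self.suspended_apps.add(app_id)
            return "rate_limited"
        grant.sent_timestamps.append(now)
        self.delivered.append((grant.phone_number, body))
        return "delivered"


def demo() -> List[str]:
    """Walk through grant, rate limit, wrong-app reuse and revocation."""
    carrier = Carrier(max_per_window=2, window_seconds=3600)
    t0 = 1_700_000_000.0
    grant = carrier.authorize("alerts-app", "+15550100")        # constructed number
    results = [carrier.send("alerts-app", grant, "Alert 1", t0)]
    results.append(carrier.send("alerts-app", grant, "Alert 2", t0 + 10))
    results.append(carrier.send("alerts-app", grant, "Alert 3", t0 + 20))   # over limit
    results.append(carrier.send("other-app", grant, "Hi", t0 + 30))         # wrong app
    carrier.revoke(grant)
    results.append(carrier.send("alerts-app", grant, "Alert 4", t0 + 7200))  # revoked
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the trust boundaries sit: the app never sees the subscriber's number, the grant is bound to one app ID, and revocation and rate policy are enforced on the carrier side rather than relying on the recipient to reply "STOP".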