by eggbrain 13 days ago
To the end platform, what's the difference? Mitigation techniques largely remain the same, in that you make it more time / energy / money than what the end result of their abuse is worth. The platform cares about stopping the abuse -- not necessarily correctly identifying whether the people abusing their platform are small shop "bot farms" vs organized crime.

To the platform, the difference shows up exactly in the mitigation math. The 'make it cost more than it's worth' model only works when both sides of that ratio are knowable and bounded. With bonus abuse, the reward is fixed and the math is clear, so you can reliably price the abuser out.

With organized criminals, you can't actually see what the abuse is 'worth' to them. And they can escalate almost infinitely: mimicking real user behavior, routing through residential IP proxies, using email addresses with established reputation, and at the top of the pyramid we've seen full mimics with real social network profiles and activity; they even answer phone calls.

That's why it's worth collecting events before acting: what the account is about, which IP network they use, whether they fake devices, whether there's any warmup prior to registration. Because that's what helps estimate whether your mitigation will actually work, and lets you respond in a balanced manner instead of under- or over-reacting.

> [...] With organized criminals, you can't actually see what the abuse is 'worth' to them.

Even without collecting events, you can calculate what the abuse is worth to you, even if the math ends up being fuzzier.

At the small platform operator level (one guy running a platform, as in this article), the cost can be as simple as "this pisses me off and I have weekends." They can burn forty hours bolting on JA4 fingerprinting and a disposable-email blocklist to stop an abuser whose dollar-EV to them was roughly zero. Looks irrational, and that's exactly the deterrent — abuse pricing assumes a rational counterpart, and a guy who'll overspend his own life-hours out of stubbornness is unpriceable.

At any scale larger than a small operator, you also do get real numbers -- you can't perfectly price reputation, but you can price traffic and ad conversions, operational costs, LTV of customers (and conversion funnel metrics), etc., all of which don't stay still while abuse increases.

> [...] That's why it's worth collecting events before acting: what the account is about, which IP network they use, whether they fake devices, whether there's any warmup prior to registration. Because that's what helps estimate whether your mitigation will actually work, and lets you respond in a balanced manner instead of under- or over-reacting.

Isn't this just a way to estimate exactly how much the 'abuse' is worth to the abusers?