signalapp / Signal-Android

A private messenger for Android.
https://signal.org
GNU Affero General Public License v3.0

Messaging doesn't work because of ultra hard spam check #12289

Closed Chromatros closed 2 years ago

Chromatros commented 2 years ago

Bug description

Ultra aggressive spam checking that blocks the user out of the app

Steps to reproduce

signal-2022-06-13-23-41-44-618.jpg

greyson-signal commented 2 years ago

Yeah, so there's a few things going on here.

  1. You're using a VPN, which is putting you in the same IP ranges of spammers
  2. You're messaging a lot of people for the first time, which looks spammy
  3. You don't have Play Services, and therefore can't receive push notifications, which is our 'silent' way of authenticating clients.

Which means you're going to get hit with some captchas. I'll bring it up with the server team to see if there's any tweaks to be made.

Chromatros commented 2 years ago

I get it and it makes sense. But the app is in an unusable state. There are no more captchas or anything. The app just completely stopped working. I thought it is a timer or something but it is unusable since the report and no other new contacts can be messaged.

This needs way better balance. I mean c'mon this was 10 people messaged with the new number. In round about 10 min. I think this is not just unbalanced it is a serious bug and should be approached by different identifiers for spam. Like when you send messages to 50+ people in same min.

Or send us every new contact to an aggressive capture. But don't make the app stop working.

Chromatros commented 2 years ago

Or at least set a timer

Chromatros commented 2 years ago

Let the user do the captcha for every new contact but don't rate limit it unless it goes beyond 100 per min.

We have a lot of users with custom security os that don't include play services, that are depending on signal and the possibility to use it with vpn. Your approach is actually blocking users with high risk threat levels from the network.

kmille commented 2 years ago

We are facing the same issue. We are sending messages to multiple people (the first time, no VPN used). We built a bed exchange platform that notifies the people via Signal about their shelter.

> You're messaging a lot of people for the first time, which looks spammy

Does Signal take into account if the newly messaged people respond to our messages? Any other ideas what we can do? I don't want to switch to an SMS API provider.

greyson-signal commented 2 years ago

If someone responds to you, you generally should be able to message back and forth freely. The problems start if you're frequently starting conversations with many people, before any of them respond. I've forwarded feedback to the server team, but the TL;DR here is that spam is a very challenging problem, and you'd be surprised the lengths some spammers go through and the damage they can cause. But it's a constant area of iteration for us, so things will be changing over time.

I don't have much to add here from the android side besides that, apologies.

mollyuser commented 2 years ago

We understand you have to fight spam, but it doesn't make sense that the app is unusable, there is not even a captcha coming up to verify. It seems like signal is very unfriendly towards non google play users and vpn users. Also the standalone apk from signal that doesn't use google play for updates is lacking updates. Very unfriendly to people who want privacy.

Chromatros commented 2 years ago

Yes it's even shocking. Bringing an app to stop working is the worst and easiest solution. This should definitely be reconsidered.

mollyuser commented 2 years ago

I tried the same thing when VPN is off, still same thing. Tested it without vpn again and this time with google play, and sure enough it does work. So this is a google play issue, signal is forcing users to use google play services, like they also do with the standalone apk that lacks updates. So now i have 2 options, one is to spread my butcheeks and install google gay services, and the other one is to have a broken app. Did China or Russia take signal over that we are not aware of? Because the only option you gave me is to deal with a broken unusable app or install google play and let them collect all my data.

Chromatros commented 2 years ago

> I tried the same thing when VPN is off, still same thing. Tested it without vpn again and this time with google play, and sure enough it does work. So this is a google play issue, signal is forcing users to use google play services, like they also do with the standalone apk that lacks updates. So now i have 2 options, one is to spread my butcheeks and install google gay services, and the other one is to have a broken app. Did China or Russia take signal over that we are not aware of? Because the only option you gave me is to deal with a broken unusable app or install google play and let them collect all my data.

Definitely. This is fucked up greyson. You can do better.

greyson-signal commented 2 years ago

FWIW the root issue was probably the VPN more so than Play Services. Using the VPN likely put you in an IP range that was popular for spammers, which put you in a different bucket to begin with. But not having Play Services removes the silent validation option of being able to respond to an FCM push, hence your current state.

I'm working with the server team to see if there's a way we can continue to send captchas for longer. I'm not aware of the context as to why we eventually stop sending them as a validation option.

> Also the standalone apk from signal that doesn't use google play for updates is lacking updates.

We update that APK whenever a release goes to prod. It doesn't get beta releases. But it's up to date.
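The lock-out described in the comments above (flagged IP range, no push channel, captchas eventually no longer offered), modelled as an added example that is not part of the thread and is not Signal's server logic. Every weight, threshold and name is a hypothetical assumption; the point is the difference between a policy that ends in a dead end and one that always leaves a timed recovery path.

```python
from dataclasses import dataclass

# All weights, thresholds and names are hypothetical (illustration only).
CHALLENGE_THRESHOLD = 3   # risk score at which a proof is demanded
CONTACTS_PER_POINT = 5    # unanswered first contacts per risk point
MAX_CAPTCHAS = 3          # captchas offered before the budget runs out
COOLDOWN_S = 600          # seconds until the captcha budget refills

@dataclass
class Sender:
    ip_in_flagged_range: bool       # e.g. shared VPN exit also used by spammers
    has_push_channel: bool          # can answer a silent push challenge
    unanswered_first_contacts: int  # conversations started, no reply yet
    captchas_issued: int = 0
    last_captcha_at: int = 0

def risk_score(s: Sender) -> int:
    score = 2 if s.ip_in_flagged_range else 0
    score += 0 if s.has_push_channel else 1
    return score + s.unanswered_first_contacts // CONTACTS_PER_POINT

def decide(s: Sender, now: int, recoverable: bool = True):
    """Return (action, retry_after_seconds) for one send attempt."""
    if risk_score(s) < CHALLENGE_THRESHOLD:
        return ("allow", 0)
    if s.has_push_channel:
        return ("push_challenge", 0)       # silent, no user friction
    waited = now - s.last_captcha_at
    if recoverable and s.captchas_issued >= MAX_CAPTCHAS and waited >= COOLDOWN_S:
        s.captchas_issued = 0              # cooldown elapsed: budget refills
    if s.captchas_issued < MAX_CAPTCHAS:
        s.captchas_issued += 1
        s.last_captcha_at = now
        return ("captcha", 0)
    if recoverable:
        return ("retry_after", COOLDOWN_S - waited)  # explicit timer
    return ("block", 0)                    # dead end: no proof path is left

def simulate(recoverable: bool, times):
    # Constructed sender: flagged IP range, no push, 10 unanswered first contacts.
    s = Sender(True, False, 10)
    return [decide(s, t, recoverable) for t in times]
```

`simulate(False, ...)` reproduces the reported state: once the captcha budget is spent, every later attempt is blocked with no way to prove legitimacy, while `simulate(True, ...)` returns a retry timer and offers a captcha again after the cooldown.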

Sangresignal commented 2 years ago

I have the same problem, and I sure enough don't use any VPN. Greyson wrote above that if the contact replies the problem is resolved, which is not the fact. First, how can a contact reply if the initial message is not delivered at all, and secondly I tested it with 2 phones and signal accounts and I replied (to a message that never actually came) and the initial signal sender got the "reply" but again was not able to send. It stayed on message pending. In my case the captcha did not even come out to be verified, it went straight to non usable app and all messages pending. Is there any way I can reset the captcha or force it to come out again so I can do it and fix this? Did any of you guys reporting the problem here actually find a fix?

Chromatros commented 2 years ago

> Did any of you guys reporting the problem here actually find a fix?

Don't message more than 5 people in an hour works lol.

Chromatros commented 2 years ago

It is definitely wrong how this is handled. Why do you make the app stop working? We had this problem today with a user that just messaged 2 contacts. One messaged back and it is still not possible to write with him. Clearly looking forward to when Molly has its own servers.

MzHub commented 2 years ago

Ironically the spam situation is made worse by the insistence on using phone numbers as identifiers, since they can be enumerated fairly easily. Wish the world would move on from phone numbers sooner rather than later, and Signal is part of the infrastructure holding back on it.

I understand the reasoning for defaulting to phone numbers, but I would love to see ways for people who know what they're doing, and still want to use Signal, to bypass phone numbers and spam restrictions completely when messaging with each other.

EDIT: What I mean is, I know Signal is very fond of the current UX, but personally I would be willing to make the trade off of having worse UX for tighter privacy, and I know many of my contacts would as well. It should be an opt-in thing people can choose.