More info here: https://news.ycombinator.com/item?id=46665414
- using legitimate sites to bypass filters, like sending you a bill through a legitimate bill-creation site
- pretending to be a tracking service for something you supposedly ordered, then over the course of days pretending the package got lost on the way and offering a discount code for the 'purchased' amount, expecting you to use it on their phising site.
Gmail not only fails at spam classification, they classify these messages as important and nag you with first priority notifications and summaries.
The number of spam calls, texts, emails, iCloud account unlock requests, etc I’ve received in the last year is insane.
Take DocuSign for instance. Still, this many years later, is a major source of phishing emails from their free trials. DocuSign could easily shut this down today by either requiring a CC for the trial, or forcing a call with a sales rep to start a trial. But they don't, they continue to allow their service to be used for wide scale phishing.
Atera, an RMM, is another one that has been a big source of malware delivery, also via the free trials.
Shutting down the trial accounts after the fact does nothing, the emails already went out.
The reason is that I have an opposite experience, during the last couple of years I have received much less spam messages than before.
I have hosted my own e-mail server for more than 2 decades. Previously, I had to filter large quantities of spam messages, but lately the number of spam messages is much less than 10% of the total number of received messages.
The clear, unspoken message in the USA is now: "Enrich yourself in any way you can, as fast as you can. Buyer Beware is the law of the land."
It's been a _lot_ of years that I've hesitated to answer calls from unknown numbers.
This stuff is automated. The ability to automate spam calls (using the same form of APIs developers love, like Twilio) make it absurdly easy for one person to set up a spam machine. No AI required.
Unfortunately scamming is a business and if certain actions become less expensive, I would expect more of them.
Email scanning and file scanning (on our computer) became acceptable when the level of spam and malware became intolerable. But it was at cost of our privacy. Today, Gmail scans all your mails and makes money from it. Both Windows and macOS have built-in anti-virus or malware scanners, and file indexers, and thus know all the applications and files in your system (which provides for more data on your profile with them). Now with both OSes, and even browsers like Chrome and Firefox, including AI, they will now use our own computers to not only collect our personal data, but even process it on our system and use it to build even better profiles to more profitably exploit us.
It also just happens that they're the ones best positioned to provide attestation and identity services.
If their platforms (Gmail, YouTube, DoubleClick) are being used to launch scams, they're failing at scale and governments are failing at legislating / regulating.
The only way to use Google services somewhat safely is with hefty ad (and the rest) blocking.
All this ID and surveillance and privacy invasion and metadata retention and yet all these scams only seen to grow. It never seems to end up protecting anyone deserving of protection.
I wonder what it's all been in aid of...
Yeah, I can "just" after I "just" do A, and B, and C, and D, and E, and F, and G.
Drives me batty on top of being insulting. "Surely you realize I thought about that weeks ago, and if it were that simple, we wouldn't be having this conversation."
But hey, I get paid every 2 weeks.
Does anyone have a better source of information than this one forum comment from someone who thinks scanning a QR code is enough to get your phone to send a text message?
EDIT: It’s just an SMS URI. It doesn’t automatically send anything, just opens a text message for you to send.
This is just the old phone number verification with a QR code convenience method.
It’s not something specific to a phone. It’s just a convenient method to enter your phone number.
So if there are any costs for sending this SMS it’s on you.
It occurs to me this "force you to send the sms" might be a way to avoid exactly this sort of thing.
Told the owners that if Google is already being difficult during signup, imagine being locked out later with client work on the line. Pulled up a few horror stories about Google lockouts to drive the point home. They ended up with another workspace solution.
These are actual quotes from support:
> Upon checking, I see that the storage is showing as 0 bytes, because of the upgrade that has been done from business standard to business plus. Not to worry as this is very normal.
> I understand your concern and how important it is for the storage to be updated due to the business requirements. > > To give you full transparency into what is happening: when a Workspace subscription is upgraded, our backend systems must first detach your previous Business Standard storage allocation before provisioning the new Business Plus limits. During this transition window, the quota temporarily defaults to zero.
> Now please turn ON user storage limit nor shared drive storage limit. Once you turn ON, please wait for 5 minutes and then please turn it OFF.
^ That last attempt to try to force storage quotas to reset faster didn't work, btw. Still took hours.
The sheer size of Gmail means I have zero chance for support even though I pay for a service. The risk is too great to be acceptable.
What does this mean? The scanning a QR code and sending a text message from this article, or something else?
1. Personal/Child/Business
2. First/Last
3. Pick email
4. Date of Birth
5. Backup email / Skip
6. Password
7. Enter phone number
8. Confirm with 2FA code
9. Done.
I just made the email testregistrationflow@gmail.com and have since forgotten the password. So that’s one burned. But feel free to try testregistrationflow1@gmail.com and see if it works without a QR code.
The headline is clearly a misstatement of what is a specific flow for someone to make many Gmail accounts programmatically.
Every account having the ability to invite an only small finite number of new accounts is one way to thwart scammers.
Everyone here should be familiar with exponential growth of n-ary trees. If you can get one of these accounts and each new invitee gets to invite 2 more, you can already have accounts gone wild.
So they'd just do this to farm invites if they needed
Google is probably doing A/B testing or they are using some sort of ML algorithm....
(EDIT: TFA didn’t clear it up for me, but it sounds similar.)
My phone number - which I've had for about 15 years and have only ever used for personal purposes (minimal SMS, mainly just an iMessage/Whatsapp ID) - is apparently "not eligible" to create a new gmail account. Which is quite strange.
Dead on arrival.
The fact that they're introducing QR/SMS/MMS/whatever they want is actually an interesting signal, because it will harm the customer experience, which might result in the growth of responsible paid email services.
It is good to realize that it has never been "Nice Uncle Google" and always an advertisement moloch offering tools to hook their product. All that trust that was bestowed was never warranted.
My comment, as per subject, is about Gmail.
No, you don't need either of these companies if you need a corporate stack for communication and collaboration. And anyone who believes Microsoft or Google is doing anything out of the ordinary to protect their users or data is out of the loop.
A lot of corporate (customer) email sevices drop email from everybody except a very short whitelist.
I also want to share a comment that someone (Velocifyer) added on my comment:
"If you make a blog post, make sure to also comment on how the audio reCAPTCHAs are nearly impossible and are blocked on public VPNs. The visual reCAPTCHAS have vauge instructions (they say “Select all squares with busses.” when they mean “Select all squares that have a bus or part of a bus and do not select any other squares.”. For 2 years I could not figure that out so I had to use the audio captchas but then Google blocked them on public VPNs and also made them almost impossible. I could only figure that out when Google Gemini clarified it for me."
Also another fact that I had discovered but to upload youtube vidoes more than 15 minutes you have to do this verification with sms and I found that its system of sending sms was quite finnicky and (too much limits is actually just one try)
Google and other tech giants's recent changes/lobbying are really impacting the open internet and it feels to me like we as people who have knowledge about these topics must do something to reform things as I simply cannot ask people who are technically unaware about these topics to fight for these changes unless we advocate and educate them about it
Most people just have simply way too much of other issues to fight for these things that they have almost taken for granted, but this to me means that the responsibility is on us people who are technically sound to fight against the attacks on open internet if we wish to preserve it.
I think my point is that we all might be waiting for other people to protest against these tech giants but I think that the world is looking at us people for such protests, Let's hope that we are able to educate more people and the open internet is preserved.
Our small steps might mean a lot in the future and so to not be dis-illusioned to make small steps thinking that they might be too small but we have to fight tech giants if we wish to preserve open internet. Every step is meaningful no matter how small
Years ago IIRC there was a "bug" where the Android emulator allowed you to create real Google accounts. This was found and I'm sure millions of these accounts were created. There's a whole black market for Google accounts. Whereas I lost a Google account I'd created for a relative because it hadn't been used in awhile and it was tied to a mobile number I no longer had.
I don't see how this ends without registering for a service like Gmail being tied to your government ID.
And of course their database is leaked in real time.
It's like saying that the government has outsourced burger making to McDonalds.