the future workplaces of gmail spammers
There was a time when life online was simple. You could have several email accounts with different names, disconnected from one another, and use one for your finances, one for work, one for personal email, one for letting all those “internet people” contact you, one for signing up to websites, and one just there so that you can write obnoxious emails to people without them knowing who you are.
My god, I have too many email addresses.
Then, back in June of 2009, we reported that our favourite mail provider, Gmail, asked us to enter a mobile phone number to sign up. A month later the web was flooded with messages and complaints. Many people who do not have cellphones were finding that their text-based medium of choice was now requiring them to have access to another text-based medium.
This week I want to take another look at what happened, why it happened, and what you can do about it.
First off, what Google has to say
I don't have a mobile phone. Can I sign up?
If you're trying to sign up for a Google Account, you may be asked to provide a mobile number to verify your identity. We'll send you a verification code via SMS, so make sure the phone you use has text-messaging capabilities. If you don't have a mobile phone and are prompted to enter your phone number, you may want to ask a friend if you can use his or her number to receive a code.
Why am I being asked to provide a mobile number?
We ask some users to verify their identity via SMS before they're able to create accounts in an effort to protect our users and combat abuse of our systems. We take spam and abuse very seriously, so there are numerous measures we take to block spammers and their messages. Sending verification codes to mobile phones is just one way to address this.
Will it cost me money to receive the message?
We suggest contacting your mobile phone provider for details on costs associated with text messaging. These costs vary, depending on your wireless plan and provider.
How long will it take to get the message?
Usually, you'll receive a text message very quickly after it's sent, but sometimes the delivery can be delayed. If you've waited more than 24 hours and don't have the verification message, you can request that the code be resent.
Will Google keep or use my mobile phone number?
Google will use your phone number to send a verification code in a text message to your phone. We do store each phone number to make sure it is not being used to create a large number of accounts, but we will not sell your personal information for marketing purposes without your permission, nor will we contact you using this number without your expressed permission.
Google wants to increase their control over the creation of email addresses in order to limit the amount of spam coming from their servers. There are good reasons for this:
- Emails that are marked as spam, and come from Google's servers, are going to hurt deliverability of legitimate gmail messages. This means that your email (assuming you have a gmail address) is more likely to get blocked.
- Lots of spam means heavy server use. This means slower loading times across Google services. Granted, given the bandwidth of Google's server farms this would require truly massive amounts of spam.
- Lots of spam means more spam being received, which means more spam in your inbox.
Requiring mobile phones is a smart way for Google to lessen spam.
- It ties an email account to a physical object
- It assures that you're located in the region that you claim to be from
- It limits mass creation of email addresses in a way that CAPTCHAs simply can't.
Things we know:
- Google lets you create approximately 6 accounts per mobile phone
- According to reports in the gmail forum, changing the mobile number in your Google account does not “free up” the phone you registered with. So you could not register six accounts, change the numbers associated with each, then create six more.
- IP addresses don't appear to make a difference.
- Cookies probably only do if Google is testing SMS verification in your area. This likely has to do with how website optimizer gathers data, not with how the SMS verification system works.
- The occurrence of this message depends on where you're connecting from. Certain countries that are more prone to spammers will require it more than areas that are less prone. Which countries are they watching and which are they not? Well, Google isn't going to tell you that, now are they?
That said, I've started a list of areas that appear to work and areas that don't. Readers, if your area doesn't require a mobile phone please leave where you are located in the comments and I'll add it here:
- Vancouver, Canada sometimes doesn't need them (or at least I don't need to)
- India reportedly doesn't need them
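The per-phone limit and the "does not free up" behaviour listed under "Things we know" can be sketched from the defender's side as follows. This is an added example, not Google's code (how Google implements the check is not public); the class and function names, the keyed-hash storage and the simplified number normalisation are assumptions for illustration.

```python
import hashlib
import hmac
import re

MAX_ACCOUNTS_PER_PHONE = 6            # the approximate figure reported above
PEPPER = b"constructed-demo-secret"   # assumption: server-side secret kept apart from the table


def normalise(number: str, default_cc: str = "1") -> str:
    """Reduce a typed number to country code + digits so formatting variants
    of one phone share a key. Simplified: national numbers are assumed to be
    entered without the country code."""
    digits = re.sub(r"\D", "", number)
    if number.strip().startswith("+"):
        return digits
    if digits.startswith("00"):
        return digits[2:]
    return default_cc + digits.lstrip("0")


def phone_key(number: str) -> str:
    """Keyed hash, so the quota table does not hold raw phone numbers."""
    return hmac.new(PEPPER, normalise(number).encode(), hashlib.sha256).hexdigest()


class SignupQuota:
    def __init__(self, limit: int = MAX_ACCOUNTS_PER_PHONE):
        self.limit = limit
        self.verified = {}        # phone_key -> accounts ever verified with it
        self.account_phone = {}   # account -> phone_key currently on the profile

    def register(self, account: str, number: str) -> bool:
        key = phone_key(number)
        if self.verified.get(key, 0) >= self.limit:
            return False          # phone already used for too many sign-ups
        self.verified[key] = self.verified.get(key, 0) + 1
        self.account_phone[account] = key
        return True

    def change_number(self, account: str, new_number: str) -> None:
        # Only the profile field changes. The sign-up count for the old
        # number is a lifetime total and is deliberately not decremented.
        self.account_phone[account] = phone_key(new_number)
```

Because the counter is keyed on the number used at verification time rather than on the number currently on the profile, editing the profile afterwards has no effect on the quota.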
We haven't found any surefire solutions to this yet, and any solution we do find will likely be patched before the day is out, but people have reported various levels of success with the following methods:
- Clear your cookies and try again
The first time we got the SMS requirement, this is what we did. It worked. I haven't seen it again when registering from Vancouver. That said, this likely worked because they were testing SMS implementation. Once it is fully implemented (or in areas where it is fully implemented) this will not work.
- Fail the CAPTCHA
One of my co-workers claims that every once in a while he gets the SMS prompt, but that if he messes up the CAPTCHA the first time through, he won't get it. I've tried to reproduce this, but haven't been able to.
- When in doubt, proxy
Set up a proxy to one of the number-free regions listed above (warning: it isn't hard to detect proxies, and I know that using Tor to connect through Toronto caused Gmail to request a phone number).
Also, a word of warning: proxies are a bad idea unless you know what you're doing. Running all of your login data through a proxy leaves you dangerously open to would-be malefactors.