Spam is getting horrible lately. I get all sorts of new techniques including:

- using legitimate sites to bypass filters, like sending you a bill through a legitimate bill-creation site

- pretending to be a tracking service for something you supposedly ordered, then over the course of days pretending the package got lost on the way and offering a discount code for the 'purchased' amount, expecting you to use it on their phising site.

Gmail not only fails at spam classification, they classify these messages as important and nag you with first priority notifications and summaries.

Google is fine with everything if it's their service. I've completely blocked *.bc.googleusercontent.com, because it's basically used as a spam farm for years now, but Google couldn't care less as they apparently can't be bothered to even slightly inconvenience their compute engine users.

Ah! I have no answer for it, but am happy, Virgil-like, to now have a theory why the same stupid, obvious "Costco" spam from an @gmail.com address keeps showing up in my inbox no matter how many I mark as spam.

I can’t prove it, but it feels like the world recently decided that spamming/scamming is acceptable, so the number of spammers/scammers has increased dramatically.

The number of spam calls, texts, emails, iCloud account unlock requests, etc I’ve received in the last year is insane.

The same reason spam filtering is hard. It's not possible to catch every misuse of the service without too many false positives.

It follows the same logic as physical junk mail. We accept the fact that we will receive junk mailers in our physical mailbox and just toss them out.

Gmail spam filtering is so bad that I believe it has to be intentional. I think they see email as a long term ad revenue opportunity and want to desensitize people to the spam.

Spam is now AI powered. Let that sink in for a bit.

> Gmail has been evil

It is good to realize that it has never been "Nice Uncle Google" and always an advertisement moloch offering tools to hook their product. All that trust that was bestowed was never warranted.

Your identity is invalid. Report to the nearest Protein Distribution Hub for reallocation.

Lack of accountability for the companies that allow their services & platforms to be used for spam/scamming.

Take DocuSign for instance. Still, this many years later, is a major source of phishing emails from their free trials. DocuSign could easily shut this down today by either requiring a CC for the trial, or forcing a call with a sales rep to start a trial. But they don't, they continue to allow their service to be used for wide scale phishing.

Atera, an RMM, is another one that has been a big source of malware delivery, also via the free trials.

Shutting down the trial accounts after the fact does nothing, the emails already went out.

And what do you expect instead? To get a Russian gosuslugi ID, you also need to bind your phone and ID number.

And of course their database is leaked in real time.

Yeah, but junk mail funds the USPS, without it Republicans would've killed the postal service long ago, See the Pension requirement that they pushed in a vain attempt.

Ok, it's even harder when you do not care because they people are either freeloaders or locked into your solution because it's a customized mess.

There is a big difference between advertising your services and trying to literally steal people's money.

We shouldn't accept that either. The USPS could stop accepting junk mail, if it were funded properly and didn't have to rely on junk mail for revenue.

If I put on my tinfoil hat, it seems to be something deliberate, to push us all towards accepting hardware / software attestation and better "online id" stuff - "Don't you want to identify and stop the spammers and phishers?".

Email scanning and file scanning (on our computer) became acceptable when the level of spam and malware became intolerable. But it was at cost of our privacy. Today, Gmail scans all your mails and makes money from it. Both Windows and macOS have built-in anti-virus or malware scanners, and file indexers, and thus know all the applications and files in your system (which provides for more data on your profile with them). Now with both OSes, and even browsers like Chrome and Firefox, including AI, they will now use our own computers to not only collect our personal data, but even process it on our system and use it to build even better profiles to more profitably exploit us.

The only “real” competition for Google Workspace is Microsoft if you need a full collaboration solution beyond just email, and 99.999% of customers of such hosted solutions need that full solution. It’s why Dropbox worked even though hacker news users probably roll their own sync solution.

I believe that these spammers now concentrate their efforts towards e-mail addresses hosted by major providers, like Gmail.

The reason is that I have an opposite experience, during the last couple of years I have received much less spam messages than before.

I have hosted my own e-mail server for more than 2 decades. Previously, I had to filter large quantities of spam messages, but lately the number of spam messages is much less than 10% of the total number of received messages.

It's AI that's doing a lot of it. For a lot of spam, scammers would want to exclude anyone who may not fall for the scam due to the costs associated with dealing with people who won't pay you. Now that AI decreases the need for a human scammer to scam, expect them to start to widen their scam nets.

AI + FCC weakening

I think part of it is AI allowing sophistication at scale, but there's also a generational factor. The techbro + business shark culture, influencers who manipulate people being role models, and so on.

Outsourcing? Governments have never been involved in bot protection or online identity verification for anything else than their own websites.

It's like saying that the government has outsourced burger making to McDonalds.

The same 5 urls has been used for 3 months

This is why I have I have started planning to transition away from Gmail for all domains I manage. Gmail doesn't actually get any better as a product - just more annoying as they try to upsell me on crap I don't want or need. It gets a bit more shitty every year.

The sheer size of Gmail means I have zero chance for support even though I pay for a service. The risk is too great to be acceptable.

> and we hit a wall during registration.

What does this mean? The scanning a QR code and sending a text message from this article, or something else?

Be careful. Google once locked me out of an account that I've owned for over 10 years one day. My username and password were correct, but they randomly flipped 2FA on (without my consent) and sent the recovery code to a phone number that I switched away from years ago. It was completely unrecoverable. There's absolutely no way to get in touch with customer service. Never make an account with them unless you're not willing to lose it randomly to automated bureaucracy.

What happens when they ask for you to get another code to that same number, though? Can you access that number again?

I think it's probably enough to get your phone to open your texting app with a pre populated number and message body, then all the user needs to do is hit send.

Do we get cheap EVs and high-speed rail now?

Yeah I set one up a few weeks ago for testing, same process.

When you create an account through google services on a phone, you don't even need a phone number.

When trying to upgrade from the Business Standard to Business Plus plan, Google will reduce your workspace storage from 2TB/user to 0 bytes for up to 24 hours while it upgrades you.

These are actual quotes from support:

> Upon checking, I see that the storage is showing as 0 bytes, because of the upgrade that has been done from business standard to business plus. Not to worry as this is very normal.

> I understand your concern and how important it is for the storage to be updated due to the business requirements. > > To give you full transparency into what is happening: when a Workspace subscription is upgraded, our backend systems must first detach your previous Business Standard storage allocation before provisioning the new Business Plus limits. During this transition window, the quota temporarily defaults to zero.

> Now please turn ON user storage limit nor shared drive storage limit. Once you turn ON, please wait for 5 minutes and then please turn it OFF.

^ That last attempt to try to force storage quotas to reset faster didn't work, btw. Still took hours.

Everyone hates on Microsoft, but their platform is 50x better than Google. Personally nowadays I would be looking at Proton if I was going to setup a workspace for my company.

With which workspace solution did they end up with?

If this is with a new android phone, return it and let the manufacturer know why you couldn't use the phone.

What happens when your phone can't do that? I use a flip phone. It can't scan QR codes despite having a camera

It's becoming increasingly hard to find a service that lets you see verification messages, and even then google doesn't like a lot of the numbers those services use

But isn't phone number verification usually works like... Google sends you a SMS, not the other way around?

It probably opens a prefilled text message and the user still has to hit send. That's the only API I know on iOS anyway.

Regarding how easy simswap is in 2026, it's dangerously stupid from Google to rely on SMS

> and will cost you a few dollars a month

Dead on arrival.

Probably depends on how "trust worthy" you seem to Google for them to trigger this requirement. Things like using Linux, using Firefox, using a VPN, etc.

They should probably go back to the original invite only flow they used when Gmail launched.

Every account having the ability to invite an only small finite number of new accounts is one way to thwart scammers.

It doesn't have to be deliberate; it's just the economic incentives at work. AI providers are inclined to sell AI to everyone with a pulse, and it just so happens that a lot of its use will for towards spam generation.

It also just happens that they're the ones best positioned to provide attestation and identity services.

I’m considering self hosted. I’m so tired of the major providers not even trying. And I have no serious control over blocklists.

Not just the FCC but the entire regulatory apparatus is completely non-functional when it comes to regulating commerce.

The clear, unspoken message in the USA is now: "Enrich yourself in any way you can, as fast as you can. Buyer Beware is the law of the land."

LiveJournal allows verification with Russian State ID "gosuslugi".

Estonia is the exception here, not sure about the other Baltics. Switzerland is trying. The UK is trying to try.

Tuta, Fastmail, and Posteo are all much better alternatives to Gmail in terms of privacy.

My comment, as per subject, is about Gmail.

The decline had been happening long before AI hit mainstream.

It's been a _lot_ of years that I've hesitated to answer calls from unknown numbers.

That doesn't really change the fact that it's hard. Do you know how many full movies are on YouTube that infringe on copyright? How many pirated streams are hosted on S3? How many piracy sites are behind Cloudflare. It's just very hard to police at scale and if something is flying below the radar it will be there for a while. They probably spread out their assets over many accounts, or even use misconfigured buckets with write permissions to drop some files in there.

I do mean for their own websites.

If he had this phone for 15 years, I bet it's not bound to a phone, it's bound to a sim card.

Technically if you can copy paste the qr code into any qr reader website and manually do it, I think it's possible? Assuming it doesn't change the code very rapidly every few seconds.

I wish it was. I've looked everywhere for several years for anyone offering this service so I can get into my 2004 Google account that they enabled SMS 2FA on one day, without any notice, but it has the wrong phone number. I have the username, password and the recovery email address is set to another I own too, but without the SMS code I'm hosed.

In my country there are several telco operators that will send you basically an unlimited number of SIM cards for free (as in free beer) that you can use for getting the verification SMS and then immediately throw the SIM away. The only "cost" is that you have to wait a day or two for the SIMs to get to your physical mailbox.

you see, in that case google has to pay, but flipping it like this makes the customers.. oh wait the product pay.

Can confirm this is what scanning the QR code does. I just went through this to get my Google dev account verified.

Not without some kind of delay function and probably filtering/evaluation of which new accounts get this capability...

Everyone here should be familiar with exponential growth of n-ary trees. If you can get one of these accounts and each new invitee gets to invite 2 more, you can already have accounts gone wild.

It was not finite, or uniform. I refilled the invites every week or so based on user behavior.

Not really, even "legit" marketing providers have massive automation rigs to warm email addresses, make them behave naturally and email each other in rings for a bit before using them for cold outreach.

So they'd just do this to farm invites if they needed

The irony is that no real scammer would use this setup because they know it would stand out.

spammers also use AI

I assume "next leading brand" ;P

Google Workspaces are just like Windows 11 on the network, and constantly running Windows update. You never know what changes, installed/uninstalled, or breaks.

This is hilarious. Microsoft has had many issues and outages with M365 in the last few years. I mean, I guess if you don't rely on mail, then sure.

No idea, but there's Zoho.com ...

Apparently it’s just an SMS URI.

It’s not something specific to a phone. It’s just a convenient method to enter your phone number.

then google has decided that you no longer should be able to use GMail (for now) and the internet (in the future)

I don't know why verizon etc.. don't charge like $0.25 cents per sms. Then these provider would stop sending too many sms.

If you don't feel that's worth it you can use Gmail, yeah.

"A tester in A/B testing situation swears that B tester is not telling the truth"

I just checked and it asked me to scan QR code and after opening QR code it will attempt to send some random token..

Google is probably doing A/B testing or they are using some sort of ML algorithm....

Google's inability to scale their services should be a regulatory issue.

If their platforms (Gmail, YouTube, DoubleClick) are being used to launch scams, they're failing at scale and governments are failing at legislating / regulating.

The only way to use Google services somewhat safely is with hefty ad (and the rest) blocking.

All this ID and surveillance and privacy invasion and metadata retention and yet all these scams only seen to grow. It never seems to end up protecting anyone deserving of protection.

I wonder what it's all been in aid of...

Thanks, now I understand your comment.

His point was just that many business users can only purchase Google’s solution or Microsoft’s solution, because they’re the only services that will offer interoperability with many other security and compliance services and advanced functionality like SSO, third party email scanning, compliance journaling etc. The email market is essentially a duopoly as soon as you need any functionality beyond basic email.

Yeah this feels like one of those cases where the term "AI" gets broadened out so far it becomes meaningless.

This stuff is automated. The ability to automate spam calls (using the same form of APIs developers love, like Twilio) make it absurdly easy for one person to set up a spam machine. No AI required.

I kinda lost the plot here - what does piracy have to do with spam and phishing?

Hopefully that means Nextcloud ;)

I feel like I must be using a different gogole workspace. I've used it every day for the last 10 years and just don't seem to have these issues? Stuff just seems to work for the most part? It's all way more stable and low-admin than any other desktop software I've used at least!

We are 365 shop… I cannot think of one single time the 365 being down has affected us at all. Maybe you’re right I don’t know. Maybe your region is worse than my region.

Cloudflare for email people, its the best and free

To enter their phone number because you sent an SMS to them.

So if there are any costs for sending this SMS it’s on you.

If one takes the comment to mean, 50x better for support, I can believe that. After all, 50x almost nothing can be achieved fairly easily.

It's not just me; most people won't. That's the issue.

I recall reading that twitter was getting "scammed" because there were some phone services that cost money to receive texts (and possibly some of it was being passed on to the customer of said phone service) and they were getting spammed with phone verifications to get the payouts. I guess when twitter extorts your phone number out of you under false security pretenses and then uses it for advertising that's legit but if some one tries to a get a cut for themselves it's a big problem.

It occurs to me this "force you to send the sms" might be a way to avoid exactly this sort of thing.

eh, they gave up on trying to control usenet and haven't touched gopher so I'll just go there

It certainly disproves a headline saying “Gmail now requires scanning a QR code”.

The simple fact that you believe this is insane to me. Microsoft?Security and compliance? Ahhh, yes the north star of security!

No, you don't need either of these companies if you need a corporate stack for communication and collaboration. And anyone who believes Microsoft or Google is doing anything out of the ordinary to protect their users or data is out of the loop.

The lead generation was automated ten years ago ("Hello?"), but the actual scam conversation was not. Until recently, you still had to pay somebody in South Asia better than the prevailing wage of ~$1/hr to have these conversations, as well as set them up in an office with computers and managers, and bribe local police (call it $5/hr of fully burdened work product). If your success rate is ~1% and the average human portion of the scam lasts 12 minutes, you're getting 0.05 successes per hour, and you better be netting an average of $100 per successful scam (accounting for financial clearing issues / reversals!) or you're losing money on every hour worked.

You're correct about the calls, but the ability to talk with the people was the rate limiter. Even if you have many people in Cambodia or India, the scammers still needed to scam more than they paid out. Now you can have AI bots that do the first level of filtering.

Unfortunately scamming is a business and if certain actions become less expensive, I would expect more of them.

both deal with distinguishing legitimate vs illegitimate content.

"It's so easy when you don't know how". I'm not sure if this phrase is in common use at all, or if I just misheard it once and attributed it to mean that when the details of a problem aren't obvious, its easy to conclude the solution is simple. "Why don't they just do ___?"

Maybe MS actually has support. The UI is so much worse than Google's (which is bad enough for communication compared to Slack) that you just cannot win though.

Well, a headline that states that “Gmail now requires scanning a QR code for some people some of the time” is not too exciting.

>No, you don't need either of these companies if you need a corporate stack for communication and collaboration

A lot of corporate (customer) email sevices drop email from everybody except a very short whitelist.

It's not about actual security; it's about the appearance of it. It allows CTOs and such to check a box to say "Why yes, our vendor is secure! Look at all their claims! Look at how many other companies use them!" That's it. Safety in numbers for clueless CTOs.

At the companies I've worked at, I refer to this as the "well, can't you just...?"

Yeah, I can "just" after I "just" do A, and B, and C, and D, and E, and F, and G.

Drives me batty on top of being insulting. "Surely you realize I thought about that weeks ago, and if it were that simple, we wouldn't be having this conversation."

But hey, I get paid every 2 weeks.