Security Experts:

Signal Working on Improving Anti-Spam Capabilities

Privacy-focused communication platforms Signal is sharing information on the improvements it has made to its spam-prevention capabilities.

The task of keeping spam out of user’s inboxes, Signal says, is more difficult compared to other messaging services, because the company does not have access to the contents of messages, and has to fight spam without social graphs.

Unlike Signal’s underlying code, which is open-source, the code for fighting spam is kept secret, to prevent bad actors from finding bypasses.

One of the ways in which Signal fights spam is message requests, which ensures that users have access to more contextual information regarding a message that comes from someone who is not in their address book, before accepting, deleting, or blocking that message.

[ READ: Signal Adds Face Blurring Tool to Protect User Privacy ]

To prevent spammers from luring users with the help of provocative profile photos, Signal is blurring profile photos initiated by senders outside of the recipient’s address book. Conversations and profile information (including photos) are end-to-end encrypted.

In another attempt to fight spam, Signal said it decided to no longer hyperlink URLs that are rendered on the message request screen.

In addition to these minor tweaks, which lower the effectiveness of individual spam messages, Signal also added recourse for recipients for unwanted inbound messages. Users can now report a message as spam when blocking someone from the message request screen.

[ READ: Signal Provides Only Two Timestamps as Response to Grand Jury Subpoena ]

Because Signal is designed in such a manner that clients do not trust the server even when it delivers end-to-end encrypted content, server-side inspection of message content is not possible, and the platform relies on message behavior to identify spam and enforce limits.

“When a user clicks “Report Spam and Block”, their device sends only the phone number that initiated the conversation and a one-time anonymous message ID to the server,” Signal said.

For accounts repeatedly reported for spam and network traffic that seems automated, the platform can issue checks to senders, thus preventing them from sending more messages until they have completed a challenge.

Signal is also building “spam-battling logic in a separate server component” and plans to make the interfaces to the code public, while keeping the implementation private.

Related: Signal Provides Only Two Timestamps as Response to Grand Jury Subpoena

Related: Signal Adds Face Blurring Tool to Protect User Privacy

view counter