
Agile SMS Fraud-Control Plan
Defense plan after a July 25 spike in invalid CN SMS requests: one-time ticket signing, rate limits with CAPTCHA, dynamic quotas from login success rate, blacklist by phone/device/IP, device fingerprint rules per platform, and product changes to de-emphasize SMS login.
8/1/2025 · 2 min read
SMS fraud-control defense plan
Background
Starting July 25, 15 CN regions saw high-frequency invalid SMS requests, sharply increasing SMS cost.
Monthly SMS volume
Daily SMS volume in July
July SMS login success rate (by country)
Attackers reused most phone numbers
New login methods in July
Third-party login success rate in July
Email login success rate
Requirements
1. One-time ticket signing
Goal: prevent SMS API abuse
Sequence
```mermaid
sequenceDiagram
    Client ->> Signing service: ① Request ticket
    Signing service -->> Client: ② Return ticket {timestamp, nonce, server signature}
    Client ->> SMS service: ③ POST /sms/send (ticket + fingerprint + phone)
    SMS service ->> SMS service: ④ Validate ticket
```
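The four-step exchange above, worked through as an added example (not code from the original plan): the signing service issues an HMAC-signed {timestamp, nonce, signature} ticket, and the SMS service checks the signature, the ticket's age and that the nonce has not been consumed before it sends anything. The secret key, the 120-second lifetime, the clock-skew tolerance, the in-memory nonce set and the sample phone number are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Assumed signing key shared by the signing service and the SMS service;
# a real deployment loads it from a secret store, not a constant.
SERVER_SECRET = b"example-ticket-signing-key"
TICKET_TTL_SECONDS = 120          # assumed ticket lifetime
CLOCK_SKEW_SECONDS = 5            # tolerance for client/server clock drift

# Nonces already consumed. An in-memory set stands in for the shared store
# (for example Redis with a TTL) the two services would use in production.
_used_nonces = set()


def _sign(timestamp: int, nonce: str) -> str:
    """HMAC-SHA256 over 'timestamp.nonce'; only the server side knows the key."""
    payload = f"{timestamp}.{nonce}".encode()
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_ticket(now: Optional[float] = None) -> dict:
    """Steps 1-2: the signing service returns {timestamp, nonce, signature}."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    return {"timestamp": ts, "nonce": nonce, "signature": _sign(ts, nonce)}


def validate_ticket(ticket: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Step 4: check the signature, then freshness, then that the nonce is unused.

    Signature first, so a forged ticket never touches the nonce store."""
    now = time.time() if now is None else now
    try:
        ts = int(ticket["timestamp"])
        nonce = str(ticket["nonce"])
        sig = str(ticket["signature"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed"
    if not hmac.compare_digest(_sign(ts, nonce), sig):
        return False, "bad_signature"
    if now - ts > TICKET_TTL_SECONDS or ts - now > CLOCK_SKEW_SECONDS:
        return False, "expired"
    if nonce in _used_nonces:
        return False, "replayed"
    _used_nonces.add(nonce)       # consume it: the ticket is one-time
    return True, "ok"


def send_sms(ticket: dict, fingerprint: str, phone: str, now: Optional[float] = None) -> dict:
    """Step 3: the POST /sms/send handler. Only a valid, unused ticket reaches the provider."""
    ok, reason = validate_ticket(ticket, now)
    if not ok:
        return {"sent": False, "reason": reason}
    # Provider dispatch would happen here; the example only records the decision.
    return {"sent": True, "reason": "ok", "phone": phone, "fingerprint": fingerprint}


if __name__ == "__main__":
    t = issue_ticket()
    print(send_sms(t, "fp-demo", "+86-000-0000-0000"))   # constructed number; sent once
    print(send_sms(t, "fp-demo", "+86-000-0000-0000"))   # same ticket again: replayed
```

The ticket here is not bound to the phone number or fingerprint that travel with it in step ③; whether to include those in the signed payload is a design choice the plan leaves open, and binding them would stop a ticket obtained for one number from being spent on another.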
2. SMS rate limits & CAPTCHA
Goal: cap SMS volume when the API is abused
| Time window | Limit | At ≥80% of quota | At ≥100% |
|---|---|---|---|
| Country / day | Quota × dynamic factor | CAPTCHA | Reject |
| Country / hour | Quota × dynamic factor | CAPTCHA | Reject |
| Device / day | 3 messages | CAPTCHA (from 2nd request) | Reject |
| IP / 10 min | 5 messages | CAPTCHA (from 2nd request) | Reject |
Initial quota
Dynamic factor rules
Compute login success rate
In the last hour: total SMS codes sent (S) and successful logins with code (L).
Success rate R = L / S.
Adjust SMS cap
- If R ≥ 55%, cap × 1.2 (max 1.5× current hourly/daily cap).
- If 20% ≤ R < 50%, unchanged.
- If R < 20%, cap × 0.7.
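The rate-limit table and the dynamic-factor rules together, as an added example that is not code from the original plan. It keeps per-window counters for country, device and IP, returns allow / CAPTCHA / reject for the next request following the table (CAPTCHA at 80% of a country quota, from the second request for a device or IP, reject at 100%), and recomputes the country caps from the hourly login success rate R = L / S. The base country quotas are hypothetical; the "max 1.5×" ceiling is read here as 1.5× the initial quota (a multiplier of 1.2 could never exceed 1.5× the current cap), and the 50–55% band the rules leave unstated is treated as unchanged; both are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical initial quotas for the country windows; the device and IP limits are the page's.
BASE_COUNTRY_DAY = 10_000
BASE_COUNTRY_HOUR = 1_000
DEVICE_DAY_LIMIT = 3
IP_10MIN_LIMIT = 5
MAX_FACTOR = 1.5          # caps never exceed 1.5x the initial quota (assumption, see lead-in)

WINDOWS = {"country_day": 86_400, "country_hour": 3_600, "device_day": 86_400, "ip_10min": 600}
_ORDER = {"allow": 0, "captcha": 1, "reject": 2}


def login_success_rate(sent: int, logins: int) -> float:
    """R = L / S over the last hour; 0 when nothing was sent."""
    return logins / sent if sent > 0 else 0.0


def adjust_cap(current_cap: int, base_cap: int, rate: float) -> int:
    """Dynamic factor: x1.2 at R >= 55%, unchanged in the middle band, x0.7 below 20%."""
    if rate >= 0.55:
        new_cap = current_cap * 1.2
    elif rate >= 0.20:          # 20% <= R < 55%: unchanged (page states the band as 20%-50%)
        new_cap = current_cap
    else:
        new_cap = current_cap * 0.7
    return int(min(new_cap, base_cap * MAX_FACTOR))


def decide(count: int, limit: int, captcha_from_second: bool = False) -> str:
    """Verdict for the next request given `count` messages already sent in the window."""
    if count >= limit:                         # at 100% of quota: reject
        return "reject"
    if captcha_from_second and count >= 1:     # device / IP: CAPTCHA from the 2nd request
        return "captcha"
    if count >= limit * 0.8:                   # country: CAPTCHA at 80% of quota
        return "captcha"
    return "allow"


@dataclass
class SmsRateLimiter:
    country_day_cap: int = BASE_COUNTRY_DAY
    country_hour_cap: int = BASE_COUNTRY_HOUR
    # counter key = (window, subject, time bucket); a new bucket starts each window
    counters: dict = field(default_factory=lambda: defaultdict(int))

    def _keys(self, country: str, device: str, ip: str, now: float) -> dict:
        subject = {"country_day": country, "country_hour": country,
                   "device_day": device, "ip_10min": ip}
        return {w: (w, subject[w], int(now // WINDOWS[w])) for w in WINDOWS}

    def check(self, country: str, device: str, ip: str, now: float) -> str:
        """The most restrictive verdict across the four windows wins."""
        k = self._keys(country, device, ip, now)
        verdicts = [
            decide(self.counters[k["country_day"]], self.country_day_cap),
            decide(self.counters[k["country_hour"]], self.country_hour_cap),
            decide(self.counters[k["device_day"]], DEVICE_DAY_LIMIT, captcha_from_second=True),
            decide(self.counters[k["ip_10min"]], IP_10MIN_LIMIT, captcha_from_second=True),
        ]
        return max(verdicts, key=_ORDER.__getitem__)

    def record_send(self, country: str, device: str, ip: str, now: float) -> None:
        """Call after a message is actually sent."""
        for key in self._keys(country, device, ip, now).values():
            self.counters[key] += 1

    def rebalance(self, sent_last_hour: int, logins_last_hour: int) -> float:
        """Hourly job: recompute R and apply the dynamic factor to the country caps."""
        rate = login_success_rate(sent_last_hour, logins_last_hour)
        self.country_hour_cap = adjust_cap(self.country_hour_cap, BASE_COUNTRY_HOUR, rate)
        self.country_day_cap = adjust_cap(self.country_day_cap, BASE_COUNTRY_DAY, rate)
        return rate
```

Counters are bucketed by `now // window`, so a device's daily count resets at the next day boundary without a cleanup job; a production limiter would keep the same keys in a shared store with an expiry equal to the window.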
3. Blacklist policy
| Monitor (same phone / device / IP) | Window | Threshold | Action |
|---|---|---|---|
| SMS requests ≥5 and logins ≤1 | 1 day | Met | Blacklist |
| CAPTCHA failures ≥3 | 30 min | Met | Blacklist |
- First strike: no SMS for 24h
- Second: 72h
- Third: permanent SMS block
Required device fingerprint fields
| Platform | Required fields | Strong match (all equal) | Weak match (partial) |
|---|---|---|---|
| iOS | Model, OS, resolution, locale/timezone, IDFV, app version | Punish directly | CAPTCHA; fail → punish |
| Android | Brand/model, OS, Android ID, resolution, locale/timezone, app version, OAID | Punish directly | CAPTCHA; fail → punish |
| H5 / Web | UA, Canvas/WebGL/Audio hash, locale/timezone, localStorage | Punish directly | CAPTCHA; fail → punish |
| PC | UA, Canvas/WebGL hash, locale/timezone, resolution, localStorage | Ban directly | CAPTCHA |
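The blacklist policy and the device-fingerprint rules above, combined in one added example that is not code from the original plan. A fingerprint is compared field by field against a known-bad one using the per-platform required fields: a strong match (all fields equal) is punished directly, a weak match (some fields equal) gets a CAPTCHA and is punished on failure (the PC row, which lists only CAPTCHA, is kept as written). Punishment follows the strike ladder (24h, 72h, permanent), and the two blacklist triggers from the table are checks on already-aggregated counts. Field names, the known-bad fingerprint and the subject identifiers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

DAY = 86_400
STRIKE_DURATIONS = [1 * DAY, 3 * DAY, None]   # 1st: 24h, 2nd: 72h, 3rd+: permanent (None)

# Required fields per platform, keyed by constructed field names.
REQUIRED_FIELDS = {
    "ios": ["model", "os", "resolution", "locale_tz", "idfv", "app_version"],
    "android": ["brand_model", "os", "android_id", "resolution", "locale_tz", "app_version", "oaid"],
    "h5": ["ua", "canvas_webgl_audio_hash", "locale_tz", "local_storage"],
    "pc": ["ua", "canvas_webgl_hash", "locale_tz", "resolution", "local_storage"],
}


def match_level(platform: str, fp: dict, known_bad: dict) -> str:
    """'strong' if every required field equals the known-bad fingerprint, 'weak' on partial overlap."""
    fields = REQUIRED_FIELDS[platform]
    equal = sum(1 for f in fields if f in fp and fp[f] == known_bad.get(f))
    if equal == len(fields):
        return "strong"
    return "weak" if equal > 0 else "none"


@dataclass
class Blacklist:
    strikes: Dict[str, int] = field(default_factory=dict)
    blocked_until: Dict[str, Optional[float]] = field(default_factory=dict)   # None = permanent

    def punish(self, subject: str, now: float) -> Optional[float]:
        """Escalate one strike for a phone / device / IP and return the block expiry (None = permanent)."""
        n = self.strikes.get(subject, 0) + 1
        self.strikes[subject] = n
        duration = STRIKE_DURATIONS[min(n, len(STRIKE_DURATIONS)) - 1]
        until = None if duration is None else now + duration
        self.blocked_until[subject] = until
        return until

    def is_blocked(self, subject: str, now: float) -> bool:
        if subject not in self.blocked_until:
            return False
        until = self.blocked_until[subject]
        return until is None or now < until

    def evaluate_sms_activity(self, subject: str, sms_requests_1d: int, logins_1d: int, now: float) -> bool:
        """Trigger 1: >=5 SMS requests and <=1 login in one day -> blacklist."""
        if sms_requests_1d >= 5 and logins_1d <= 1:
            self.punish(subject, now)
            return True
        return False

    def evaluate_captcha_failures(self, subject: str, failures_30m: int, now: float) -> bool:
        """Trigger 2: >=3 CAPTCHA failures in 30 minutes -> blacklist."""
        if failures_30m >= 3:
            self.punish(subject, now)
            return True
        return False


def handle_request(bl: Blacklist, subject: str, platform: str, fp: dict, known_bad: dict,
                   captcha_passed: Optional[bool], now: float) -> str:
    """Apply the fingerprint table. captcha_passed is None until the user has answered a CAPTCHA."""
    if bl.is_blocked(subject, now):
        return "blocked"
    level = match_level(platform, fp, known_bad)
    if level == "strong":
        bl.punish(subject, now)
        return "punished"
    if level == "weak":
        if captcha_passed is None:
            return "captcha"
        if captcha_passed:
            return "allow"
        if platform == "pc":          # PC row lists CAPTCHA only, so a failure just re-prompts
            return "captcha"
        bl.punish(subject, now)
        return "punished"
    return "allow"
```

Weak matches are deliberately routed through a CAPTCHA rather than punished: shared device models, OS versions and locales make partial overlap common among legitimate users, so only the fully identical fingerprint is treated as proof.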
4. Product: de-emphasize SMS login
- Steer users toward third-party login; de-emphasize phone login in the UI
- After phone signup, prompt password setup; default to password login on return