trustdb.net Request access
03 / Fraud playbook

A plan for fighting back.

No single check stops fraud.

Attackers rotate identifiers faster than blocklists can track. The answer is a stack — cheap checks first, shared reputation behind them.

Four stages, in order.

Front of the stack

Off-the-shelf signals

Public blocklists, line-type checks, jurisdiction filters. Cheap, fast, and enough to stop most attackers.

Stages 01 — 02

Back of the stack

Shared reputation

Hashed identifiers your peers already caught. Where the fraudsters who look like real users finally show themselves.

Stages 03 — 04

A / The plan

Four stages, in order.

Each stage costs more than the last.

Let the cheap ones filter the bulk.

  1. Stage 01 At signup

    Filter disposable email

    Do

    Check the MX records of every email. Reject the ones pointing at one-time-mail services.

    Why

    Catches throwaway domains no static blocklist will ever see. Use otm-detector.

    github.com/Short-io/otm-detector

    import { getOneTimeMailInfo } from "otm-detector"

    Catches: Throwaway inboxes · temp-mail farms
  2. Stage 02 At signup

    Verify phone numbers

    Do

    Require SMS verification. Turn off high-fraud countries in Twilio Geo Permissions. Reject VoIP with a line-type lookup.

    Why

    Geo Permissions blocks whole countries. Line Type Intelligence catches the VoIP that slips through in the ones you keep.

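    // Node.js, inside an async handler; reject() is your own signup handler
    const n = await twilio.lookups.v2
      .phoneNumbers(phone)
      .fetch({ fields: "line_type_intelligence" })

    // Twilio reports VoIP lines as "fixedVoip" or "nonFixedVoip"
    const type = n.lineTypeIntelligence?.type
    if (type === "fixedVoip" || type === "nonFixedVoip") reject()

    Catches: Cheap VoIP · high-risk jurisdictions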
  3. Stage 03 At signup

    Check shared reputation

    Do

    Hash the email or phone locally. Check it against trustdb.

    Why

    The only defense against fraudsters who look identical to real users — Gmail addresses and rented US numbers that pass every other check.

    h = pbkdf2(identifier, salt)
    if trustdb.hit(h): block

    Catches: Gmail fraud · rented US SMS · repeat offenders
  4. Stage 04 Post-incident

    Feed back what you catch

    Do

    When you confirm fraud, report the hashes back to trustdb.

    Why

    Every hash you send is one your peers catch before signup. The network only works if signal flows both ways.

    trustdb.report(h, {
      severity: "high",
      category: "chargeback",
    })

    Catches: Stronger network with every report
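
Stages 03 and 04 worked through in Node.js, as an added example that is not trustdb's code or API: identifiers are normalized and hashed locally with PBKDF2, and only digests are reported or looked up. The salt value, the iteration count and the in-memory `LocalReputation` store are assumptions made for the example.

```javascript
// Added example, not trustdb's own code. Assumed for illustration:
// NETWORK_SALT, ITERATIONS, and LocalReputation (an in-memory stand-in).
const crypto = require("node:crypto");

const NETWORK_SALT = "constructed-demo-salt"; // constructed placeholder
const ITERATIONS = 100000; // assumed work factor

// Canonicalize first, so every member derives the same hash for the
// same identifier regardless of case, spacing or phone punctuation.
function normalize(identifier) {
  const s = identifier.trim();
  if (s.includes("@")) return "email:" + s.toLowerCase();
  const digits = s.replace(/\D/g, "");
  if (!s.startsWith("+") || digits.length < 8 || digits.length > 15) {
    throw new Error("phone must include a country code, e.g. +15550100199");
  }
  return "phone:+" + digits;
}

// Stage 03: hash locally; only the hex digest ever leaves the process.
function hashIdentifier(identifier) {
  return crypto
    .pbkdf2Sync(normalize(identifier), NETWORK_SALT, ITERATIONS, 32, "sha256")
    .toString("hex");
}

// Stand-in for the shared store: it holds hashes and report metadata only.
class LocalReputation {
  constructor() { this.reports = new Map(); }
  report(hash, meta) { this.reports.set(hash, meta); } // stage 04
  hit(hash) { return this.reports.has(hash); } // stage 03
}

function checkSignup(store, identifier) {
  return store.hit(hashIdentifier(identifier)) ? "block" : "allow";
}

// Constructed sample data: two identifiers confirmed as fraud by a peer.
const store = new LocalReputation();
const meta = { severity: "high", category: "chargeback" };
store.report(hashIdentifier("Mallory@Example.com"), meta);
store.report(hashIdentifier("+1 (555) 010-0199"), meta);

console.log(checkSignup(store, " mallory@example.COM ")); // block
console.log(checkSignup(store, "+15550100199")); // block
console.log(checkSignup(store, "alice@example.com")); // allow
```

Matching across peers only works when every side applies the same normalization, salt and PBKDF2 parameters. Because phone numbers come from a small space, the work factor is what slows enumeration of reported hashes.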

trustdb is one stage · not a replacement for the cheap signals
