@aris@pleroma.envs.net Strangers cannot really exploit your invite code for spam, and that makes it safe to hand them out; as a stranger will only have one invite code or maybe a few, and so all of their spam accounts will be under *those* subtree(s), not yours.

Spam (and other forms of sockpuppetry) are fundamentally volume-based attacks; they rely on the cost of "trying" to be effectively zero, so that even if most attempts fail, it'll still be worth it. But if you have to interact with a human - *any* human - to make an attempt, that's no longer true.

So no other measures would be necessary on the other unspecified platform, because no spammer is going to expect success by sending one person thousands of requests for invite codes, or even *finding* thousands of people to send one request to. The economics just don't really work.

Basically, the idea is that the "other anti-spam mechanisms" literally are just "you need to talk to a human, *any* human", and that is already enough. The spam account problem is hyperspecific to "systems that require no non-cheaply-automatable effort at all", so basically just "open registration", and pretty much any kind of hurdle prevents it.

Regarding the social graph: sort of, but not exactly. It's a very partial social graph, it will never get updated over time, and it will be less complete than literally just looking at who someone is interacting with on the site. There would have to be a very specific situation for this to reveal any more information than the operator already has.