TFGBV Taxonomy
Mitigation Strategy:

Rate limits on low trust accounts

Last Updated 6/9/25
Definition: Rate Limits on Interactions from New or Unverified Accounts.
Abuse Types:
Online harassment, Online impersonation, Inappropriate content, Intimate image abuse (IIA), Doxxing, Sexual extortion
Impact Types:
Self-censorship, Abuse normalization, Psychological & emotional harm
Targets:
Public figure, Society
Responsible Organizations:
Digital platform, Payment processor / financial service

The information on this page is adapted with permission from Prevention by Design by lead authors Lena Slachmuijlder and Sofia Bonilla.

Implement rate limits on key engagement features (such as friend requests and messaging) for new or low-trust accounts to reduce the risk of spam and abuse. Rate limits prevent misuse by restricting the rapid spread of unsolicited interactions, adding a layer of security for all users. These limits are especially critical in deterring abusive behavior from bad actors or bots, creating a controlled user environment.
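The following is an added example, not part of the original page or of Prevention by Design: a sliding-window limiter for friend requests and direct messages, keyed on the account rather than the source IP address. The tier rule, the 7-day age threshold, the hourly limits and all names are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed policy: max actions per rolling hour, by trust tier and feature.
LIMITS = {
    "low":     {"friend_request": 5,  "direct_message": 10},
    "trusted": {"friend_request": 50, "direct_message": 200},
}
WINDOW_SECONDS = 3600
MIN_ACCOUNT_AGE = 7 * 24 * 3600  # assumed: accounts under 7 days old are low trust

@dataclass
class Account:
    account_id: str
    created_at: float
    verified: bool

def trust_tier(account, now):
    """New OR unverified accounts are low trust; both checks must pass to be trusted."""
    old_enough = now - account.created_at >= MIN_ACCOUNT_AGE
    return "trusted" if account.verified and old_enough else "low"

class InteractionLimiter:
    """Sliding-window limiter keyed on (account, action), not on IP address."""
    def __init__(self):
        self._events = defaultdict(deque)

    def allow(self, account, action, now=None):
        now = time.time() if now is None else now
        limit = LIMITS[trust_tier(account, now)][action]
        events = self._events[(account.account_id, action)]
        # Drop timestamps that have aged out of the window.
        while events and events[0] <= now - WINDOW_SECONDS:
            events.popleft()
        if len(events) >= limit:
            return False  # denied attempts are not recorded
        events.append(now)
        return True

def simulate(account, action, attempts, start, spacing=1.0):
    """Constructed burst: `attempts` requests, `spacing` seconds apart."""
    limiter = InteractionLimiter()
    return sum(limiter.allow(account, action, start + i * spacing)
               for i in range(attempts))
```

Because the tier is recomputed on every call, an account moves to the higher limits as soon as it is both verified and past the age threshold.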

Examples

  • Reddit’s Post Restriction Tools: Communities on Reddit can limit posting frequency for new users to reduce abuse and spam. Similarly, under Reddit’s Karma System, certain subreddits can choose to automatically remove new posts from users who haven’t met specific engagement criteria, even if the content isn’t spam.
  • Twitter’s Rate Control Systems: These prevent misuse of features like direct messaging and follows.
  • Instagram’s Comment and DM Limits: This feature enables users to restrict comments and DM requests during periods of heightened attention. It helps protect individuals from potential abuse by automatically hiding comments and messages from users who don’t follow them or have only recently started following them.

References

  • Cloudflare. (2024). What is rate limiting? | Rate limiting and bots. Cloudflare.com. https://www.cloudflare.com/learning/bots/what-is-rate-limiting/
  • Radware. (n.d.). What is rate limiting and how does it work? Radware. https://www.radware.com/cyberpedia/bot-management/rate-limiting/
  • Slachmuijlder, L., & Bonilla, S. (2025). Prevention by design: A roadmap for tackling TFGBV at the source. https://techandsocialcohesion.org/wp-content/uploads/2025/03/Prevention-by-Design-A-Roadmap-for-Tackling-TFGBV-at-the-Source.pdf

Limitations

  • There are ways to circumvent rate limits:
    • If rate limiting is only applied by IP address, brute force attackers could bypass this by attempting logins from multiple IP addresses (perhaps by using a botnet). (Cloudflare, 2024)
    • Geography-based rate limiting can be circumvented by attackers who use proxy servers or VPNs to hide their location. (Radware, n.d.)