Substack needs to overcome its “APIs are bad” philosophy and instead switch to “delight the customer.” I would be delighted if there was an API since then third parties can build incredible tools for writers so when problems like the spammer come along, the community can solve them quickly without Substack needing to go through a very time-consuming design-develop-test cycle.

All we need is the following changes:

1. Give substack admins an secret API key (shown in Settings) to be used for API calls.

2. Add a new boolean field to every subscriber record: ability to make a comment. That field should show up in the search results of subscribers in the normal GUI.

3. In admin settings GUI, allow me to specify “comments are disabled for new subscribers by default” so that all new subscribers can’t comment till I turn them on either in the API or I manually toggle them in settings. So I can go in once a day, review the records sorted by date, and enable comments even if I don’t have an API.

4. Allow me to specify a “callback” function (a URL substack calls) where substack calls me each time there is a new subscriber so I can run my own sanity check algorithm on the new subscriber and enable the comments bit. Substack just makes a post to that URL and doesn’t have to wait for a response since I could be down.

5. Give me an API call so I can turn comments on/off for any subscriber as well as ban the subscriber and remove all their posts. The idea is my software gets called on new subscribers so I can enable them for comments.

6. Give me an API call that returns results like I’d get with the current search of my subscriber base so can for example, get all recently added subscribers from @gmail.com.

Once that is done, there are lots of things that can be done at my end to automatically validate whether the email address supplied by the new subscriber should have comments enabled:

1. Look at the age of the email address using 3rd party services

2. Have a lag time between time of new subscriber and when I enable comments. This can vary based on the domain. If a spammer has to wait a week, it will end the instant gratification.

3. Ask them for their work email to validate their identity (send them a code to enter)

4. Have them go to a site that will tie up their computer overnight to calculate a hashcash value so they will be delayed commenting for an hour

5. etc. etc. The sky is the limit here. An opportunity for third parties to innovate.

By making things open like this, I think we can spur a lot of innovation which could be useful on all websites.

I am grateful to my spammer “friend” for spurring the creation of this idea!