While it seems to be true that it’s not open-source, they claim (in strong terms) that they use techniques other than reading the message to make that assessment:

https://signal.org/blog/keeping-spam-off-signal/

They point out that the protocol’s end-to-end cryptographic guarantees are still open and in place, and verifiable as ever. As far as I can tell, they claim that they combine voluntary user spam reports and metadata signals of some sort:

> When a user clicks “Report Spam and Block”, their device sends only the phone number that initiated the conversation and a one-time anonymous message ID to the server. When accounts are repeatedly reported as spam or network traffic appears to be automated, we can issue “proof of humanity” checks to suspicious senders so they can’t send more messages until they’ve completed a challenge. For example, if you exceed a configured server-side threshold for making requests to Signal, you may need to complete a CAPTCHA within the Signal application before making more requests. This approach slows down spammers while allowing regular messages to continue to flow.

Does that seem unreasonable? Am I missing places where people have identified flaws in the protocol?