One of the things that works pretty well is invite codes. People want to use a service because their friends use it. Which is to say, because they have someone to get an invite code from. And invite codes don't track very much more than the service is going to learn by who you use the service to communicate with anyway.

But then banning spammers and bots gets a lot easier because it becomes trivial to trace where they got their invite codes and then shut off that account's ability to give them any more, and you have something to investigate if you see large numbers of accounts getting invite codes from the same account.

They can also be used as an alternative to other forms of verification. So to create an account you can either get an invite code, or provide something even more scarce than a phone number, like payment info. Either you have an invite code or you pay $5. Then most people don't have to pay anything because they get a code, people who want in but don't know anyone there yet can pay a nominal fee, and the spammers and bots can't easily do either of these things at scale.

My problem with invite codes is precisely the association to someone (metadata). It is a double-edged sword, because I would think twice before inviting someone (good!), but at the same time I do not want to be responsible for what they do, nor do I want to be associated to it. As for payment information, I would rather not provide that just to use an instant messenger, for example. Thankfully we have metadata-free IMs (e.g. Ricochet Refresh, Session, Briar). That said, I would not dismiss the idea of invite codes so quickly.

The premise of invite codes shouldn't be that you're responsible for anything someone you invite does. You are not your brother's keeper. If you invite a bot, the worst thing that should happen to you is that you're not allowed to issue invite codes anymore. But that's also all you need to solve the problem, because then the set of people who are careless with invite codes and the set of people who can still issue them ceases to overlap.

The nice thing about payments is that it makes an excellent fallback option, because spammers can't use it. It's not even about identifying the user, you can accept cryptocurrency and allow them to stay anonymous because someone who is going to have their account banned after only a few hours regardless can't invest even $5 in it, so it's about the money rather than the identity. And then it's not supposed to be the default option, but it can exist as an option for anyone the other options aren't working for.