
It's interesting that gmail is the least likely used for fraud, why is that? Can't anybody create multiple gmail accounts?

VPN traffic would also be an interesting metric.



IIRC you have to do text message validation. If not, I believe the number of messages you can send is under 50. However these things change over time, and I believe at one point (maybe now) you couldn't make a gmail account without text verification.

Feel free to correct me if my memory is wrong because it very well could be.


At one point I was thinking about setting up a tv channel for VLC... you can write a lua script to let VLC extract video urls from a webpage. So I'd use Tor/bitcoin to get hosting somewhere, put up a simple page for that purpose, and use Youtube to host the videos. You need Google accounts though, lots of them (Google would suspend them quickly, after all).

The solution I considered was paying people in Africa to sign up for gmail for me, and I'd pay them per account. I figured I'd only need 50-100 per month, so the low volume might make it possible. They often have smartphones, and amounts that are too low for you to bother with might be a decent payday for them for 5 minutes' work.

Now, I know what you're going to say... Youtube detects copyrighted works, won't let you upload them. That part was easy.

Just invert the video color, and flip it upside down. Then the lua script for VLC would de-invert and unflip it. And I could even bring in the audio from another site (VLC allows muxing), since Youtube uses audio signatures more than they do video signatures for that stuff.

I had a prototype going for a while. Called it "Space Potato Channel". It just played videos others had uploaded (wrote a little backend to schedule movies). If you tuned in 5 minutes late, it'd show the video 5 minutes in, etc. Then I learned about how the NSA was giving tips to law enforcement and doing the parallel reconstruction thing, and I reconsidered my scheme to become a bitcoin millionaire.

Long story short, gmail accounts were never something I thought would be much of a problem.


Or you can go to "account brokers" who sell accounts for something like $20/1000. Reliability of those accounts varies per broker but some I understand to be quite good (never bought any myself).

Hang out on any blackhat SEO forum (or more illegal carding shops, etc. I would imagine) and you'll see plenty of guys peddling this service.

Incidentally, the youtube method you're describing has been automated many times. My first real PHP project was a script that found popular videos on non-youtube sites, downloaded them, watermarked them with my blog URL, and uploaded them to youtube. That resulted in a fair amount of direct traffic.

If you trawl around youtube these days you'll see plenty of watermarked videos that are clearly not original content. But as long as nobody is claiming copyright -- which nobody is doing for cat videos -- Google doesn't give a shit. Honestly, uploading non-original videos to Youtube only helps their numbers.

I think a common misconception is that companies care about fake/"spam" user accounts on their services. But what incentive do they actually have to ban them? In the world of venture capital, user numbers are an incredibly important metric, so as long as they aren't actively diluting the service for other users, companies have an incentive to allow them to propagate and pad their stats.

Take Snapchat for example. Looking at my friend request page, I have dozens of obviously spam accounts asking to be my friends. Is Snapchat including these accounts in their user numbers? Almost definitely. In fact, they probably even count as "active users" because they are "sharing photos" so often!

One has to wonder how many popular services have been built on VC money given to them on the presumption of accurate user statistics, when in reality 20-30% of accounts could be shills. Snapchat, Twitter, Facebook... There are tons of fake users on all of them, and yet these companies make relatively little effort to exclude them from stats (except, of course, when reporting monetization per user).


I was going to upload A-list movies and tv shows. It was going to be a Syfy channel alternative. Just saying.


No, that can't be true. I don't have a mobile phone currently and surely have sent more than 50 messages from a gmail address which has never been linked. And I'm sure plenty of other users, especially children and teens, use gmail addresses without ever linking to a phone number for two-step verification as well.


It might not be a strict requirement, but if Google suspects something is up it will do extra verification.

Using some privacy settings and VPNs will get you more Captchas on Google services also.


> It's interesting that gmail is the least likely used for fraud, why is that?

I spent several years working on the Gmail abuse team. Gmail is used less for fraud than other providers because we were better at fighting abuse than our competitors: as simple as that. Yahoo had a rather hollowed out abuse team for a long time, from what I understand, they didn't invest in it at all. And I think at Microsoft the Hotmail and Passport (i.e. login system) teams were much more compartmentalised than we were inside Google. At least this is what I heard on the grapevine, though I have no clue if it's accurate.

Google does many, many things to combat abuse of Gmail accounts. There's no silver bullet, it's not as simple as "Google phone verifies every account" (it does not and never has), or "if you send more than X messages you get Y". The abuse system is a massively complex pile of interlocking systems, analyses and heuristics.

You can get a good readout of how various teams at the different companies do here:

https://buyaccs.com/

As you can see, Outlook.com accounts currently sell for $10 per thousand. Gmail accounts are about $100 per thousand, an order of magnitude more expensive. Getting higher than that is very difficult against good opponents (and the guy who runs buyaccs.com is good, although these days he acts more as a reseller than an account creator himself). The reason is, at these prices it's feasible to simply phone verify every single account by hand using cheap SIM cards. Google does terminate accounts that have phone verified - it's just one more signal - but it's one of the best ones and so it becomes significantly more dangerous when spammers are phone verifying in bulk. In practice it's not a big deal because $100 per thousand is high enough that many business models (like simple spamming) become unprofitable.

As an example of techniques Google uses: machine learning, manually written logic, real time statistics, randomly generated and obfuscated signal gathering Javascripts, offline clustering pipelines and a team of people with big screens around their office with lots of graphs on them. Those people keep an eye on the system around the clock and if they see e.g. an unexplained spike in account creations then they will manually investigate what was going on. They are very good at quickly identifying mistakes made by account creators and clustering the accounts by hand.
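
The "unexplained spike in account creations" check and the follow-up clustering described in the comment above, as an added example that is not part of the thread and not Google's code. The signup log is constructed, and the `fingerprint` field is a hypothetical stand-in for whatever client-side signal a real system collects.

```python
from collections import Counter
from statistics import median

def build_sample():
    """Constructed signup log of (minute, fingerprint) pairs; not real data."""
    events = []
    for minute in range(30):
        organic = 8 + (minute * 7) % 5            # 8..12 organic signups per minute
        events += [(minute, f"fp-{minute}-{i}") for i in range(organic)]
    # Injected burst at minute 20: 60 signups sharing one (hypothetical) fingerprint
    events += [(20, "fp-shared-constructed")] * 60
    return events

def per_minute_counts(events):
    counts = Counter(minute for minute, _ in events)
    return [counts.get(m, 0) for m in range(max(counts) + 1)]

def spike_minutes(counts, window=15, k=6.0):
    """Flag minutes whose count exceeds trailing median + k * scaled MAD.

    Median/MAD stay stable when an earlier spike sits inside the window,
    so one burst does not raise the baseline and hide the next one.
    """
    flagged = []
    for t in range(window, len(counts)):
        history = counts[t - window:t]
        med = median(history)
        mad = median(abs(c - med) for c in history)
        scale = max(1.4826 * mad, 1.0)            # floor: a flat baseline has MAD 0
        if counts[t] > med + k * scale:
            flagged.append(t)
    return flagged

def shared_signal(events, minute, min_share=0.5):
    """Return (fingerprint, share) if one value dominates the flagged minute."""
    seen = Counter(fp for m, fp in events if m == minute)
    fp, n = seen.most_common(1)[0]
    share = n / sum(seen.values())
    return (fp, share) if share >= min_share else None

def triage(events):
    """Spike detection followed by clustering on the shared signal."""
    counts = per_minute_counts(events)
    return [(m, counts[m], shared_signal(events, m)) for m in spike_minutes(counts)]

if __name__ == "__main__":
    for minute, count, cluster in triage(build_sample()):
        print(f"minute {minute}: {count} signups, dominant signal: {cluster}")
```
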


Given gmail's history, I wouldn't be surprised if they're proactively preventing fraudsters from signing up by a variety of means.



