Honestly our findings from working at scale (Facebook, Google, Twitter, Discord, Reddit, ...) were actually the opposite.
With hand written (not arbitrary) rules it's easier to understand the intent of the attacker and build a system that they can't work around because we're blocking them at their source of income. Sure they can figure out how to post messages but unless they can include their link/payload/etc it's not worth their time.
Machine learning defences are definitely a part of what we did, but they're slower to respond to attacks and generally easier to work around.
As someone who has personally battled such adversaries, I call bullshit on that. People with a financial incentive to spam in a user discussion environment are able to change pretty much every letter of their message if necessary.
With hand written (not arbitrary) rules it's easier to understand the intent of the attacker and build a system that they can't work around because we're blocking them at their source of income. Sure they can figure out how to post messages but unless they can include their link/payload/etc it's not worth their time.
Machine learning defences are definitely a part of what we did, but they're slower to respond to attacks and generally easier to work around.