SITR/SHAKEN implementation in effect today (June 30 2021)
STIR/SHAKEN Broadly Implemented Starting Today https://www.fcc.gov/document/stirshaken-broadly-implemented-starting-today WASHINGTON, June 30, 2021—FCC Acting Chairwoman Jessica Rosenworcel today announced that the largest voice service providers are now using STIR/SHAKEN caller ID authentication standards in their IP networks, in accordance with the deadline set by the FCC. This widespread implementation helps protect consumers against malicious spoofed robocalls and helps law enforcement track bad actors. The STIR/SHAKEN standards serve as a common digital language used by phone networks, allowing valid information to pass from provider to provider which, among other things, informs blocking tools of possible suspicious calls.
On 6/30/21 11:30 AM, Sean Donelan wrote:
STIR/SHAKEN Broadly Implemented Starting Today https://www.fcc.gov/document/stirshaken-broadly-implemented-starting-today
WASHINGTON, June 30, 2021—FCC Acting Chairwoman Jessica Rosenworcel today announced that the largest voice service providers are now using STIR/SHAKEN caller ID authentication standards in their IP networks, in accordance with the deadline set by the FCC. This widespread implementation helps protect consumers against malicious spoofed robocalls and helps law enforcement track bad actors. The STIR/SHAKEN standards serve as a common digital language used by phone networks, allowing valid information to pass from provider to provider which, among other things, informs blocking tools of possible suspicious calls.
Just because you can know (fsvo "know") that a call is allowed to assert a number doesn't change anything unless other actions are taken. With DKIM which is far simpler than STIR it would require reputation systems that don't seem to have been deployed, submission auth which thankfully was deployed, policy enforcement (ie ADSP) which is not deployed, and user indicators which are sporadically deployed. Given the giant security holes caused by solving the wrong problem (ie trying to authenticate the e.164 address rather than the originating domain) it's just going to push spammers to exploit those holes. It's very much to be seen whether victory can be declared, IMO. Mike
On 6/30/21 2:56 PM, Michael Thomas wrote:
Just because you can know (fsvo "know") that a call is allowed to assert a number doesn't change anything unless other actions are taken. With DKIM which is far simpler than STIR it would require reputation systems that don't seem to have been deployed, submission auth which thankfully was deployed, policy enforcement (ie ADSP) which is not deployed, and user indicators which are sporadically deployed.
In any indication, the carrier closest to the originator is signing the call metadata with their digital certificate. While this won't mean much to the active user, for those tracking down robocalls, this is the holy grail - finding the carrier who is letting the calls into the network and being able to reach out to them to stop the abusive/illegal traffic. That it might say we've taken the time to verify the end user is who they say they are is just icing on the cake. The goal is to make the calls accountable to someone, which despite the patchwork of systems in the US that might prevent the signature from coming through, can help a lot since the biggest wholesalers have implemented it (Inteliquent and Lumen among many others) The other big deal is that now all carriers are actually expected to police their network for spoofed callers who are exhibiting robocalling behavior. This is a big deal! For the first time, carriers are going to be held responsible for proactively finding the abuse, and showing what their plans are to do such a thing, and sharing information with each other (via the FCC) who can be contacted to chase down robocall traffic if another carrier sees it.
Given the giant security holes caused by solving the wrong problem (ie trying to authenticate the e.164 address rather than the originating domain) it's just going to push spammers to exploit those holes. It's very much to be seen whether victory can be declared, IMO.
Fortunately, positive identification of the caller isn't the intent. Preventing people from pretending to be the IRS is the intent. -Paul
On 6/30/21 12:17 PM, Paul Timmins wrote:
On 6/30/21 2:56 PM, Michael Thomas wrote:
Just because you can know (fsvo "know") that a call is allowed to assert a number doesn't change anything unless other actions are taken. With DKIM which is far simpler than STIR it would require reputation systems that don't seem to have been deployed, submission auth which thankfully was deployed, policy enforcement (ie ADSP) which is not deployed, and user indicators which are sporadically deployed.
In any indication, the carrier closest to the originator is signing the call metadata with their digital certificate. While this won't mean much to the active user, for those tracking down robocalls, this is the holy grail - finding the carrier who is letting the calls into the network and being able to reach out to them to stop the abusive/illegal traffic.
As I said, STIR solved the wrong problem. I know domains as a user. I have no clue about e.164 address ranges. Also: this is 2021 and e.164 address need to go the way of the dodo. From an automated standpoint, I really don't care about whether a phone number is authentic, I care about the domain that onramped it so I can theoretically punish it. It's the people who are allowing the spoofing that is the real problem which directly analogous to email open relays. Also: reputation is nice in theory but I am dubious that it is deployed in reality. Given the entire ARC farce which was driven by Google -- who owns gmail -- to supposedly "solve" the mailing list traversal problem but boils down to a reputation system, that strongly suggests that they don't have one either. I'm not sure why we should be optimistic about that for STIR which solves for a much harder problem which is inherently not entirely secure given SS7 gateways.
That it might say we've taken the time to verify the end user is who they say they are is just icing on the cake. The goal is to make the calls accountable to someone, which despite the patchwork of systems in the US that might prevent the signature from coming through, can help a lot since the biggest wholesalers have implemented it (Inteliquent and Lumen among many others)
The other big deal is that now all carriers are actually expected to police their network for spoofed callers who are exhibiting robocalling behavior. This is a big deal! For the first time, carriers are going to be held responsible for proactively finding the abuse, and showing what their plans are to do such a thing, and sharing information with each other (via the FCC) who can be contacted to chase down robocall traffic if another carrier sees it.
I'm not trying to say that it's not a good thing to have authentication, but as implemented by STIR it's ridiculously more complex than it needed to be had they chosen the right problem to solve which is to know the domain that is onramping the call. This could have been trivially rolled out a decade ago and I even experimented DKIM signing SIP message about 15 years ago. It's never been entirely clear whether DKIM was the impetus for cleaning up open relays. I'd like to think it was, but the more likely explanation was that it was in the water at the time. The FCC could have at any time just clamped down on that from a regulatory standpoint without going to all of the rigamarole of STIR. Email doesn't have a similar regulatory body to lean on so we had to take it into our own hands.
Given the giant security holes caused by solving the wrong problem (ie trying to authenticate the e.164 address rather than the originating domain) it's just going to push spammers to exploit those holes. It's very much to be seen whether victory can be declared, IMO.
Fortunately, positive identification of the caller isn't the intent. Preventing people from pretending to be the IRS is the intent.
e.164 addresses don't allow me to know if something is from the IRS. irs.gov does. Also, papers have shown that UI identification is a net positive which is a shame given how sporadically they are done and how inconsistent the UI's are. If they were widespread it would probably much better. Mike
On Wednesday, 30 June, 2021 13:53, Michael Thomas <mike@mtcc.com> wrote:
From an automated standpoint, I really don't care about whether a phone number is authentic, I care about the domain that onramped it so I can theoretically punish it. It's the people who are allowing the spoofing that is the real problem which directly analogous to email open relays.
And this is why this problem will not be solved. The "open relay" is making money from processing the calls, and the end carrier is making money for terminating them. Until fine(s) -- hopefully millions of them, one for each improperly terminated call, together with jail time for the CEO of the company for "conspiracy to commit fraud" -- and EACH of the fines is EQUAL OR GREATER than the total yearly worldwide REVENUE of that end carrier, they will not have any impetus to "fix" the problem. If a law were passed that imposed a $1 million penalty payable by the terminating carrier to each subscriber for each such call a subscriber received together with a term of 1 year imprisonment at hard labour for the CEO of the terminating carrier, the whole issue would be fixed before lunch-time. THe motivated self-interest however, is to do nothing. Eventually someone will bring a racketeering claim against the terminating carriers and they will then be properly "motivated" to stop profiteering off criminal activity. -- Be decisive. Make a decision, right or wrong. The road of life is paved with flat squirrels who could not make a decision.
On 7/1/21 3:53 PM, Keith Medcalf wrote:
And this is why this problem will not be solved. The "open relay" is making money from processing the calls, and the end carrier is making money for terminating them. Until fine(s) -- hopefully millions of them, one for each improperly terminated call, together with jail time for the CEO of the company for "conspiracy to commit fraud" -- and EACH of the fines is EQUAL OR GREATER than the total yearly worldwide REVENUE of that end carrier, they will not have any impetus to "fix" the problem.
How about 47 CFR 64.1200(k)(4)? (4) A provider may block voice calls or cease to accept traffic from an originating or intermediate provider <https://www.law.cornell.edu/definitions/index.php?width=840&height=800&iframe=true&def_id=643618fc7955a6798d0c07a136e40fef&term_occur=999&term_src=Title:47:Chapter:I:Subchapter:B:Part:64:Subpart:L:64.1200> without liability under the Communications Act or the Commission's rules where the originating or intermediate provider <https://www.law.cornell.edu/definitions/index.php?width=840&height=800&iframe=true&def_id=643618fc7955a6798d0c07a136e40fef&term_occur=999&term_src=Title:47:Chapter:I:Subchapter:B:Part:64:Subpart:L:64.1200>, when notified by the Commission, fails to effectively mitigate illegal traffic within 48 hours or fails to implement effective measures to prevent new and renewing customers <https://www.law.cornell.edu/definitions/index.php?width=840&height=800&iframe=true&def_id=53789aafb18c69f4ad1df8f063611a51&term_occur=999&term_src=Title:47:Chapter:I:Subchapter:B:Part:64:Subpart:L:64.1200> from using its network to originate illegal calls. Prior to initiating blocking, the provider shall provide the Commission with notice and a brief summary of the basis for its determination that the originating or intermediate provider <https://www.law.cornell.edu/definitions/index.php?width=840&height=800&iframe=true&def_id=643618fc7955a6798d0c07a136e40fef&term_occur=999&term_src=Title:47:Chapter:I:Subchapter:B:Part:64:Subpart:L:64.1200> meets one or more of these two conditions for blocking. ie: "You're not really a phone company anymore, says the rest of the PSTN" https://www.law.cornell.edu/cfr/text/47/64.1200
On 7/1/21 1:05 PM, Paul Timmins wrote:
On 7/1/21 3:53 PM, Keith Medcalf wrote:
And this is why this problem will not be solved. The "open relay" is making money from processing the calls, and the end carrier is making money for terminating them. Until fine(s) -- hopefully millions of them, one for each improperly terminated call, together with jail time for the CEO of the company for "conspiracy to commit fraud" -- and EACH of the fines is EQUAL OR GREATER than the total yearly worldwide REVENUE of that end carrier, they will not have any impetus to "fix" the problem.
How about 47 CFR 64.1200(k)(4)?
(4) A provider may block voice calls or cease to accept traffic from an originating or intermediate provider <https://www.law.cornell.edu/definitions/index.php?width=840&height=800&iframe=true&def_id=643618fc7955a6798d0c07a136e40fef&term_occur=999&term_src=Title:47:Chapter:I:Subchapter:B:Part:64:Subpart:L:64.1200> without liability under the Communications Act or the Commission's rules where the originating or intermediate provider <https://www.law.cornell.edu/definitions/index.php?width=840&height=800&iframe=true&def_id=643618fc7955a6798d0c07a136e40fef&term_occur=999&term_src=Title:47:Chapter:I:Subchapter:B:Part:64:Subpart:L:64.1200>, when notified by the Commission, fails to effectively mitigate illegal traffic within 48 hours or fails to implement effective measures to prevent new and renewing customers <https://www.law.cornell.edu/definitions/index.php?width=840&height=800&iframe=true&def_id=53789aafb18c69f4ad1df8f063611a51&term_occur=999&term_src=Title:47:Chapter:I:Subchapter:B:Part:64:Subpart:L:64.1200> from using its network to originate illegal calls. Prior to initiating blocking, the provider shall provide the Commission with notice and a brief summary of the basis for its determination that the originating or intermediate provider <https://www.law.cornell.edu/definitions/index.php?width=840&height=800&iframe=true&def_id=643618fc7955a6798d0c07a136e40fef&term_occur=999&term_src=Title:47:Chapter:I:Subchapter:B:Part:64:Subpart:L:64.1200> meets one or more of these two conditions for blocking.
ie: "You're not really a phone company anymore, says the rest of the PSTN"
Those who fail to understand the Usenet Death Penalty are doomed to (not) repeat it. Mike
On Thu, Jul 1, 2021 at 12:56 PM Keith Medcalf <kmedcalf@dessus.com> wrote:
... and the end carrier is making money for terminating them.
Survey (of n=1) says: nothing has changed, aka the new technology is not working. I just received the same kind of recorded message call of "something something renew auto warranty" on my AT&T u-Verse line. This time when I called back the displayed caller ID number it was ring-no-answer, versus the previous "you have reached a number that is no longer in service". By terminating the call the carrier made probably more money than it would cost them to enforce the new rules. Other than the donotcall.gov portal, is there a new way to report the obvious failure of STIR/SHAKEN? -andreas
Not all have implemented it yet. But if you haven't. You were supposed to implement some kind of robo calling mitigation plan (Or atleast certify that you have one). At $dayjob we're fully deployed (inbound and outbound). I received my first ever STIR/SHAKEN signed (iPhone Check mark, highly scientific) spam call on my personal Cell phone on 6/30. It was a Telnyx number. Had the call terminated to $dayjob network. I fully would have collected all various information and ticketed it with Telnyx. Time will tell how truly effective this is. But we have better originating information now (breadcrumbs) to follow back to the source. On Thu, Jul 1, 2021 at 5:42 PM Andreas Ott <andreas@naund.org> wrote:
On Thu, Jul 1, 2021 at 12:56 PM Keith Medcalf <kmedcalf@dessus.com> wrote:
... and the end carrier is making money for terminating them.
Survey (of n=1) says: nothing has changed, aka the new technology is not working. I just received the same kind of recorded message call of "something something renew auto warranty" on my AT&T u-Verse line. This time when I called back the displayed caller ID number it was ring-no-answer, versus the previous "you have reached a number that is no longer in service". By terminating the call the carrier made probably more money than it would cost them to enforce the new rules.
Other than the donotcall.gov portal, is there a new way to report the obvious failure of STIR/SHAKEN?
-andreas
Fun part is that just because it's a telnyx number with a checkmark, it doesn't mean the call came from Telnyx, just that the call came from a carrier that gave the call attestation A. As the carrier, we can see who signed the call (it's an x509 certificate, signed by the STI-PA, with the carrier's name and OCN in it) and hold them accountable for the traffic, which is huge. But that's where the confusion will lie - a customer might say well this is a verizon wireless number, i'll yell at them! But the actual call came in through Lumen, and they're the ones who can stop it. A carrier can see the cert, but you can just get the verstat flag from the P-Asserted-Identity field in the call to the handset and see that it passed the tests for attestation A. Just because you don't see a checkmark doesn't mean signatures aren't happening. Attestation B and C aren't displayed on the handset (but are seen in the carrier's systems) and most androids don't have a way to display stir/shaken stuff yet. T-Mobile doesn't send the verstat header to handsets they don't verify as s/s compliant (usually only ones they sell). My trick was to sim swap into an iphone for a day, then back to my android which started displaying the verification after that. It's all new, but just because you don't see it doesn't mean it's not there. Report the calls to your carrier, they have new tools to track down the misbehavior. On 7/2/21 8:32 AM, Nick Olsen wrote:
Not all have implemented it yet. But if you haven't. You were supposed to implement some kind of robo calling mitigation plan (Or atleast certify that you have one). At $dayjob we're fully deployed (inbound and outbound).
I received my first ever STIR/SHAKEN signed (iPhone Check mark, highly scientific) spam call on my personal Cell phone on 6/30. It was a Telnyx number. Had the call terminated to $dayjob network. I fully would have collected all various information and ticketed it with Telnyx.
Time will tell how truly effective this is. But we have better originating information now (breadcrumbs) to follow back to the source.
On Thu, Jul 1, 2021 at 5:42 PM Andreas Ott <andreas@naund.org <mailto:andreas@naund.org>> wrote:
On Thu, Jul 1, 2021 at 12:56 PM Keith Medcalf <kmedcalf@dessus.com <mailto:kmedcalf@dessus.com>> wrote:
... and the end carrier is making money for terminating them.
Survey (of n=1) says: nothing has changed, aka the new technology is not working. I just received the same kind of recorded message call of "something something renew auto warranty" on my AT&T u-Verse line. This time when I called back the displayed caller ID number it was ring-no-answer, versus the previous "you have reached a number that is no longer in service". By terminating the call the carrier made probably more money than it would cost them to enforce the new rules.
Other than the donotcall.gov <http://donotcall.gov> portal, is there a new way to report the obvious failure of STIR/SHAKEN?
-andreas
People who are actually interested in this subject are well advised to read this thoroughly because it equally applies to SIP spam with a system far less complex and far fewer gaping security holes as STIR. https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-hu.pdf Mike On 7/2/21 8:54 AM, Paul Timmins wrote:
Fun part is that just because it's a telnyx number with a checkmark, it doesn't mean the call came from Telnyx, just that the call came from a carrier that gave the call attestation A. As the carrier, we can see who signed the call (it's an x509 certificate, signed by the STI-PA, with the carrier's name and OCN in it) and hold them accountable for the traffic, which is huge.
But that's where the confusion will lie - a customer might say well this is a verizon wireless number, i'll yell at them! But the actual call came in through Lumen, and they're the ones who can stop it. A carrier can see the cert, but you can just get the verstat flag from the P-Asserted-Identity field in the call to the handset and see that it passed the tests for attestation A.
Just because you don't see a checkmark doesn't mean signatures aren't happening. Attestation B and C aren't displayed on the handset (but are seen in the carrier's systems) and most androids don't have a way to display stir/shaken stuff yet. T-Mobile doesn't send the verstat header to handsets they don't verify as s/s compliant (usually only ones they sell). My trick was to sim swap into an iphone for a day, then back to my android which started displaying the verification after that.
It's all new, but just because you don't see it doesn't mean it's not there. Report the calls to your carrier, they have new tools to track down the misbehavior.
On 7/2/21 8:32 AM, Nick Olsen wrote:
Not all have implemented it yet. But if you haven't. You were supposed to implement some kind of robo calling mitigation plan (Or atleast certify that you have one). At $dayjob we're fully deployed (inbound and outbound).
I received my first ever STIR/SHAKEN signed (iPhone Check mark, highly scientific) spam call on my personal Cell phone on 6/30. It was a Telnyx number. Had the call terminated to $dayjob network. I fully would have collected all various information and ticketed it with Telnyx.
Time will tell how truly effective this is. But we have better originating information now (breadcrumbs) to follow back to the source.
On Thu, Jul 1, 2021 at 5:42 PM Andreas Ott <andreas@naund.org <mailto:andreas@naund.org>> wrote:
On Thu, Jul 1, 2021 at 12:56 PM Keith Medcalf <kmedcalf@dessus.com <mailto:kmedcalf@dessus.com>> wrote:
... and the end carrier is making money for terminating them.
Survey (of n=1) says: nothing has changed, aka the new technology is not working. I just received the same kind of recorded message call of "something something renew auto warranty" on my AT&T u-Verse line. This time when I called back the displayed caller ID number it was ring-no-answer, versus the previous "you have reached a number that is no longer in service". By terminating the call the carrier made probably more money than it would cost them to enforce the new rules.
Other than the donotcall.gov <http://donotcall.gov> portal, is there a new way to report the obvious failure of STIR/SHAKEN?
-andreas
This should help with Robo calls a lot. -----Original Message----- From: NANOG <nanog-bounces+ryan.finnesey=conovence.com@nanog.org> On Behalf Of Sean Donelan Sent: Wednesday, June 30, 2021 2:31 PM To: nanog@nanog.org Subject: SITR/SHAKEN implementation in effect today (June 30 2021) STIR/SHAKEN Broadly Implemented Starting Today https://www.fcc.gov/document/stirshaken-broadly-implemented-starting-today WASHINGTON, June 30, 2021—FCC Acting Chairwoman Jessica Rosenworcel today announced that the largest voice service providers are now using STIR/SHAKEN caller ID authentication standards in their IP networks, in accordance with the deadline set by the FCC. This widespread implementation helps protect consumers against malicious spoofed robocalls and helps law enforcement track bad actors. The STIR/SHAKEN standards serve as a common digital language used by phone networks, allowing valid information to pass from provider to provider which, among other things, informs blocking tools of possible suspicious calls.
All I know is that I am getting a lot fewer bogus calls on my cell phone than I was this time last month. On Fri, Jul 9, 2021, 06:17 Ryan Finnesey via NANOG <nanog@nanog.org> wrote:
This should help with Robo calls a lot.
-----Original Message----- From: NANOG <nanog-bounces+ryan.finnesey=conovence.com@nanog.org> On Behalf Of Sean Donelan Sent: Wednesday, June 30, 2021 2:31 PM To: nanog@nanog.org Subject: SITR/SHAKEN implementation in effect today (June 30 2021)
STIR/SHAKEN Broadly Implemented Starting Today https://www.fcc.gov/document/stirshaken-broadly-implemented-starting-today
WASHINGTON, June 30, 2021—FCC Acting Chairwoman Jessica Rosenworcel today announced that the largest voice service providers are now using STIR/SHAKEN caller ID authentication standards in their IP networks, in accordance with the deadline set by the FCC. This widespread implementation helps protect consumers against malicious spoofed robocalls and helps law enforcement track bad actors. The STIR/SHAKEN standards serve as a common digital language used by phone networks, allowing valid information to pass from provider to provider which, among other things, informs blocking tools of possible suspicious calls.
-- Like us on Social Media for News, Promotions, and other information!! <https://www.facebook.com/SCTCWEB/> <https://www.instagram.com/sctc_sctc/> <https://www.yelp.com/biz/sctc-stayton-3> <https://www.youtube.com/c/sctcvideos> _**** This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. ****_
Subjectively speaking, I'm still getting the same amount of spam phone calls. I'm certainly getting a lot more spam SMS to my cell. Almost all of them in my entire life starting July 1... Josh Luthman 24/7 Help Desk: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373 On Fri, Jul 9, 2021 at 9:40 AM Jeff Shultz <jeffshultz@sctcweb.com> wrote:
All I know is that I am getting a lot fewer bogus calls on my cell phone than I was this time last month.
On Fri, Jul 9, 2021, 06:17 Ryan Finnesey via NANOG <nanog@nanog.org> wrote:
This should help with Robo calls a lot.
-----Original Message----- From: NANOG <nanog-bounces+ryan.finnesey=conovence.com@nanog.org> On Behalf Of Sean Donelan Sent: Wednesday, June 30, 2021 2:31 PM To: nanog@nanog.org Subject: SITR/SHAKEN implementation in effect today (June 30 2021)
STIR/SHAKEN Broadly Implemented Starting Today https://www.fcc.gov/document/stirshaken-broadly-implemented-starting-today
WASHINGTON, June 30, 2021—FCC Acting Chairwoman Jessica Rosenworcel today announced that the largest voice service providers are now using STIR/SHAKEN caller ID authentication standards in their IP networks, in accordance with the deadline set by the FCC. This widespread implementation helps protect consumers against malicious spoofed robocalls and helps law enforcement track bad actors. The STIR/SHAKEN standards serve as a common digital language used by phone networks, allowing valid information to pass from provider to provider which, among other things, informs blocking tools of possible suspicious calls.
Like us on Social Media for News, Promotions, and other information!!
<https://www.facebook.com/SCTCWEB/> [image: https://www.instagram.com/sctc_sctc/] <https://www.instagram.com/sctc_sctc/> <https://www.yelp.com/biz/sctc-stayton-3> <https://www.youtube.com/c/sctcvideos>
**** This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. ****
I’m getting the same or more, but did anyone really expect they would stop July 1? It will take time for complaints to be tracked down and operators to take actions, right? Brandon On Fri, Jul 9, 2021 at 6:49 AM Josh Luthman <josh@imaginenetworksllc.com> wrote:
Subjectively speaking, I'm still getting the same amount of spam phone calls.
I'm certainly getting a lot more spam SMS to my cell. Almost all of them in my entire life starting July 1...
Josh Luthman 24/7 Help Desk: 937-552-2340 Direct: 937-552-2343 1100 Wayne St <https://www.google.com/maps/search/1100+Wayne+St+Suite+1337+Troy,+OH+45373?entry=gmail&source=g> Suite 1337 <https://www.google.com/maps/search/1100+Wayne+St+Suite+1337+Troy,+OH+45373?entry=gmail&source=g> Troy, OH 45373 <https://www.google.com/maps/search/1100+Wayne+St+Suite+1337+Troy,+OH+45373?entry=gmail&source=g>
On Fri, Jul 9, 2021 at 9:40 AM Jeff Shultz <jeffshultz@sctcweb.com> wrote:
All I know is that I am getting a lot fewer bogus calls on my cell phone than I was this time last month.
On Fri, Jul 9, 2021, 06:17 Ryan Finnesey via NANOG <nanog@nanog.org> wrote:
This should help with Robo calls a lot.
-----Original Message----- From: NANOG <nanog-bounces+ryan.finnesey=conovence.com@nanog.org> On Behalf Of Sean Donelan Sent: Wednesday, June 30, 2021 2:31 PM To: nanog@nanog.org Subject: SITR/SHAKEN implementation in effect today (June 30 2021)
STIR/SHAKEN Broadly Implemented Starting Today https://www.fcc.gov/document/stirshaken-broadly-implemented-starting-today
WASHINGTON, June 30, 2021—FCC Acting Chairwoman Jessica Rosenworcel today announced that the largest voice service providers are now using STIR/SHAKEN caller ID authentication standards in their IP networks, in accordance with the deadline set by the FCC. This widespread implementation helps protect consumers against malicious spoofed robocalls and helps law enforcement track bad actors. The STIR/SHAKEN standards serve as a common digital language used by phone networks, allowing valid information to pass from provider to provider which, among other things, informs blocking tools of possible suspicious calls.
-- Brandon Svec 15106862204 ☎️ or 💬
Nothing has changed for me either. Color me surprised. The real proof will be to see if the originating domain can be determined, and whether the receiving domain does anything about it. Mike On 7/9/21 9:42 AM, Brandon Svec via NANOG wrote:
I’m getting the same or more, but did anyone really expect they would stop July 1? It will take time for complaints to be tracked down and operators to take actions, right?
Brandon
On Fri, Jul 9, 2021 at 6:49 AM Josh Luthman <josh@imaginenetworksllc.com <mailto:josh@imaginenetworksllc.com>> wrote:
Subjectively speaking, I'm still getting the same amount of spam phone calls.
I'm certainly getting a lot more spam SMS to my cell. Almost all of them in my entire life starting July 1...
Josh Luthman 24/7 Help Desk: 937-552-2340 Direct: 937-552-2343 1100 Wayne St <https://www.google.com/maps/search/1100+Wayne+St+Suite+1337+Troy,+OH+45373?entry=gmail&source=g> Suite 1337 <https://www.google.com/maps/search/1100+Wayne+St+Suite+1337+Troy,+OH+45373?entry=gmail&source=g> Troy, OH 45373 <https://www.google.com/maps/search/1100+Wayne+St+Suite+1337+Troy,+OH+45373?entry=gmail&source=g>
On Fri, Jul 9, 2021 at 9:40 AM Jeff Shultz <jeffshultz@sctcweb.com <mailto:jeffshultz@sctcweb.com>> wrote:
All I know is that I am getting a lot fewer bogus calls on my cell phone than I was this time last month.
On Fri, Jul 9, 2021, 06:17 Ryan Finnesey via NANOG <nanog@nanog.org <mailto:nanog@nanog.org>> wrote:
This should help with Robo calls a lot.
-----Original Message----- From: NANOG <nanog-bounces+ryan.finnesey=conovence.com@nanog.org <mailto:conovence.com@nanog.org>> On Behalf Of Sean Donelan Sent: Wednesday, June 30, 2021 2:31 PM To: nanog@nanog.org <mailto:nanog@nanog.org> Subject: SITR/SHAKEN implementation in effect today (June 30 2021)
STIR/SHAKEN Broadly Implemented Starting Today https://www.fcc.gov/document/stirshaken-broadly-implemented-starting-today <https://www.fcc.gov/document/stirshaken-broadly-implemented-starting-today>
WASHINGTON, June 30, 2021—FCC Acting Chairwoman Jessica Rosenworcel today announced that the largest voice service providers are now using STIR/SHAKEN caller ID authentication standards in their IP networks, in accordance with the deadline set by the FCC. This widespread implementation helps protect consumers against malicious spoofed robocalls and helps law enforcement track bad actors. The STIR/SHAKEN standards serve as a common digital language used by phone networks, allowing valid information to pass from provider to provider which, among other things, informs blocking tools of possible suspicious calls.
-- Brandon Svec 15106862204 ☎️ or 💬
On Fri, 9 Jul 2021, Michael Thomas wrote:
Nothing has changed for me either. Color me surprised. The real proof will be to see if the originating domain can be determined, and whether the receiving domain does anything about it.
Why would they do anything? The traffic is revenue. What is the FCC going to do other than write mean letters? -Dan
Nothing will change immediately. Having said that, I do expect that we will see much more effective enforcement. The investigations will come from the ITG (Industry Traceback Group) with enforcement coming from FCC or FTC depending on the actual offense. The problem has been that it's been far too easy for robocalling companies to hop from one telecom provider to another. Now there are requirements around "know your customer" that telecom operators have to follow and the ITG will have a much better chance of figuring out who the bad actor is than they have in the past. Longer term I worry that this will lead to more attacks on PBXs, eSBCs, and VOIP handsets to be able to call either from that endpoint itself or be able to use the SIP credentials. The market for robocalls will certainly not disappear. Scott Helms On Fri, Jul 9, 2021 at 1:07 PM Michael Thomas <mike@mtcc.com> wrote:
Nothing has changed for me either. Color me surprised. The real proof will be to see if the originating domain can be determined, and whether the receiving domain does anything about it.
Mike On 7/9/21 9:42 AM, Brandon Svec via NANOG wrote:
I’m getting the same or more, but did anyone really expect they would stop July 1? It will take time for complaints to be tracked down and operators to take actions, right?
Brandon
On Fri, Jul 9, 2021 at 6:49 AM Josh Luthman <josh@imaginenetworksllc.com> wrote:
Subjectively speaking, I'm still getting the same amount of spam phone calls.
I'm certainly getting a lot more spam SMS to my cell. Almost all of them in my entire life starting July 1...
Josh Luthman 24/7 Help Desk: 937-552-2340 Direct: 937-552-2343 1100 Wayne St <https://www.google.com/maps/search/1100+Wayne+St+Suite+1337+Troy,+OH+45373?entry=gmail&source=g> Suite 1337 <https://www.google.com/maps/search/1100+Wayne+St+Suite+1337+Troy,+OH+45373?entry=gmail&source=g> Troy, OH 45373 <https://www.google.com/maps/search/1100+Wayne+St+Suite+1337+Troy,+OH+45373?entry=gmail&source=g>
On Fri, Jul 9, 2021 at 9:40 AM Jeff Shultz <jeffshultz@sctcweb.com> wrote:
All I know is that I am getting a lot fewer bogus calls on my cell phone than I was this time last month.
On Fri, Jul 9, 2021, 06:17 Ryan Finnesey via NANOG <nanog@nanog.org> wrote:
This should help with Robo calls a lot.
-----Original Message----- From: NANOG <nanog-bounces+ryan.finnesey=conovence.com@nanog.org> On Behalf Of Sean Donelan Sent: Wednesday, June 30, 2021 2:31 PM To: nanog@nanog.org Subject: SITR/SHAKEN implementation in effect today (June 30 2021)
STIR/SHAKEN Broadly Implemented Starting Today https://www.fcc.gov/document/stirshaken-broadly-implemented-starting-today
WASHINGTON, June 30, 2021—FCC Acting Chairwoman Jessica Rosenworcel today announced that the largest voice service providers are now using STIR/SHAKEN caller ID authentication standards in their IP networks, in accordance with the deadline set by the FCC. This widespread implementation helps protect consumers against malicious spoofed robocalls and helps law enforcement track bad actors. The STIR/SHAKEN standards serve as a common digital language used by phone networks, allowing valid information to pass from provider to provider which, among other things, informs blocking tools of possible suspicious calls.
-- Brandon Svec 15106862204 ☎️ or 💬
On 7/9/21 1:36 PM, K. Scott Helms wrote:
Nothing will change immediately. Having said that, I do expect that we will see much more effective enforcement. The investigations will come from the ITG (Industry Traceback Group) with enforcement coming from FCC or FTC depending on the actual offense. The problem has been that it's been far too easy for robocalling companies to hop from one telecom provider to another. Now there are requirements around "know your customer" that telecom operators have to follow and the ITG will have a much better chance of figuring out who the bad actor is than they have in the past.
The thing is that that shouldn't have been held up by rolling out STIR. With email, there was nothing akin to the FCC so it was really the only name-and-shame stick we had. This could have been done years ago.
Longer term I worry that this will lead to more attacks on PBXs, eSBCs, and VOIP handsets to be able to call either from that endpoint itself or be able to use the SIP credentials. The market for robocalls will certainly not disappear.
A meta question that really needs to be asked these days is why we even need telco telephony anymore. A lot of problems go away if you are not in thrall to 100 year old technology and its accreted kruft. Mike
On Fri, Jul 9, 2021 at 4:47 PM Michael Thomas <mike@mtcc.com> wrote:
On 7/9/21 1:36 PM, K. Scott Helms wrote:
Nothing will change immediately. Having said that, I do expect that we will see much more effective enforcement. The investigations will come from the ITG (Industry Traceback Group) with enforcement coming from FCC or FTC depending on the actual offense. The problem has been that it's been far too easy for robocalling companies to hop from one telecom provider to another. Now there are requirements around "know your customer" that telecom operators have to follow and the ITG will have a much better chance of figuring out who the bad actor is than they have in the past.
The thing is that that shouldn't have been held up by rolling out STIR. With email, there was nothing akin to the FCC so it was really the only name-and-shame stick we had. This could have been done years ago.
It wouldn't work the same and I say that as someone who ran email for ISPs for decades and just got done with a STIR/SHAKEN implementation. There's far more money in robocalls than there ever has been in spam. The other thing is that the technologies are fundamentally different. Don't get me wrong, there are parallels, but comparing email to the various flavors of telephony (POTS, SIP, MGCP, H.323, etc) isn't all that useful because they're so different. When I get an email as a provider I can always figure out the path it took to get to me. The same is not at all true for a call, though I can trace it to a degree via the CDRs from carriers I work with. Much of the call path will be opaque and often in the case of robocallers it's intentionally so. Number porting is another (big) difference. We could always choose to forward email for a customer who left our service, but imagine if email literally let that person take their address with them regardless of who was providing the hosting for the email.
Longer term I worry that this will lead to more attacks on PBXs, eSBCs, and VOIP handsets to be able to call either from that endpoint itself or be able to use the SIP credentials. The market for robocalls will certainly not disappear.
A meta question that really needs to be asked these days is why we even need telco telephony anymore. A lot of problems go away if you are not in thrall to 100 year old technology and its accreted kruft.
Robocalls really aren't a product of the legacy PSTN. Today almost none of them originate from anywhere but VOIP. Now, you can certainly say that if SS7 had robust authentication mechanisms that we could then trust caller ID (more) but there's no sign of us abandoning the PSTN anytime soon. Having said that, there's any number of protocols we rely on today that have the exact same gap. BGP is arguably even worse than SS7. tl;dr You can no more get rid of telephone companies than you can get rid of ISPs.
Mike
On Friday, 9 July, 2021 16:32, K. Scott Helms wrote:
Robocalls really aren't a product of the legacy PSTN. Today almost none of them originate from anywhere but VOIP. Now, you can certainly say that if SS7 had robust authentication mechanisms that we could then trust caller ID (more) but there's no sign of us abandoning the PSTN anytime soon. Having said that, there's any number of protocols we rely on today that have the exact same gap. BGP is arguably even worse than SS7.
The root of the problem is that the "Caller ID" is not a "Caller ID". If there were a requirement for "truth in advertizing" it would properly be called the "Caller Advertizement" because it is primarily intended as an advertizement by the caller, and not an ID of the caller. -- Be decisive. Make a decision, right or wrong. The road of life is paved with flat squirrels who could not make a decision.
On 7/9/21 3:44 PM, Keith Medcalf wrote:
On Friday, 9 July, 2021 16:32, K. Scott Helms wrote: Robocalls really aren't a product of the legacy PSTN. Today almost none of them originate from anywhere but VOIP. Now, you can certainly say that if SS7 had robust authentication mechanisms that we could then trust caller ID (more) but there's no sign of us abandoning the PSTN anytime soon. Having said that, there's any number of protocols we rely on today that have the exact same gap. BGP is arguably even worse than SS7. The root of the problem is that the "Caller ID" is not a "Caller ID". If there were a requirement for "truth in advertizing" it would properly be called the "Caller Advertizement" because it is primarily intended as an advertizement by the caller, and not an ID of the caller.
The assumption back around 2004 was that P-Asserted-ID would be an old boys network to the end and get told to buzz off when I complained that it wouldn't. This was trivially foreseeable back then and it played it the most ridiculously foreseeable way. Mike
No, the root of the problem is the telcos making billions on these robocalls. Make that illegal, start fining them billions (whatever it takes), and it will stop. We've already had this discussion on nanog, recently, and people who were in that business stood up to affirm that yes indeed-y they're (telcos) making big buck$ on these robocalls. If you doubt that (the usual "I don't actually know a thing about it but I want to say here that I'd rather not live in a world where that's true so I'll make some vague analogy to email spam etc") I suggest you start making thousands of phone calls per hour and tell us how it works out. Telcos aren't email systems, they know every phone call terminating and originating on their systems and they do detail billing. When was the last time you made even one billable call and they missed it? Telcos have often been described as vast detailed billing systems with a voice (etc) feature attached. But they sure are taking advantage of the public's belief that this is all somehow out of their control. Nope. On July 9, 2021 at 16:44 kmedcalf@dessus.com (Keith Medcalf) wrote:
On Friday, 9 July, 2021 16:32, K. Scott Helms wrote:
Robocalls really aren't a product of the legacy PSTN. Today almost none of them originate from anywhere but VOIP. Now, you can certainly say that if SS7 had robust authentication mechanisms that we could then trust caller ID (more) but there's no sign of us abandoning the PSTN anytime soon. Having said that, there's any number of protocols we rely on today that have the exact same gap. BGP is arguably even worse than SS7.
The root of the problem is that the "Caller ID" is not a "Caller ID". If there were a requirement for "truth in advertizing" it would properly be called the "Caller Advertizement" because it is primarily intended as an advertizement by the caller, and not an ID of the caller.
-- Be decisive. Make a decision, right or wrong. The road of life is paved with flat squirrels who could not make a decision.
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On 7/10/21 12:09 PM, bzs@theworld.com wrote:
No, the root of the problem is the telcos making billions on these robocalls. Make that illegal, start fining them billions (whatever it takes), and it will stop.
We've already had this discussion on nanog, recently, and people who were in that business stood up to affirm that yes indeed-y they're (telcos) making big buck$ on these robocalls.
If you doubt that (the usual "I don't actually know a thing about it but I want to say here that I'd rather not live in a world where that's true so I'll make some vague analogy to email spam etc") I suggest you start making thousands of phone calls per hour and tell us how it works out.
Telcos aren't email systems, they know every phone call terminating and originating on their systems and they do detail billing. When was the last time you made even one billable call and they missed it?
Telcos have often been described as vast detailed billing systems with a voice (etc) feature attached.
But they sure are taking advantage of the public's belief that this is all somehow out of their control. Nope.
The cynic in me would say that STIR was a 10 year long way to delay cutting off the gravy train that could have been done simply by regulation. Mike
On 7/9/21 3:32 PM, K. Scott Helms wrote:
On Fri, Jul 9, 2021 at 4:47 PM Michael Thomas <mike@mtcc.com <mailto:mike@mtcc.com>> wrote:
On 7/9/21 1:36 PM, K. Scott Helms wrote: > Nothing will change immediately. Having said that, I do expect that > we will see much more effective enforcement. The investigations will > come from the ITG (Industry Traceback Group) with enforcement > coming from FCC or FTC depending on the actual offense. The problem > has been that it's been far too easy for robocalling companies to hop > from one telecom provider to another. Now there are requirements > around "know your customer" that telecom operators have to follow and > the ITG will have a much better chance of figuring out who the bad > actor is than they have in the past.
The thing is that that shouldn't have been held up by rolling out STIR. With email, there was nothing akin to the FCC so it was really the only name-and-shame stick we had. This could have been done years ago.
It wouldn't work the same and I say that as someone who ran email for ISPs for decades and just got done with a STIR/SHAKEN implementation. There's far more money in robocalls than there ever has been in spam. The other thing is that the technologies are fundamentally different. Don't get me wrong, there are parallels, but comparing email to the various flavors of telephony (POTS, SIP, MGCP, H.323, etc) isn't all that useful because they're so different. When I get an email as a provider I can always figure out the path it took to get to me. The same is not at all true for a call, though I can trace it to a degree via the CDRs from carriers I work with. Much of the call path will be opaque and often in the case of robocallers it's intentionally so. Number porting is another (big) difference. We could always choose to forward email for a customer who left our service, but imagine if email literally let that person take their address with them regardless of who was providing the hosting for the email.
Once it hits a SIP gateway it's pretty much the same. The thing that I think that made the made the biggest -- and this coming from one of the inventors of DKIM -- was shutting down open relays. With email there was no back pressure on ESP's to close them so DKIM was at least a way to name and shame, or at least that was one of the goals at least in my mind. It's hard to say whether there was actually cause and effect, but the reality now is that open relays are pretty much gone -- at least with ESP's. I was one of the early Cassandras telling people that P-Asserted-Identity was going to lead to exactly what has happened for which I got told I was wrong, and then threw up my hands and went and worked on email. This could have been dealt with 15 years ago and it could have trivially piggybacked off of the DKIM work -- heck I even hacked a SIP stack to prove the point. And it should have learned the lessons with email which it apparently has not because the 9th of July don't seem any different than the 30th of June. Also: since there are PSTN gateways which fundamentally can't be secured spammers will take advantage of the holes as they become economically viable. The entire scheme of attesting for e.164 addresses was a complete waste of time. The problem is with the SIP gateway that onramps the bogus calls not whether somebody should be able to assert a given address real time. Those onramps could have taken those measures a decade ago but didn't just like the open email sewers before requiring submission auth. I think that Peterson has some other wacky shit to make PSTN gateway traversal better, turning a Rube Goldberg contraption into something even worse. The entire thing is madness with its complexity but I would expect nothing less from the SIP WG.
> Longer term I worry that this will lead to more attacks on PBXs, > eSBCs, and VOIP handsets to be able to call either from that endpoint > itself or be able to use the SIP credentials. The market for robocalls > will certainly not disappear. > A meta question that really needs to be asked these days is why we even need telco telephony anymore. A lot of problems go away if you are not in thrall to 100 year old technology and its accreted kruft.
Robocalls really aren't a product of the legacy PSTN. Today almost none of them originate from anywhere but VOIP. Now, you can certainly say that if SS7 had robust authentication mechanisms that we could then trust caller ID (more) but there's no sign of us abandoning the PSTN anytime soon. Having said that, there's any number of protocols we rely on today that have the exact same gap. BGP is arguably even worse than SS7.
I'm not speaking about PSTN qua PSTN/SS7, etc. I'm speaking about being shackled to an architecture that isn't relevant today. The bellheadedness of STIR is frightening: they actually scrape SIP From: addresses and have a regex to determine if it's a telephone number. People don't use telephone numbers for anything but phones, and all of the rest is email addresses. There is fundamentally nothing stopping SIP From: mike@mtcc.com be how reach me. STIR leaves that use case in limbo: I've never been able to get a straight answer about it, which means in reality it's not supported. I'd actually like that quite a bit more especially since it would make it difficult right off the bat to spoof my domain vs. spoofing area codes. Doubly so for spear phishing. We already know how to do federation: email. There is just no justification for keeping the legacy PSTN kruft, and even worse wagging the dog. Mike, Cassandra to the end
On Fri, 9 Jul 2021, K. Scott Helms wrote:
Nothing will change immediately. Having said that, I do expect that we will see much more effective enforcement. The investigations will come from the ITG (Industry Traceback Group) with enforcement coming from FCC or FTC depending on the actual offense. The problem has been that it's been far too easy for robocalling companies to hop from one telecom provider to another. Now there are requirements around "know your customer" that telecom operators have to follow and the ITG will have a much better chance of figuring out who the bad actor is than they have in the past. Longer term I worry that this will lead to more attacks on PBXs, eSBCs, and VOIP handsets to be able to call either from that endpoint itself or be able to use the SIP credentials. The market for robocalls will certainly not disappear.
until there is enforcement there will be no changes. enforcement means more than just sternly worded letters. robocalls won't stop until the perps go to prison. -Dan
participants (13)
-
Andreas Ott
-
Brandon Svec
-
bzs@theworld.com
-
goemon@sasami.anime.net
-
Jeff Shultz
-
Josh Luthman
-
K. Scott Helms
-
Keith Medcalf
-
Michael Thomas
-
Nick Olsen
-
Paul Timmins
-
Ryan Finnesey
-
Sean Donelan