FCC proposes $10 Million fine for spoofed robocalls
On Monday, U.S. FCC Chairman Pai and Canadian CRTC Chairperson Scott made the first official cross-border SHAKEN/STIR call. https://www.fcc.gov/document/pai-scott-make-first-official-cross-border-shak... Today, the U.S. FCC announced a proposed nearly $10 million fine for spoofed robocalls. https://www.fcc.gov/document/fcc-proposes-nearly-10-million-fine-spoofed-rob... A U.S. telemarketing firm spoofed the caller-id of a competitor to make approximately 47,610 political robocalls shortly before a California State Assembly primary election. I think this case is somewhat unusual for robocall spoofing, because the alleged perpetrator, victims, and 'crime scene' occured within the same jurisdiction. While the FCC likes to announce large enforcement actions in splashy press releases, its actually bad about collecting fines. The FCC must rely on the Justice Department to initiate separate prosecution to enforce payment from non-license holders because the FCC can't do that itself. So don't expect anyone to actually pay soon (or ever).
It is so bad that I am not above us bribing politicians in foreign countries to crack down on this. On Thu, Dec 12, 2019 at 3:37 PM Sean Donelan <sean@donelan.com> wrote:
On Monday, U.S. FCC Chairman Pai and Canadian CRTC Chairperson Scott made the first official cross-border SHAKEN/STIR call.
https://www.fcc.gov/document/pai-scott-make-first-official-cross-border-shak...
Today, the U.S. FCC announced a proposed nearly $10 million fine for spoofed robocalls.
https://www.fcc.gov/document/fcc-proposes-nearly-10-million-fine-spoofed-rob...
A U.S. telemarketing firm spoofed the caller-id of a competitor to make approximately 47,610 political robocalls shortly before a California State Assembly primary election.
I think this case is somewhat unusual for robocall spoofing, because the alleged perpetrator, victims, and 'crime scene' occured within the same jurisdiction.
While the FCC likes to announce large enforcement actions in splashy press releases, its actually bad about collecting fines. The FCC must rely on the Justice Department to initiate separate prosecution to enforce payment from non-license holders because the FCC can't do that itself. So don't expect anyone to actually pay soon (or ever).
Would be nice to have these stopped. I received 10 of them yesterday, pretending to be apple icloud support From: NANOG <nanog-bounces@nanog.org> On Behalf Of Javier J Sent: Wednesday, December 18, 2019 8:38 PM To: Sean Donelan <sean@donelan.com> Cc: nanog <nanog@nanog.org> Subject: Re: FCC proposes $10 Million fine for spoofed robocalls It is so bad that I am not above us bribing politicians in foreign countries to crack down on this. On Thu, Dec 12, 2019 at 3:37 PM Sean Donelan <sean@donelan.com<mailto:sean@donelan.com>> wrote: On Monday, U.S. FCC Chairman Pai and Canadian CRTC Chairperson Scott made the first official cross-border SHAKEN/STIR call. https://www.fcc.gov/document/pai-scott-make-first-official-cross-border-shak... Today, the U.S. FCC announced a proposed nearly $10 million fine for spoofed robocalls. https://www.fcc.gov/document/fcc-proposes-nearly-10-million-fine-spoofed-rob... A U.S. telemarketing firm spoofed the caller-id of a competitor to make approximately 47,610 political robocalls shortly before a California State Assembly primary election. I think this case is somewhat unusual for robocall spoofing, because the alleged perpetrator, victims, and 'crime scene' occured within the same jurisdiction. While the FCC likes to announce large enforcement actions in splashy press releases, its actually bad about collecting fines. The FCC must rely on the Justice Department to initiate separate prosecution to enforce payment from non-license holders because the FCC can't do that itself. So don't expect anyone to actually pay soon (or ever).
~ $204 per spoofed call. On Thu, Dec 19, 2019, 10:09 AM Kain, Becki (.) <bkain1@ford.com> wrote:
Would be nice to have these stopped. I received 10 of them yesterday, pretending to be apple icloud support
*From:* NANOG <nanog-bounces@nanog.org> *On Behalf Of *Javier J *Sent:* Wednesday, December 18, 2019 8:38 PM *To:* Sean Donelan <sean@donelan.com> *Cc:* nanog <nanog@nanog.org> *Subject:* Re: FCC proposes $10 Million fine for spoofed robocalls
It is so bad that I am not above us bribing politicians in foreign countries to crack down on this.
On Thu, Dec 12, 2019 at 3:37 PM Sean Donelan <sean@donelan.com> wrote:
On Monday, U.S. FCC Chairman Pai and Canadian CRTC Chairperson Scott made the first official cross-border SHAKEN/STIR call.
https://www.fcc.gov/document/pai-scott-make-first-official-cross-border-shak...
Today, the U.S. FCC announced a proposed nearly $10 million fine for spoofed robocalls.
https://www.fcc.gov/document/fcc-proposes-nearly-10-million-fine-spoofed-rob...
A U.S. telemarketing firm spoofed the caller-id of a competitor to make approximately 47,610 political robocalls shortly before a California State Assembly primary election.
I think this case is somewhat unusual for robocall spoofing, because the alleged perpetrator, victims, and 'crime scene' occured within the same jurisdiction.
While the FCC likes to announce large enforcement actions in splashy press releases, its actually bad about collecting fines. The FCC must rely on the Justice Department to initiate separate prosecution to enforce payment from non-license holders because the FCC can't do that itself. So don't expect anyone to actually pay soon (or ever).
How is it envisioned that this will work? I mean, I'm all for less spam calling... and ideally there would be some form of 'source address verification' on the PSTN/phone network... but in today's world that really just doesn't exist and the motivations to suppress fake sources are 'just as good' as they are on the intertubes. (with crappier options in the gear - SHAKEN/STIR are really not even available in the majority of the switch 'gear' right?) On Thu, Dec 19, 2019 at 10:08 AM Kain, Becki (.) <bkain1@ford.com> wrote:
Would be nice to have these stopped. I received 10 of them yesterday, pretending to be apple icloud support
From: NANOG <nanog-bounces@nanog.org> On Behalf Of Javier J Sent: Wednesday, December 18, 2019 8:38 PM To: Sean Donelan <sean@donelan.com> Cc: nanog <nanog@nanog.org> Subject: Re: FCC proposes $10 Million fine for spoofed robocalls
It is so bad that I am not above us bribing politicians in foreign countries to crack down on this.
On Thu, Dec 12, 2019 at 3:37 PM Sean Donelan <sean@donelan.com> wrote:
On Monday, U.S. FCC Chairman Pai and Canadian CRTC Chairperson Scott made the first official cross-border SHAKEN/STIR call. https://www.fcc.gov/document/pai-scott-make-first-official-cross-border-shak...
Today, the U.S. FCC announced a proposed nearly $10 million fine for spoofed robocalls. https://www.fcc.gov/document/fcc-proposes-nearly-10-million-fine-spoofed-rob...
A U.S. telemarketing firm spoofed the caller-id of a competitor to make approximately 47,610 political robocalls shortly before a California State Assembly primary election.
I think this case is somewhat unusual for robocall spoofing, because the alleged perpetrator, victims, and 'crime scene' occured within the same jurisdiction.
While the FCC likes to announce large enforcement actions in splashy press releases, its actually bad about collecting fines. The FCC must rely on the Justice Department to initiate separate prosecution to enforce payment from non-license holders because the FCC can't do that itself. So don't expect anyone to actually pay soon (or ever).
On Thu, Dec 19, 2019 at 11:16:08AM -0500, Christopher Morrow wrote:
How is it envisioned that this will work?
My prediction for 2020: it still won't work, like in 2019 and the years before that. A call originated, transported and delivered equals revenue for all involved parties, so it is in their best interest not to block them, unless the fines are really magnitude(s) higher than the revenue.
I mean, I'm all for less spam calling... and ideally there would be some form of 'source address verification' on the PSTN/phone network... but in today's world that really just doesn't exist and the motivations to suppress fake sources are 'just as good' as they are on the intertubes. (with crappier options in the gear - SHAKEN/STIR are really not even available in the majority of the switch 'gear' right?)
When I tried to pay my AT&T uverse VOIP "landline" bill this morning they offered me a free "CallProtect App" but when I click on more info it's in fact only a link to open their "control call forwarding and blocking" part of the home phone features web site. All their suggested controls are enabled, still I am receiving only unwanted calls on this line. In the call and voicemail history list for my number I have at least these examples for you to laugh at. Hint: look at the numbers. and I have also been told that there is no equivalent of uRPF in the phone world. Name Number When Length Actions Suspected Spam 888-194-1242 11-30-19, 10:56 AM 0:00 Add to Address Book From Number When Size NAME NOT FOUND 408-145-1341 08-12-19, 09:14 AM 29 Kb NAME NOT FOUND 213-141-5163 05-17-19, 10:22 AM 353 Kb -andreas
On 12/19/19 12:09 PM, Andreas Ott wrote:
I have also been told that there is no equivalent of uRPF in the phone world.
This is the biggest issue, and unfortunately (and my knowledge of the PSTN is admittedly a bit lacking, here), there's likely no good way to add it. Calls on the PSTN are routed essentially based on "who do I feel like handing this off to, today", and then that entity may do the same, and so on. It's pretty routine for an outfit to have multiple contracts for termination that may not even be aware of the "legitimate" numbers from which their customers might "source" a call. Further, it's entirely normal and perfectly legitimate (to varying degrees) for an outfit to purport in CID a number that is not directly assigned to them nor which will actually result in a callback being routed to them. Think of caller ID more like reverse DNS. It's largely advisory and, outside some situations where you deliberately want a higher degree of repuatation/identity verification and are willing to accept a potentially large number of false flags, there's no real reason to rely on it outside of human nicety. The rough analogy to the source IP address is the ANI information that's not even passed to most end users. That's "who should I bill this to?". But even that can get overwritten sometimes during call routing, from what I gather. It's also rarely a valid callback number for any non-trivial call source. Or, at least, if you did call it, the person who (might) answer the phone will have no idea what prompted you to do so. SHAKEN/STIR, the leading proposal to "fix" this, is more like RPKI in a way albeit very much re-envisioned based on circuit switching rather than packet switching. Each intervening network can attest to what degree they are able to verify the CID (and maybe ANI?) information in the call. Unfortunately, a perfectly valid attestation is "I cannot verify it", and indeed that's likely to be most of the attestations you'll see at least at first. The best it really lets you do is figure out some networks at which to point fingers. When "full attestation" is present, i.e. the network operator has been able to verify that the CID field represents a number authorized for use by the entity originating the call, it's maybe more like DKIM in that you can, with cryptographic certainty, know THE network at which to point fingers as they're the ones who admitted the call into the PSTN with authority that the CID field (among others) is "valid". [And all the old PSTN folks will please forgive me if I'm inaccurate, here, though corrections are welcome] -- Brandon Martin
"CallerID" is a misnomer. It is actually the "Advertized ID". However, the telco's realized you would not pay to receive advertizing so they renamed it to something they thought you would pay for. Pretty canny business model eh? And apparently y'all fell for it, thinking it was related to the Identification of the Caller, rather than being what the caller wished to advertize. -- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message----- From: NANOG <nanog-bounces@nanog.org> On Behalf Of Brandon Martin Sent: Thursday, 19 December, 2019 10:25 To: nanog@nanog.org Subject: Re: FCC proposes $10 Million fine for spoofed robocalls
On 12/19/19 12:09 PM, Andreas Ott wrote:
I have also been told that there is no equivalent of uRPF in the phone world.
This is the biggest issue, and unfortunately (and my knowledge of the PSTN is admittedly a bit lacking, here), there's likely no good way to add it.
Calls on the PSTN are routed essentially based on "who do I feel like handing this off to, today", and then that entity may do the same, and so on. It's pretty routine for an outfit to have multiple contracts for termination that may not even be aware of the "legitimate" numbers from which their customers might "source" a call.
Further, it's entirely normal and perfectly legitimate (to varying degrees) for an outfit to purport in CID a number that is not directly assigned to them nor which will actually result in a callback being routed to them.
Think of caller ID more like reverse DNS. It's largely advisory and, outside some situations where you deliberately want a higher degree of repuatation/identity verification and are willing to accept a potentially large number of false flags, there's no real reason to rely on it outside of human nicety.
The rough analogy to the source IP address is the ANI information that's not even passed to most end users. That's "who should I bill this to?". But even that can get overwritten sometimes during call routing, from what I gather. It's also rarely a valid callback number for any non-trivial call source. Or, at least, if you did call it, the person who (might) answer the phone will have no idea what prompted you to do so.
SHAKEN/STIR, the leading proposal to "fix" this, is more like RPKI in a way albeit very much re-envisioned based on circuit switching rather than packet switching. Each intervening network can attest to what degree they are able to verify the CID (and maybe ANI?) information in the call. Unfortunately, a perfectly valid attestation is "I cannot verify it", and indeed that's likely to be most of the attestations you'll see at least at first. The best it really lets you do is figure out some networks at which to point fingers.
When "full attestation" is present, i.e. the network operator has been able to verify that the CID field represents a number authorized for use by the entity originating the call, it's maybe more like DKIM in that you can, with cryptographic certainty, know THE network at which to point fingers as they're the ones who admitted the call into the PSTN with authority that the CID field (among others) is "valid".
[And all the old PSTN folks will please forgive me if I'm inaccurate, here, though corrections are welcome] -- Brandon Martin
On top of that, there's also the issue of many telcos deciding that, no, you can't just shove whatever you want on the wire, it needs to be a DID and name registered on your trunk... unless you pay us an extra fee per month and say you'll be good, then you can spoof to your heart's content. As far as actual enforcement of all this goes, this morning spam and robocall blocking legislation came into force in Canada. Coincidentally, this morning so far I've received six robocalls from the same "your social insurance number has been hacked and you are breaking the law by not paying us to fix it" scam, two of which were before the sun came up. Prior to today I usually got one a day on average. At least one of the big three carriers has said they're going to be rolling out network-side call blocking "in the coming weeks" but I'm expecting my cell to continue to be a source of annoyance for the foreseeable future. -- Troy Martin | tmartin@charter.ca
-----Original Message----- From: NANOG <nanog-bounces@nanog.org> On Behalf Of Keith Medcalf Sent: December 19, 2019 9:43 AM To: Brandon Martin <lists.nanog@monmotha.net>; nanog@nanog.org Subject: RE: FCC proposes $10 Million fine for spoofed robocalls
"CallerID" is a misnomer. It is actually the "Advertized ID". However, the telco's realized you would not pay to receive advertizing so they renamed it to something they thought you would pay for.
Pretty canny business model eh? And apparently y'all fell for it, thinking it was related to the Identification of the Caller, rather than being what the caller wished to advertize.
-- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
There are laws against many of these SPAM calls today. I suppose the agencies that are responsible for prosecuting these could answer some of their SPAM calls to see who was calling. Same thing with SPAM faxes, we didn't get a technical fix, just used the law against anyone who tried. Fax SPAM isn't fixed but its not being abused. Technical fixes might will no doubt be part of the problem. But enforcement will also address this. But yes I see everyone's lack of apathy for this problem as only accelerating the death of the PSTN. Kevin Burke 802-540-0979 Burlington Telecom 200 Church St, Burlington, VT -----Original Message----- From: NANOG <nanog-bounces@nanog.org> On Behalf Of Troy Martin Sent: Thursday, December 19, 2019 1:54 PM To: Keith Medcalf <kmedcalf@dessus.com>; nanog@nanog.org Subject: RE: FCC proposes $10 Million fine for spoofed robocalls WARNING!! This message originated from an External Source. Please use proper judgment and caution when opening attachments, clicking links, or responding to this email. On top of that, there's also the issue of many telcos deciding that, no, you can't just shove whatever you want on the wire, it needs to be a DID and name registered on your trunk... unless you pay us an extra fee per month and say you'll be good, then you can spoof to your heart's content. As far as actual enforcement of all this goes, this morning spam and robocall blocking legislation came into force in Canada. Coincidentally, this morning so far I've received six robocalls from the same "your social insurance number has been hacked and you are breaking the law by not paying us to fix it" scam, two of which were before the sun came up. Prior to today I usually got one a day on average. At least one of the big three carriers has said they're going to be rolling out network-side call blocking "in the coming weeks" but I'm expecting my cell to continue to be a source of annoyance for the foreseeable future. -- Troy Martin | tmartin@charter.ca
-----Original Message----- From: NANOG <nanog-bounces@nanog.org> On Behalf Of Keith Medcalf Sent: December 19, 2019 9:43 AM To: Brandon Martin <lists.nanog@monmotha.net>; nanog@nanog.org Subject: RE: FCC proposes $10 Million fine for spoofed robocalls
"CallerID" is a misnomer. It is actually the "Advertized ID". However, the telco's realized you would not pay to receive advertizing so they renamed it to something they thought you would pay for.
Pretty canny business model eh? And apparently y'all fell for it, thinking it was related to the Identification of the Caller, rather than being what the caller wished to advertize.
-- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
If you want to end robocalls then every time you get one call your local congress person's or senator's main phone number and say "I just got another robocall (perhaps characterizing it like 'for auto warranties' or 'for IRS fraud')". Everyone. Every time. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
Perhaps list the phone number of your representatives or your state attorney general's office in your domain contact info. On Thu, Dec 19, 2019 at 5:28 PM <bzs@theworld.com> wrote:
If you want to end robocalls then every time you get one call your local congress person's or senator's main phone number and say "I just got another robocall (perhaps characterizing it like 'for auto warranties' or 'for IRS fraud')".
Everyone. Every time.
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
This, of course, will do no good. These so called "Robocalls" are exactly that. They generate a random number to call and play the silly canned message. If you press whatever the code is to talk to the idiots, they then hand off the call to a call center. You should ALWAYS talk to the call center behind the robocaller. The robocaller (the one playing the message) is relatively local and the cost of that call is minimal. When you select to talk to the robocaller, that generates an international handoff to a call center in India. This costs more money (it costs THEM more money). The longer you can keep the bastards talking on the phone, the MORE it costs them. It can also be quite entertaining and you can keep them on the line for HOURS with enough practice. If you do this EVERY SINGLE TIME then in rather short order your telephone number will be fed back to the company doing the "robocalling" as a "bad target" and you will get no more robocalls (since there are only two or three companies in the whole world who run the front end for a whole shitload of scammers). Conversely if you do not answer or hang up on the robo-message, you will be classified as an "excellent target" and you will get MORE calls. -- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message----- From: NANOG <nanog-bounces@nanog.org> On Behalf Of Chad Dailey Sent: Thursday, 19 December, 2019 16:38 To: nanog@nanog.org Subject: Re: FCC proposes $10 Million fine for spoofed robocalls
Perhaps list the phone number of your representatives or your state attorney general's office in your domain contact info.
On Thu, Dec 19, 2019 at 5:28 PM <bzs@theworld.com <mailto:bzs@theworld.com> > wrote:
If you want to end robocalls then every time you get one call your local congress person's or senator's main phone number and say "I just got another robocall (perhaps characterizing it like 'for auto warranties' or 'for IRS fraud')".
Everyone. Every time.
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
So send them all to Lenny? ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Keith Medcalf" <kmedcalf@dessus.com> To: "North American Network Operators' Group" <nanog@nanog.org> Sent: Thursday, December 19, 2019 6:09:32 PM Subject: RE: FCC proposes $10 Million fine for spoofed robocalls This, of course, will do no good. These so called "Robocalls" are exactly that. They generate a random number to call and play the silly canned message. If you press whatever the code is to talk to the idiots, they then hand off the call to a call center. You should ALWAYS talk to the call center behind the robocaller. The robocaller (the one playing the message) is relatively local and the cost of that call is minimal. When you select to talk to the robocaller, that generates an international handoff to a call center in India. This costs more money (it costs THEM more money). The longer you can keep the bastards talking on the phone, the MORE it costs them. It can also be quite entertaining and you can keep them on the line for HOURS with enough practice. If you do this EVERY SINGLE TIME then in rather short order your telephone number will be fed back to the company doing the "robocalling" as a "bad target" and you will get no more robocalls (since there are only two or three companies in the whole world who run the front end for a whole shitload of scammers). Conversely if you do not answer or hang up on the robo-message, you will be classified as an "excellent target" and you will get MORE calls. -- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message----- From: NANOG <nanog-bounces@nanog.org> On Behalf Of Chad Dailey Sent: Thursday, 19 December, 2019 16:38 To: nanog@nanog.org Subject: Re: FCC proposes $10 Million fine for spoofed robocalls
Perhaps list the phone number of your representatives or your state attorney general's office in your domain contact info.
On Thu, Dec 19, 2019 at 5:28 PM <bzs@theworld.com <mailto:bzs@theworld.com> > wrote:
If you want to end robocalls then every time you get one call your local congress person's or senator's main phone number and say "I just got another robocall (perhaps characterizing it like 'for auto warranties' or 'for IRS fraud')".
Everyone. Every time.
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On Thu, 19 Dec 2019, Keith Medcalf wrote:
You should ALWAYS talk to the call center behind the robocaller. The robocaller (the one playing the message) is relatively local and the cost of that call is minimal. When you select to talk to the robocaller, that generates an international handoff to a call center in India.
Generally the call center phone number is also "local" even if the warm body is in some other country as that usually occurs via SIP. /mark
On Friday, 20 December, 2019 10:57, Mark Milhollan wrote:
On Thu, 19 Dec 2019, Keith Medcalf wrote:
You should ALWAYS talk to the call center behind the robocaller. The robocaller (the one playing the message) is relatively local and the cost of that call is minimal. When you select to talk to the robocaller, that generates an international handoff to a call center in India.
Generally the call center phone number is also "local" even if the warm body is in some other country as that usually occurs via SIP.
Be that as it may, every minute you keep the call center person on the line is a minute they are not busily scamming someone else. Furthermore, while it is merely anecdotal, I can indeed report that since instituting a policy of ALWAYS answering robocalls and ALWAYS keeping them talking as long as possible, the number of such calls has decreased markedly, from several per day to now only one every couple of weeks / month. Because there *is* a cost associated with robo-scams, they must keep score in order to maximize return for the resources consumed (unlike e-mail spam scams which have effectively no need to prune the potential target list) you simply have to make the "cost" of dialing your telephone more expensive that the other couple billion potential targets. Its like being in a group being chased by a bear. You needn't run faster than the bear, merely faster than the slowest in the group. -- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
On Fri, 20 Dec 2019, Keith Medcalf wrote:
On Friday, 20 December, 2019 10:57, Mark Milhollan wrote:
On Thu, 19 Dec 2019, Keith Medcalf wrote:
You should ALWAYS talk to the call center behind the robocaller. The robocaller (the one playing the message) is relatively local and the cost of that call is minimal. When you select to talk to the robocaller, that generates an international handoff to a call center in India.
Generally the call center phone number is also "local" even if the warm body is in some other country as that usually occurs via SIP.
Be that as it may, every minute you keep the call center person on the line is a minute they are not busily scamming someone else. Furthermore, while it is merely anecdotal, I can indeed report that since instituting a policy of ALWAYS answering robocalls and ALWAYS keeping them talking as long as possible, the number of such calls has decreased markedly, from several per day to now only one every couple of weeks / month.
Because there *is* a cost associated with robo-scams, they must keep score in order to maximize return for the resources consumed (unlike e-mail spam scams which have effectively no need to prune the potential target list) you simply have to make the "cost" of dialing your telephone more expensive that the other couple billion potential targets. Its like being in a group being chased by a bear. You needn't run faster than the bear, merely faster than the slowest in the group.
This assumes my time is worth less than nothing, which is not the case, and that my time will make a material negative impact on these operations, which it will not. I do not believe that all people receiving these calls will spend the time to screw with them at a high enough rate to make it cost-ineffective for the scams to continue, unfortunately due to the high enough rate of success that keeps them in business. --------------------------------------------------------------------------- Peter Beckman Internet Guy beckman@angryox.com http://www.angryox.com/ ---------------------------------------------------------------------------
Not only international call costs money (yes, it is extremely cheap SIP nowdays), but the time of call center operators costs money as well, And it is really not so cheap for the end customer (i.e. spammer), even in India. 20.12.19 19:56, Mark Milhollan пише:
On Thu, 19 Dec 2019, Keith Medcalf wrote:
You should ALWAYS talk to the call center behind the robocaller. The robocaller (the one playing the message) is relatively local and the cost of that call is minimal. When you select to talk to the robocaller, that generates an international handoff to a call center in India.
Generally the call center phone number is also "local" even if the warm body is in some other country as that usually occurs via SIP.
/mark
I do that every time ;) As the owner of telco, I even get small money for this call termination. Also, we implemented immediate answer and voice menu option, it says "Welcome, press ... to reach ...!" and circles. So me (as the telco operator) receive the money for call termination, and real customer do not get a spam call. Looks like captcha in the Internet! 20.12.19 02:09, Keith Medcalf пише:
This, of course, will do no good. These so called "Robocalls" are exactly that. They generate a random number to call and play the silly canned message. If you press whatever the code is to talk to the idiots, they then hand off the call to a call center.
You should ALWAYS talk to the call center behind the robocaller. The robocaller (the one playing the message) is relatively local and the cost of that call is minimal. When you select to talk to the robocaller, that generates an international handoff to a call center in India. This costs more money (it costs THEM more money). The longer you can keep the bastards talking on the phone, the MORE it costs them. It can also be quite entertaining and you can keep them on the line for HOURS with enough practice.
If you do this EVERY SINGLE TIME then in rather short order your telephone number will be fed back to the company doing the "robocalling" as a "bad target" and you will get no more robocalls (since there are only two or three companies in the whole world who run the front end for a whole shitload of scammers).
Conversely if you do not answer or hang up on the robo-message, you will be classified as an "excellent target" and you will get MORE calls.
On Sat, 2020-01-04 at 16:32 +0200, Max Tulyev wrote:
Also, we implemented immediate answer and voice menu option, it says "Welcome, press ... to reach ...!" and circles. So me (as the telco operator) receive the money for call termination, and real customer do not get a spam call. Looks like captcha in the Internet!
Ha! As discussed earlier in this thread, I have implemented the same thing. But I am just a single end-user, not a telco. It's so incredibly effective that I have wondered often if any telcos had actually implemented such a thing for their customers, even as an option, or even a paid service. I have also wondered though how ineffective it might become with wide deployment effectively upping the ante in the arms race. The captcha would have to get more difficult. "Enter the result of 1+3 to reach...". I wonder how many real people that would trip up though with "WTF?". Lots would probably try to press 1 and then 3, etc. Cheers, b.
Fact is the telcos make lots of money off spoofed robocalls so they have zero incentive to stop the practice. -Dan On Thu, 19 Dec 2019, Keith Medcalf wrote:
"CallerID" is a misnomer. It is actually the "Advertized ID". However, the telco's realized you would not pay to receive advertizing so they renamed it to something they thought you would pay for.
Pretty canny business model eh? And apparently y'all fell for it, thinking it was related to the Identification of the Caller, rather than being what the caller wished to advertize.
-- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message----- From: NANOG <nanog-bounces@nanog.org> On Behalf Of Brandon Martin Sent: Thursday, 19 December, 2019 10:25 To: nanog@nanog.org Subject: Re: FCC proposes $10 Million fine for spoofed robocalls
On 12/19/19 12:09 PM, Andreas Ott wrote:
I have also been told that there is no equivalent of uRPF in the phone world.
This is the biggest issue, and unfortunately (and my knowledge of the PSTN is admittedly a bit lacking, here), there's likely no good way to add it.
Calls on the PSTN are routed essentially based on "who do I feel like handing this off to, today", and then that entity may do the same, and so on. It's pretty routine for an outfit to have multiple contracts for termination that may not even be aware of the "legitimate" numbers from which their customers might "source" a call.
Further, it's entirely normal and perfectly legitimate (to varying degrees) for an outfit to purport in CID a number that is not directly assigned to them nor which will actually result in a callback being routed to them.
Think of caller ID more like reverse DNS. It's largely advisory and, outside some situations where you deliberately want a higher degree of repuatation/identity verification and are willing to accept a potentially large number of false flags, there's no real reason to rely on it outside of human nicety.
The rough analogy to the source IP address is the ANI information that's not even passed to most end users. That's "who should I bill this to?". But even that can get overwritten sometimes during call routing, from what I gather. It's also rarely a valid callback number for any non-trivial call source. Or, at least, if you did call it, the person who (might) answer the phone will have no idea what prompted you to do so.
SHAKEN/STIR, the leading proposal to "fix" this, is more like RPKI in a way albeit very much re-envisioned based on circuit switching rather than packet switching. Each intervening network can attest to what degree they are able to verify the CID (and maybe ANI?) information in the call. Unfortunately, a perfectly valid attestation is "I cannot verify it", and indeed that's likely to be most of the attestations you'll see at least at first. The best it really lets you do is figure out some networks at which to point fingers.
When "full attestation" is present, i.e. the network operator has been able to verify that the CID field represents a number authorized for use by the entity originating the call, it's maybe more like DKIM in that you can, with cryptographic certainty, know THE network at which to point fingers as they're the ones who admitted the call into the PSTN with authority that the CID field (among others) is "valid".
[And all the old PSTN folks will please forgive me if I'm inaccurate, here, though corrections are welcome] -- Brandon Martin
On Thursday, 19 December, 2019 12:54, Dan Hollis <goemon@sasami.anime.net> wrote:
Fact is the telcos make lots of money off spoofed robocalls so they have zero incentive to stop the practice.
On Thu, 19 Dec 2019, Keith Medcalf wrote:
"CallerID" is a misnomer. It is actually the "Advertized ID".
However, the telco's realized you would not pay to receive advertizing so they renamed it to something they thought you would pay for.
Pretty canny business model eh? And apparently y'all fell for it,
thinking it was related to the Identification of the Caller, rather
That is an easy one to solve. The telco simply needs to provide a free "Call Screening" service that you can activate on your line such that the telco terminates all calls with a message "Please enter <random three digit number> to ring the subscriber line". No valid code, disconnect the call. They still get to charge a termination fee to whomever handed the call to them. Additional features (whitelisting/blacklisting) available for extra charge. than
being what the caller wished to advertize.
-- The fact that there's a Highway to Hell but only a Stairway to Heaven
says a lot about anticipated traffic volume.
-- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
On Thu, Dec 19, 2019 at 9:25 AM Brandon Martin <lists.nanog@monmotha.net> wrote:
Further, it's entirely normal and perfectly legitimate (to varying degrees) for an outfit to purport in CID a number that is not directly assigned to them nor which will actually result in a callback being routed to them.
Hi Brandon, Correct. Consider this scenario: You have a Vonage phone. You use the "simultaneous ring" feature to have calls to your Vonage phone also ring your Verizon cell phone. I call your Vonage phone from my Verizon cell phone. Vonage initiates a call to your Verizon phone purporting to be from my phone number. Because, of course, it is. But Verizon receiving the call from Vonage has no view of the original call in I made in to Vonage. To present you with the caller ID information you want, they have to take Vonage's word for it that the call really is from a number Verizon itself owns. Think of a phone call like a long chain of proxy servers and you're being asked to accept the source claim made by the first proxy server in the chain. Anyway, the FCC's track record collecting fines for spam calls is even worse than its record for imposing the fines in the first place. This isn't a legislative problem, it's a technical one. If I had the "in" with a call center company, I'd build a solution this way: I call your phone number. Your phone company compares my number against your whitelist. Ring through on match. If no match, "You have reached Name. Press 2 to leave a message. Press 3 to enter your code. Press 0 or stay on the line for an operator." Ring through on a valid code. If 0, the call connects to a call center where a live operator evaluates the call. Who am I? Why am I calling? Do I meet the plain-English criteria you've established for calls to allow through? If no, the operator offers to connect me to your voicemail. If yes, the operator dials you, explains who's calling and asks your permission to connect the call. You can spoof the automation but your hit rate spoofing the live operator is not going to be good enough to keep trying. And if you do keep trying, the operator company has lawyers and a financial incentive to go after you. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/
On Thu, 2019-12-19 at 11:02 -0800, William Herrin wrote:
I call your phone number. Your phone company compares my number against your whitelist. Ring through on match. If no match, "You have reached Name. Press 2 to leave a message. Press 3 to enter your code. Press 0 or stay on the line for an operator." Ring through on a valid code. If 0, the call connects to a call center where a live operator evaluates the call. Who am I? Why am I calling? Do I meet the plain-English criteria you've established for calls to allow through? If no, the operator offers to connect me to your voicemail. If yes, the operator dials you, explains who's calling and asks your permission to connect the call.
It really doesn't (currently at least -- until robocallers start using voice recognition to defeat my system) need to be this complicated or over-engineered. A simple audio captcha works wonders. Hello. If you are a telemarketer, press 1. If you want to speak to somebody at this number, press 5. Anyone pressing 1 gets their caller-id added to my blacklist and is asked to add our number to their do not call list. In reality all telemarketers use robocallers so they don't even get that far. Anyone pressing 5 rings through (with additional processing described below). But that's it. That has blocked 100% of robocalling from actually ringing the phones in our house for the last few years. I couple the captch greeting system with a whiltelist (i.e. only callers not on the whitelist get the above prompt -- callers on the whitelist ring through directly with no greeting). One gets on the whitelist because (a) I add them explicitly, (b) their number was called from our house phones (i.e. the PBX automatically adds all outgoing numbers to the whitelist) (c) they pressed 5 at the prompt. The result of that last one (c) is that people only ever hear that prompt once and if they press 5, they never hear it again. Unless of course I remove them from the whitelist. That has never had to be done to the best of my recollection. Of course I cannot know how many legitimate (robo)calls have not made it through the gauntlet, but I also have not had anyone complain about not being able to reach me. I figure if it's really important, some human from wherever the failed legitimate robocall is coming from will eventually get in touch with me. I do also get notified when a (i.e. a robo)caller doesn't choose either 1 or 5 and have noticed the very odd robocall that I would have liked to have received (very few and far between -- maybe 1 or 2 a year), and add them to the whitelist which works well since failed robocalls typically get retried so I get it the next time around. One might argue that having to deal with the notification on each failed robocall washes out the value of the system, but I would argue that reading a text message about a failed robocall, when I feel like reading it, is a more than fair trade-off for not having to interrupt what I am doing to answer the phone and get frustrated at another phishing/scam/etc. attempt, and it gives me peace of mind that I will catch (the very very few) failed robocalls that I did want. b.
On Thu, Dec 19, 2019 at 11:27 AM Brian J. Murrell <brian@interlinx.bc.ca> wrote:
On Thu, 2019-12-19 at 11:02 -0800, William Herrin wrote:
I call your phone number. Your phone company compares my number against your whitelist. Ring through on match. If no match, "You have reached Name. Press 2 to leave a message. Press 3 to enter your code. Press 0 or stay on the line for an operator." Ring through on a valid code. If 0, the call connects to a call center where a live operator evaluates the call. Who am I? Why am I calling? Do I meet the plain-English criteria you've established for calls to allow through? If no, the operator offers to connect me to your voicemail. If yes, the operator dials you, explains who's calling and asks your permission to connect the call.
It really doesn't (currently at least -- until robocallers start using voice recognition to defeat my system) need to be this complicated or over-engineered. A simple audio captcha works wonders.
Hello. If you are a telemarketer, press 1. If you want to speak to somebody at this number, press 5.
Anyone pressing 1 gets their caller-id added to my blacklist and is asked to add our number to their do not call list. In reality all telemarketers use robocallers so they don't even get that far.
Hi Brian, I don't want to start an arms race with the spam callers, I want to end it. That means: jump directly to something they can't easily defeat. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/
On 12/19/19 11:34 AM, William Herrin wrote:
On Thu, Dec 19, 2019 at 11:27 AM Brian J. Murrell <brian@interlinx.bc.ca> wrote:
On Thu, 2019-12-19 at 11:02 -0800, William Herrin wrote:
I call your phone number. Your phone company compares my number against your whitelist. Ring through on match. If no match, "You have reached Name. Press 2 to leave a message. Press 3 to enter your code. Press 0 or stay on the line for an operator." Ring through on a valid code. If 0, the call connects to a call center where a live operator evaluates the call. Who am I? Why am I calling? Do I meet the plain-English criteria you've established for calls to allow through? If no, the operator offers to connect me to your voicemail. If yes, the operator dials you, explains who's calling and asks your permission to connect the call. It really doesn't (currently at least -- until robocallers start using voice recognition to defeat my system) need to be this complicated or over-engineered. A simple audio captcha works wonders.
Hello. If you are a telemarketer, press 1. If you want to speak to somebody at this number, press 5.
Anyone pressing 1 gets their caller-id added to my blacklist and is asked to add our number to their do not call list. In reality all telemarketers use robocallers so they don't even get that far. Hi Brian,
I don't want to start an arms race with the spam callers, I want to end it. That means: jump directly to something they can't easily defeat.
Plus if it didn't work well/too cumbersome/etc with email, it probably won't be any better with voice. We have lots of experience with what doesn't work for email. Mike
On Thursday, 19 December, 2019 13:57, Michael Thomas wrote:
Plus if it didn't work well/too cumbersome/etc with email, it probably won't be any better with voice. We have lots of experience with what doesn't work for email.
I really do not care. It is my e-mail server. It is my telephone. I am paying for them. If you wish to communicate with me you *will* comply with my rules. Otherwise you can go stuff yourself. I really do not care one way or the other -- except of course that if you go stuff yourself then I do not have to be bothered with you. -- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
On 12/19/19 2:56 PM, Keith Medcalf wrote:
On Thursday, 19 December, 2019 13:57, Michael Thomas wrote:
Plus if it didn't work well/too cumbersome/etc with email, it probably won't be any better with voice. We have lots of experience with what doesn't work for email. I really do not care. It is my e-mail server. It is my telephone. I am paying for them. If you wish to communicate with me you *will* comply with my rules. Otherwise you can go stuff yourself. I really do not care one way or the other -- except of course that if you go stuff yourself then I do not have to be bothered with you.
I have no issue whatsoever with you shooting yourself in the foot. Heck shoot both of them, bullets are cheap. Mike
Plus if it didn't work well/too cumbersome/etc with email, it probably won't be any better with voice. We have lots of experience with what doesn't work for email.
I sort of figured that the shaken/stir model that ( i happened to propose in their first meeting) of: "get the originator (handset, ebony phone, call-warehouse) to digitally sign the call initiation, propagate that through the network to the receiver (so they could associate the md5/sha256/cert-signature/etc with an identity, and let the receivers decide: 'Not in my known callers list, no answer'" was a great plan... that the folk in the room basically didn't understand (or even want me to voice, actually)... It's a shame that something like this wasn't created instead of shaken/stir. You could check the signature at any of the hops, start failing calls earlier as rates of completion didn't stay at some standard level. All sorts of options would be available, and really the callers could be identified (at least by endpoint) more quickly. oh well. glad we got shaken / stir though? :)
On 12/19/19 9:14 PM, Christopher Morrow wrote:
Plus if it didn't work well/too cumbersome/etc with email, it probably won't be any better with voice. We have lots of experience with what doesn't work for email. I sort of figured that the shaken/stir model that ( i happened to propose in their first meeting) of: "get the originator (handset, ebony phone, call-warehouse) to digitally sign the call initiation, propagate that through the network to the receiver (so they could associate the md5/sha256/cert-signature/etc with an identity, and let the receivers decide: 'Not in my known callers list, no answer'"
was a great plan... that the folk in the room basically didn't understand (or even want me to voice, actually)... It's a shame that something like this wasn't created instead of shaken/stir. You could check the signature at any of the hops, start failing calls earlier as rates of completion didn't stay at some standard level. All sorts of options would be available, and really the callers could be identified (at least by endpoint) more quickly.
oh well. glad we got shaken / stir though? :)
SHAKEN is trying to solve e.164 problem which inherently hard and subject to a lot of cases where it fails. Their problem statement is worth the read if you're interested. But the reality is that it's a pretty SIP-y world these days, and the proper identity for SIP is the From: address, not the e.164 address. Since From: addresses contain domain names, you can tie identity to the domain itself, instead of trying to make sense of telephone number delegations. It would be trivial to attach a signature to the SIP INVITE's -- we've been doing that for 15 years with email, and then you at least know that the INVITE came from the domain it purports to be from. It works even for PSTN last legs because the PSTN headend can place the From: address in the caller id. Armed with that knowledge, you can filter to your heart's content. And since we've been told that 5G is a magic elixir that will wash our clothes and dress our dogs, our new phones can just be SIP UA's instead of going through the PSTN nonsense at all. STIR/SHAKEN seems like a solution to a problem whose time is way overdue to be retired. Mike
On Fri, Dec 20, 2019 at 1:40 PM Michael Thomas <mike@mtcc.com> wrote:
On 12/19/19 9:14 PM, Christopher Morrow wrote:
Plus if it didn't work well/too cumbersome/etc with email, it probably won't be any better with voice. We have lots of experience with what doesn't work for email. I sort of figured that the shaken/stir model that ( i happened to propose in their first meeting) of: "get the originator (handset, ebony phone, call-warehouse) to digitally sign the call initiation, propagate that through the network to the receiver (so they could associate the md5/sha256/cert-signature/etc with an identity, and let the receivers decide: 'Not in my known callers list, no answer'"
was a great plan... that the folk in the room basically didn't understand (or even want me to voice, actually)... It's a shame that something like this wasn't created instead of shaken/stir. You could check the signature at any of the hops, start failing calls earlier as rates of completion didn't stay at some standard level. All sorts of options would be available, and really the callers could be identified (at least by endpoint) more quickly.
oh well. glad we got shaken / stir though? :)
SHAKEN is trying to solve e.164 problem which inherently hard and subject to a lot of cases where it fails. Their problem statement is worth the read if you're interested.
I'll have to go read, I didn't pay attention much to stir/etc after the first meeting when it was made very clear that they really didn't want opionions from outside their group (at that time) or thoughts/ideas that came from outside the bell-shaped-head space. is fine, I had many other problems to solve.
But the reality is that it's a pretty SIP-y world these days, and the proper identity for SIP is the From: address, not the e.164 address. Since From: addresses contain domain names, you can tie identity to the domain itself, instead of trying to make sense of telephone number delegations. It would be trivial to attach a signature to the SIP INVITE's -- we've been doing that for 15 years with email, and then you at least know that the INVITE came from the domain it purports to be from. It works even for PSTN last legs because the PSTN headend can place the From: address in the caller id. Armed with that knowledge, you can filter to your heart's content.
this is sort of what I was imagining, except that the caller's handset (or copper receiver at the end of my ebony phone (in the CO)) could stamp my call with the correct signature for 'me'. Ideally 'number' or 'person face' or 'video dancing hamster' makes no difference here. Oh my handset I see a picture of your smiling face (or randys or even seans...) and I (if I agree that's whom I'm talking to) I click the 'verified' button and now only that sent 'certificate' can pretend to be the person I'm talking to. Setup some call screening system at the telco, people that last can get 'verified' by the reciever.. bob's yer auntie and robo callers go away.
And since we've been told that 5G is a magic elixir that will wash our clothes and dress our dogs, our new phones can just be SIP UA's instead of going through the PSTN nonsense at all.
the think is.. SIP doesnt' matter here.. not really. or I don't care about the carriage, as long as I can say: 'the think I'm talking at on the 'far end' is whom they say they are... verified... no one else can pretend to be that thing/person/etc"
STIR/SHAKEN seems like a solution to a problem whose time is way overdue to be retired.
maybe.
On 12/20/19 11:46 AM, Christopher Morrow wrote:
On Fri, Dec 20, 2019 at 1:40 PM Michael Thomas <mike@mtcc.com> wrote:
SHAKEN is trying to solve e.164 problem which inherently hard and subject to a lot of cases where it fails. Their problem statement is worth the read if you're interested.
I'll have to go read, I didn't pay attention much to stir/etc after the first meeting when it was made very clear that they really didn't want opionions from outside their group (at that time) or thoughts/ideas that came from outside the bell-shaped-head space. is fine, I had many other problems to solve.
I know most of the people who worked on this, and it definitely seems like it got wrapped around a bell shaped axle. But P-ASSERTED-IDENTITY was always about telco stuff, not internet stuff, so it's unsurprising that trying to get a workable version of P-ASSERTED-IDENTITY wouldn't be receptive to solutions for other problems.
And since we've been told that 5G is a magic elixir that will wash our clothes and dress our dogs, our new phones can just be SIP UA's instead of going through the PSTN nonsense at all.
the think is.. SIP doesnt' matter here.. not really. or I don't care about the carriage, as long as I can say: 'the think I'm talking at on the 'far end' is whom they say they are... verified... no one else can pretend to be that thing/person/etc"
To know *exactly* who's at the other end of the line is an extremely hard problem. But if are willing to relax that a bit and say that I can know for certain the *domain* that sent it, we definitely know how to do that, and happens billions of times an hour. For example, I can be pretty sure that morrowc.lists@gmail.com is probably the whoever owns that account since google is very strict about smtp auth, and i know that gmail.com sent the message. And obviously with a domain identifier, you can be held accountable by blacklist services, etc. But my main point is that with 5G there's really no reason to keep the legacy PSTN stuff there. Why do I want to be beholden to legacy telco stuff when everything can do voip these days? E.164 needs to sail into the west. Mike
There's a lot fewer cell companies than email providers. This may work to the advantage of consumers. Sent from my iCar
On Dec 19, 2019, at 3:57 PM, Michael Thomas <mike@mtcc.com> wrote:
Plus if it didn't work well/too cumbersome/etc with email, it probably won't be any better with voice. We have lots of experience with what doesn't work for email.
[ Re-sent with proper headers. My apologies for the typo'd previous version. ] On Thu, Dec 19, 2019 at 11:34:48AM -0800, William Herrin wrote:
I don't want to start an arms race with the spam callers, I want to end it. That means: jump directly to something they can't easily defeat.
It is at this point that I am reminded of the wisdom of former FTC Commissioner Orson Swindle, who was testifying before Congress on the subject of spam when he said "We need a couple of good hangings here." It was true in 2003 (which is I believe when he said it) and it's still true now. Fines, whatever they are, will be evaded and bargained down, companies will be dissolved and reconstituted, money will be laundered, and the problem will persist. ---rsk
Both TRACED and TRUE were passed by both houses today and are expected to be signed by the current POTUS because of the bipartisan support..... The Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act (S. 151) <https://energycommerce.house.gov/sites/democrats.energycommerce.house.gov/files/documents/S151RFH_SUS_xml.pdf> The Truth-In-Billing, Remedies, and User Empowerment over (TRUE) Fees Act (S. 510 / H.R. 1220) <https://www.markey.senate.gov/imo/media/doc/True%20Fees.pdf> -- Fletcher Kittredge GWI 207-602-1134 www.gwi.net
On Thu, Dec 19, 2019 at 6:10 PM Fletcher Kittredge <fkittred@gwi.net> wrote:
Both TRACED and TRUE were passed by both houses today and are expected to be signed by the current POTUS because of the bipartisan support.....
The Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act (S. 151)
The Truth-In-Billing, Remedies, and User Empowerment over (TRUE) Fees Act (S. 510 / H.R. 1220)
well then! our work here is done folks! pack it in, get on home. phew! (at least congress can mark something 'done' off their list... no matter that it won't fix anything)
On Thu, Dec 19, 2019 at 1:46 PM Rich Kulawiec <rsk@gsp.org> wrote:
[ Re-sent with proper headers. My apologies for the typo'd previous version. ]
On Thu, Dec 19, 2019 at 11:34:48AM -0800, William Herrin wrote:
I don't want to start an arms race with the spam callers, I want to end it. That means: jump directly to something they can't easily defeat.
It is at this point that I am reminded of the wisdom of former FTC Commissioner Orson Swindle, who was testifying before Congress on the subject of spam when he said "We need a couple of good hangings here." It was true in 2003 (which is I believe when he said it) and it's still true now. Fines, whatever they are, will be evaded and bargained down, companies will be dissolved and reconstituted, money will be laundered, and the problem will persist.
---rsk
I've occasionally thought that a tactical air strike on a couple of call centers might just convince the others of the errors of their ways. -- Jeff Shultz -- Like us on Social Media for News, Promotions, and other information!! <https://www.facebook.com/SCTCWEB/> <https://www.instagram.com/sctc_503/> <https://www.yelp.com/biz/sctc-stayton-3> <https://www.youtube.com/c/sctcvideos> _**** This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. ****_
On Thu, 19 Dec 2019 13:59:00 -0800, Jeff Shultz said:
I've occasionally thought that a tactical air strike on a couple of call centers might just convince the others of the errors of their ways.
Having a US-owned A10 strafe a Philippines-based call center is probably a bad idea diplomatically. However, we're in an administration that doesn't avoid ideas simply because they're objectively bad, so I'm not going to predict it won't happen....
As long as that tactical air strike uses MIRV nuclear warheads so none of the little f*ckers get away ... -- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message----- From: NANOG <nanog-bounces+kmedcalf=dessus.com@nanog.org> On Behalf Of Jeff Shultz Sent: Thursday, 19 December, 2019 14:59 To: North American Network Operators' Group <nanog@nanog.org> Subject: Re: FCC proposes $10 Million fine for spoofed robocalls
On Thu, Dec 19, 2019 at 1:46 PM Rich Kulawiec <rsk@gsp.org> wrote:
[ Re-sent with proper headers. My apologies for the typo'd previous
version. ]
On Thu, Dec 19, 2019 at 11:34:48AM -0800, William Herrin wrote:
I don't want to start an arms race with the spam callers, I want to end it. That means: jump directly to something they can't easily defeat.
It is at this point that I am reminded of the wisdom of former FTC Commissioner Orson Swindle, who was testifying before Congress on the subject of spam when he said "We need a couple of good hangings
here."
It was true in 2003 (which is I believe when he said it) and it's still true now. Fines, whatever they are, will be evaded and bargained down, companies will be dissolved and reconstituted, money will be laundered, and the problem will persist.
---rsk
I've occasionally thought that a tactical air strike on a couple of call centers might just convince the others of the errors of their ways.
-- Jeff Shultz
-- Like us on Social Media for News, Promotions, and other information!!
<https://www.facebook.com/SCTCWEB/> <https://www.instagram.com/sctc_503/> <https://www.yelp.com/biz/sctc-stayton-3> <https://www.youtube.com/c/sctcvideos>
_**** This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. ****_
On 12/19/19 11:27 AM, Brian J. Murrell wrote:
On Thu, 2019-12-19 at 11:02 -0800, William Herrin wrote:
I call your phone number. Your phone company compares my number against your whitelist. Ring through on match. If no match, "You have reached Name. Press 2 to leave a message. Press 3 to enter your code. Press 0 or stay on the line for an operator." Ring through on a valid code. If 0, the call connects to a call center where a live operator evaluates the call. Who am I? Why am I calling? Do I meet the plain-English criteria you've established for calls to allow through? If no, the operator offers to connect me to your voicemail. If yes, the operator dials you, explains who's calling and asks your permission to connect the call. It really doesn't (currently at least -- until robocallers start using voice recognition to defeat my system) need to be this complicated or over-engineered. A simple audio captcha works wonders.
Hello. If you are a telemarketer, press 1. If you want to speak to somebody at this number, press 5.
Anyone pressing 1 gets their caller-id added to my blacklist and is asked to add our number to their do not call list. In reality all telemarketers use robocallers so they don't even get that far.
Anyone pressing 5 rings through (with additional processing described below).
There are robocalls that you want to get. Here in california, our wonderful electric company sends out robocalls when they are going to cut our electricity so they don't get blamed for burning down cities (and then still manage to anyway). I'm not sure if our earthquake alerts can robocall or not, but that would certainly be another one that you'd want to get. There are plenty more examples. Mike
On Thursday, 19 December, 2019 14:02, Michael Homas wrote:
There are robocalls that you want to get. Here in california, our wonderful electric company sends out robocalls when they are going to cut our electricity so they don't get blamed for burning down cities (and then still manage to anyway). I'm not sure if our earthquake alerts can robocall or not, but that would certainly be another one that you'd want to get. There are plenty more examples.
That stupid people do stupid things has no bearing on me. If there is a legal requirement for these people to be "notifying" then they are required to notify. That they chose an assinine and ineffective method of notification does not relieve them of their legal obligations. I do not want to receive robocalls period. End of Line. No Exception. Ever. For any reason. -- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
On Thu, 19 Dec 2019 16:02:42 -0700, "Keith Medcalf" said:
That stupid people do stupid things has no bearing on me. If there is a legal requirement for these people to be "notifying" then they are required to notify.
I do not want to receive robocalls period. End of Line. No Exception. Ever. For any reason.
So... what do you recommend if it's a legally mandated robocall that says "shelter in place - active shooter" or "tornado alert"?
On Thursday, 19 December, 2019 19:07, Valdis Kletnieks <valdis@vt.edu> wrote:
On Thu, 19 Dec 2019 16:02:42 -0700, "Keith Medcalf" said:
That stupid people do stupid things has no bearing on me. If there is a legal requirement for these people to be "notifying" then they are required to notify.
I do not want to receive robocalls period. End of Line. No Exception. Ever. For any reason.
So... what do you recommend if it's a legally mandated robocall that says "shelter in place - active shooter" or "tornado alert"?
Then they can pay for the phone line to be used for that purpose. I will rent them the space necessary to house the phone and its accoutrements, but I will not guantee that I will ever answer it. That will cost my usual rate of $750.00 per hour, with a four hour minimum, paid in advance. If whomever did the "legally mandating" failed to account for the cost of their "mandating" that is not my problem. If I am paying for the phone line then I get to choose what calls I will accept. -- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
On 12/19/19 6:52 PM, Keith Medcalf wrote:
On Thursday, 19 December, 2019 19:07, Valdis Kletnieks <valdis@vt.edu> wrote:
That stupid people do stupid things has no bearing on me. If there is a legal requirement for these people to be "notifying" then they are required to notify. I do not want to receive robocalls period. End of Line. No Exception. Ever. For any reason. So... what do you recommend if it's a legally mandated robocall that says "shelter in place - active shooter" or "tornado alert"? Then they can pay for the phone line to be used for that purpose. I will rent them the space necessary to house the phone and its accoutrements, but I will not guantee that I will ever answer it. That will cost my usual rate of $750.00 per hour, with a four hour minimum,
On Thu, 19 Dec 2019 16:02:42 -0700, "Keith Medcalf" said: paid in advance. If whomever did the "legally mandating" failed to account for the cost of their "mandating" that is not my problem.
If I am paying for the phone line then I get to choose what calls I will accept.
Surrender Dorthy. Pathetic.
Is it legally a spoofed robo-call if I robo-call someone who has consented to be robo-called, with the caller-ID of a number that is affiliated with me but not with the telco I'm calling from? On 19-12-19 09 h 09, Andreas Ott wrote:
How is it envisioned that this will work? My prediction for 2020: it still won't work, like in 2019 and the years before that. A call originated, transported and delivered equals revenue for all involved parties, so it is in their best interest not to block
On Thu, Dec 19, 2019 at 11:16:08AM -0500, Christopher Morrow wrote: them, unless the fines are really magnitude(s) higher than the revenue.
I mean, I'm all for less spam calling... and ideally there would be some form of 'source address verification' on the PSTN/phone network... but in today's world that really just doesn't exist and the motivations to suppress fake sources are 'just as good' as they are on the intertubes. (with crappier options in the gear - SHAKEN/STIR are really not even available in the majority of the switch 'gear' right?) When I tried to pay my AT&T uverse VOIP "landline" bill this morning they offered me a free "CallProtect App" but when I click on more info it's in fact only a link to open their "control call forwarding and blocking" part of the home phone features web site. All their suggested controls are enabled, still I am receiving only unwanted calls on this line.
In the call and voicemail history list for my number I have at least these examples for you to laugh at. Hint: look at the numbers. and I have also been told that there is no equivalent of uRPF in the phone world.
Name Number When Length Actions Suspected Spam 888-194-1242 11-30-19, 10:56 AM 0:00 Add to Address Book
From Number When Size NAME NOT FOUND 408-145-1341 08-12-19, 09:14 AM 29 Kb NAME NOT FOUND 213-141-5163 05-17-19, 10:22 AM 353 Kb
-andreas
On Fri, 20 Dec 2019 00:14:33 -0800, Large Hadron Collider said:
Is it legally a spoofed robo-call if I robo-call someone who has consented to be robo-called, with the caller-ID of a number that is affiliated with me but not with the telco I'm calling from?
Every 8 weeks, the vampires at the American Red Cross call me to schedule another blood donation, and I'm sure that the number on my caller-ID isn't the actual phone number attached to the specific seat at the call center. And I'm pretty sure that until I answer the call, there's no really good way to distinguish between a robo-call with a recorded message and a robo-dialed call with an actual carbon-based lifeform at the call center on the call... (If I'm wrong on that one, feel free to enlighten me.. :)
On 12/19/19 8:16 AM, Christopher Morrow wrote:
How is it envisioned that this will work? I mean, I'm all for less spam calling... and ideally there would be some form of 'source address verification' on the PSTN/phone network... but in today's world that really just doesn't exist and the motivations to suppress fake sources are 'just as good' as they are on the intertubes. (with crappier options in the gear - SHAKEN/STIR are really not even available in the majority of the switch 'gear' right?)
It's my opinion that STIR/SHAKEN is trying to solve the wrong problem. Telephone numbers are oh-so last millennia. I don't care about telephone numbers any more than I care about ip addresses. What I care about is the From: address, be it email, sip or anything else that uses an email-like address. Unlike the e.164 quagmire, domains can vouch that they actually sent a message ala DKIM (in fact, when i was developing DKIM, i for shits and giggles, DKIM-signed SIP messages too). If a message comes from gmail (and verifies), I have a pretty good belief that it really is that user since I know they don't allow their users to spoof other email accounts. Same can be done with SIP. That is the road forward here, not an ugly complex bandaid on an outdated form of identity. Mike
They should be fining the telcos, they're making a lot of money on these calls. And if you believe otherwise (e.g., that it's like email spam) you've been duped by telco PR. Unlike spam when was the last time a telco failed to bill you for a billable phone call? Never. They know exactly who is using their system. And they get paid for it. And these junk callers are making millions of calls per hour when they're active. The entire telco infrastructure has been described as a billing system with some added voice features. Try devising a box which makes millions of voice calls per hour and see how long it takes before you're stopped dead until you agree to pay the telcos for those calls, or get arrested. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On Thu, Dec 19, 2019 at 3:15 PM <bzs@theworld.com> wrote:
They should be fining the telcos, they're making a lot of money on these calls.
And if you believe otherwise (e.g., that it's like email spam) you've been duped by telco PR.
Unlike spam when was the last time a telco failed to bill you for a billable phone call? Never.
They know exactly who is using their system. And they get paid for it. And these junk callers are making millions of calls per hour when they're active.
The entire telco infrastructure has been described as a billing system with some added voice features.
Try devising a box which makes millions of voice calls per hour and see how long it takes before you're stopped dead until you agree to pay the telcos for those calls, or get arrested.
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
The sending telco may, but the receiving Teclco? Not necessarily - and it's annoying to us too. A lot of this should seemingly be fixable at the tandem. -- Jeff Shultz -- Like us on Social Media for News, Promotions, and other information!! <https://www.facebook.com/SCTCWEB/> <https://www.instagram.com/sctc_503/> <https://www.yelp.com/biz/sctc-stayton-3> <https://www.youtube.com/c/sctcvideos> _**** This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. ****_
On 12/19/19 6:11 PM, bzs@theworld.com wrote:
They should be fining the telcos, they're making a lot of money on these calls.
And if you believe otherwise (e.g., that it's like email spam) you've been duped by telco PR.
Unlike spam when was the last time a telco failed to bill you for a billable phone call? Never.
They know exactly who is using their system. And they get paid for it. And these junk callers are making millions of calls per hour when they're active.
I work for a phone company in a senior role, and have for years. I've also been saying this for years. These are all half solutions. The people handling these calls know exactly who their customers are, and they'd remove them in hours if a legal mandate came down to provide passthrough penalties for providing service to these people. Legitimate callcenters don't send out tons of traffic with random source numbers that typically match the same first 6 digits as their caller. It'd take the large and small companies alike maybe a day to run database queries to identify and shut down the callers doing this. But there's money to be made in prolonging the issue - they get to charge the caller for making the calls, and the customers to block them. (for what it's worth, the problem ones aren't on my network. I checked.) -Paul
On Thu, 19 Dec 2019, Paul Timmins wrote:
The people handling these calls know exactly who their customers are,
yep
and they'd remove them in hours if a legal mandate came down to provide passthrough penalties for providing service to these people.
the only penalties that would motivate them is prison terms. financial penalties will be ignored. -Dan
I can't imagine many telcos are making a lot of money from voice anymore. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: bzs@theworld.com To: "nanog" <nanog@nanog.org> Sent: Thursday, December 19, 2019 5:11:17 PM Subject: RE: FCC proposes $10 Million fine for spoofed robocalls They should be fining the telcos, they're making a lot of money on these calls. And if you believe otherwise (e.g., that it's like email spam) you've been duped by telco PR. Unlike spam when was the last time a telco failed to bill you for a billable phone call? Never. They know exactly who is using their system. And they get paid for it. And these junk callers are making millions of calls per hour when they're active. The entire telco infrastructure has been described as a billing system with some added voice features. Try devising a box which makes millions of voice calls per hour and see how long it takes before you're stopped dead until you agree to pay the telcos for those calls, or get arrested. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On 12/20/19 9:00 AM, Mike Hammett wrote:
I can't imagine many telcos are making a lot of money from voice anymore.
We are. Not as much as the olden days, but we are. And a lot of companies charge surcharges to customers who have tons of short duration calls. Do the math on why, and who they're targeting for a little extra income.
On December 20, 2019 at 08:00 nanog@ics-il.net (Mike Hammett) wrote:
I can't imagine many telcos are making a lot of money from voice anymore.
They may not be making a huge amount anymore which may be why they're now allowing (i.e., not fighting/lobbying) these folks to be thrown under the bus before someone shines a light on them.
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest-IX http://www.midwest-ix.com
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ From: bzs@theworld.com To: "nanog" <nanog@nanog.org> Sent: Thursday, December 19, 2019 5:11:17 PM Subject: RE: FCC proposes $10 Million fine for spoofed robocalls
They should be fining the telcos, they're making a lot of money on these calls.
And if you believe otherwise (e.g., that it's like email spam) you've been duped by telco PR.
Unlike spam when was the last time a telco failed to bill you for a billable phone call? Never.
They know exactly who is using their system. And they get paid for it. And these junk callers are making millions of calls per hour when they're active.
The entire telco infrastructure has been described as a billing system with some added voice features.
Try devising a box which makes millions of voice calls per hour and see how long it takes before you're stopped dead until you agree to pay the telcos for those calls, or get arrested.
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
participants (27)
-
Andreas Ott
-
Brandon Martin
-
Brian J. Murrell
-
bzs@theworld.com
-
Chad Dailey
-
Christopher Morrow
-
Dan Hollis
-
Fletcher Kittredge
-
j k
-
Jared Mauch
-
Javier J
-
Jeff Shultz
-
Kain, Becki (.)
-
Keith Medcalf
-
Kevin Burke
-
Large Hadron Collider
-
Mark Milhollan
-
Max Tulyev
-
Michael Thomas
-
Mike Hammett
-
Paul Timmins
-
Peter Beckman
-
Rich Kulawiec
-
Sean Donelan
-
Troy Martin
-
Valdis Klētnieks
-
William Herrin