Hello, And Please Don’t Hang Up: The Scourge of Robocalls

Over the last few months, I’ve noticed extra calls coming in from local numbers, and if you live in the US, I suspect maybe you have too. These calls are either just dead air, or recordings that start with “Please don’t hang up.” Out of curiosity, I’ve called back on the number the call claims to be from. Each time, the message is that this number has been disconnected and is no longer in service. This sounds like the plot of a budget horror movie: how am I being called from a disconnected number? Rather than a phantom in the wires, this is robocalling, combined with caller ID spoofing.

Automated phone switching is an impressive beast. The story often told is that Kansas City had two undertakers in the late 1800s. The town’s telephone operator was married to one of the undertakers, and she would routinely send business to her husband. The other undertaker was [Almon Brown Strowger], and once he caught on to what was going on, he started working on a way to route phone calls without going through an operator. His invention eventually became the rotary dial phone and switching system. There is some irony that the automatically switched telephone network was invented to defeat fraud, and today it’s also used to commit fraud.

Number Spoofing is a Side Effect of the Ma Bell Breakup

At Hope XII, [TProphet] gave a talk about robocalling and the history of the phone system. He talked about the breakup of AT&T and the associated government regulation, and how those two events have had unintended consequences today, like enabling caller ID spoofing and robocalling. Part of the agreement between the U.S. Government and AT&T is that all calls would be accepted, even calls from competing providers. The downside is that this regulation then legally prevented AT&T from blocking phone calls even when those calls are known to be spoofed or spam.

Signalling System 7 (SS7) was designed in the 1970s, and has become the international standard for routing phone calls. This standard was written in a time when network security was an afterthought: SS7 has no authentication built in, simply accepting all traffic on the “secure” phone network. Regulated network interconnection was baked into the SS7 protocol, and a side effect is that the source phone number is trusted by design. Caller ID spoofing is the result of this protocol and the regulatory requirement that telephone companies (telcos) complete all calls from competitors.

[TProphet] didn’t mention the legitimate reason for caller ID spoofing. Your humble author spoofs the caller ID of his office phone. Why? An Asterisk phone system (running off a Raspberry Pi) connects to both a Plain Old Telephone System (POTS) line as well as a VoIP trunk. Incoming calls to the phone number, as well as outgoing local calls, go over the POTS line. Long distance outgoing calls go over the VoIP trunk, as the per minute rates are significantly better. In Asterisk, when routing the outgoing call, there is a simple routing command that sets the outgoing caller ID information. It’s accurate information in this case, but this is the exact same process a robocaller uses to spoof calls.

Most hotels and other large businesses do spoofing of some sort, in order to show all their calls as originating from their main number. If the caller ID is set in order to funnel return calls to the primary incoming phone number, all is well. If the spoofed number doesn’t serve to allow returned calls, but instead is intended to deceive, then fraud has occurred.

Can Telcos Block Spoofed Numbers?

So what’s the solution? The FCC has recently taken aim at robocalls, and has changed its regulations as part of this push. Telcos are now allowed to block spoofed calls that claim to be originating from disconnected numbers, as well as certain other obviously spoofed numbers. Cell phone companies have started showing warnings about incoming spam calls, and even blocking some calls.

Part of the reason for Gmail’s rapid growth was its excellent spam detection. Now that telcos and cell providers have some regulatory breathing room, they are beginning to compete for the best robocall blocking. T-Mobile, for instance, uses a service that monitors call originators for recent call volume. If one location just fired off a thousand phone calls, it’s probably doing robocalling. If you’ve seen a caller ID message of “Spam Likely” on your cell phone, you’ve been the beneficiary of this service. [TProphet] even described a scheme to catch and block spam calls as a service. At the end of his talk, he outlined how the SS7 metadata included with a spam call could be categorized and scored, in order to determine how likely a given call is to be spam.

This is very similar to the operating principle of SpamAssassin, one of the more popular open source email spam filters. Just as SpamAssassin looks at the email source, headers, and text, a robocalling filter could look at the origination, timing, and other metadata to determine a spam rating. The parallel between robocalls and email spam would suggest that robocalls will never fully disappear, but better service and smarter regulation will eventually reduce them to an occasional annoyance.
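The scoring idea described above, sketched as an added example (not code from the talk or from any carrier): each call's metadata is checked against a few rules and the hits are summed against a threshold, the way SpamAssassin sums rule scores. The field names, rules, weights and limits are assumptions chosen for illustration, and the sample calls are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Call:
    ts: int        # arrival time in seconds
    origin: str    # hypothetical id of the trunk/gateway that handed over the call
    claimed: str   # caller ID presented with the call (10 digits, unauthenticated)
    called: str    # destination number (10 digits)


# Illustrative weights and limits (assumptions, scaled down for the sample data).
WEIGHTS = {
    "DISCONNECTED_ID": 4.0,     # caller ID is a number known to be out of service
    "NEIGHBOR_PREFIX": 1.5,     # caller ID shares area code + exchange with callee
    "HIGH_VOLUME_ORIGIN": 3.0,  # origin placed many calls inside the window
    "ID_CHURN": 2.5,            # origin presented many different caller IDs
}
THRESHOLD = 5.0   # same idea as SpamAssassin's default required score
WINDOW = 60       # seconds of history kept per origin
VOLUME_LIMIT = 5  # calls per window before HIGH_VOLUME_ORIGIN fires
CHURN_LIMIT = 4   # distinct caller IDs per window before ID_CHURN fires


class CallScorer:
    def __init__(self, disconnected):
        self.disconnected = set(disconnected)
        self.recent = defaultdict(deque)  # origin -> deque of (ts, claimed)

    def score(self, call):
        """Return (total, rule_hits) for one call; calls must arrive in time order."""
        window = self.recent[call.origin]
        window.append((call.ts, call.claimed))
        while window[0][0] <= call.ts - WINDOW:  # drop entries older than WINDOW
            window.popleft()
        hits = []
        if call.claimed in self.disconnected:
            hits.append("DISCONNECTED_ID")
        if call.claimed[:6] == call.called[:6]:
            hits.append("NEIGHBOR_PREFIX")
        if len(window) > VOLUME_LIMIT:
            hits.append("HIGH_VOLUME_ORIGIN")
        if len({claimed for _, claimed in window}) > CHURN_LIMIT:
            hits.append("ID_CHURN")
        return sum(WEIGHTS[h] for h in hits), hits


def classify(calls, disconnected):
    """Score every call in time order; returns (call, total, hits, is_spam) tuples."""
    scorer = CallScorer(disconnected)
    results = []
    for call in sorted(calls, key=lambda c: c.ts):
        total, hits = scorer.score(call)
        results.append((call, total, hits, total >= THRESHOLD))
    return results


def flagged_ids(results):
    """Caller IDs of the calls that crossed the threshold, in arrival order."""
    return [call.claimed for call, _, _, is_spam in results if is_spam]


# Constructed sample traffic (555-01xx numbers are reserved for fiction).
DISCONNECTED = {"3125550151"}
SAMPLE_CALLS = (
    # A real neighbour calling: same prefix as the callee, nothing else unusual.
    [Call(50, "trunk-A", "3125550199", "3125550142")]
    # One gateway, a new "local" caller ID on every call, one call every 2 s.
    + [Call(100 + 2 * i, "gw-X", f"31255501{50 + i}", f"31255501{10 + i}")
       for i in range(8)]
    # A busy PBX that always presents its own main number (legitimate spoofing).
    + [Call(200 + 5 * i, "pbx-hotel", "7735550100", f"63055501{20 + i}")
       for i in range(8)]
)

if __name__ == "__main__":
    for call, total, hits, is_spam in classify(SAMPLE_CALLS, DISCONNECTED):
        verdict = "SPAM " if is_spam else "ok   "
        print(f"{verdict} {total:4.1f} {call.origin:10} {call.claimed} {hits}")
```

No single rule crosses the threshold on its own: the neighbour's call and the PBX's burst of calls from one consistent number both pass, while the gateway that rotates caller IDs is flagged once volume and churn add up.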

History Repeats Itself

The unity of the telephone network has turned out to be one of its major strengths — imagine a world where you needed an AT&T subscription, a Sprint subscription, and a Verizon subscription, just to be able to talk to family and do business. The regulatory agreement with AT&T, combined with later legislation, brought about this unification. However, as we’ve seen, it did come with unintended side effects, like enabling robocallers.

There is another regulatory good idea that could have some unintended side effects. Net neutrality is the idea that Internet Service Providers (ISPs) should provide neutral internet service. We pay our ISPs for our bandwidth, and it’s reasonable to expect that bandwidth to be provided without services being blocked or throttled. Net neutrality regulations would insist that ISPs deliver packets in this unbiased way.

To be clear, I’m of the opinion that net neutrality is a good idea. An ISP shouldn’t be able to shake a customer down for a higher monthly fee, just to get unthrottled access to a competitor’s video streams.

In order to ensure net neutrality, ISPs were temporarily reclassified as “Common Carriers”, similarly to how the Bell telephone system was regulated. In order to understand how this classification might be a sub-optimal solution to achieving net neutrality, consider what traffic ISPs regularly block. For example, port 25 is reserved for the Simple Mail Transfer Protocol, and is routinely blocked on residential internet connections. Why? Port 25 traffic from a residence is almost always spam, being sent from a compromised computer. Would an ISP regulated as a common carrier be allowed to block that traffic?

Regulations often have unintended side effects, and bodies like the FCC are usually slow to update rules to fix those unintended consequences. The requirement for all telephone networks to play nicely together opened up the call spoofing vulnerability that delivered this abundance of robocalls. So far, fining robocallers and having regulators harrumph at telcos hasn’t solved it. The balancing act for any network is to keep it accessible to legitimate traffic without compromising the ability to combat traffic that is clearly malicious or fraudulent.

111 thoughts on “Hello, And Please Don’t Hang Up: The Scourge of Robocalls”

  1. The numbers are just spoofed numbers local to whomever they are calling. They often belong to real people. A few people I know, myself included, have received callbacks from people telling us not to call them anymore.

    1. Apologies for the report… I hit the wrong button to respond.

      My actual response is something along the lines of what you mentioned. I have 2 cell phones. One for work, and one personal. I have my work number forwarded to my personal phone so that I don’t have to carry 2 phones. I usually leave my work phone in the work truck and the battery drained 99% of the time, only charging it to use it as a wifi hotspot when necessary.

      I have received numerous robocalls from my work cell phone number and usually receive at least one call a week from someone asking who I am because “you just called me”. It can be extremely frustrating, especially since the callbacks usually happen at inopportune moments breaking my concentration which may take a while to re-achieve.

    2. Actually the spoofing has been getting a little more in depth. Now they are generating these lists off of stolen contact lists. Then they use a person’s contacts with numbers to which they use someone on that list as the spoofer so it looks like someone you know is calling thus making it even more difficult to tell if it is a spam or real call.

      1. Yea, I suppose there are people who are stupid enough to interact with callers who obviously are not the person their phone tells them it is. If my aunt Emma is calling and it’s a guy trying to get me a better rate on my credit card, it’s pretty obvious what the wise thing to do is.

    3. I’ve even received a spoof call from my own number before. My tactic now is to get a number with an area code from some place where I don’t know anybody, then use an app like Mr. Number to blanket-block any calls coming from that area code or the ones nearby. It works alright. There’s a lag with that app before it reads the number and rejects it, so I still get irritating interruptions.

      I want to only buy data and sms service for my cell phone. I want to cancel voice calling entirely, to not be able to receive calls–full stop. Maybe emergency only for 911 or whatever. I’ve done minimal research on how to do that, and from what I’ve read it’s very difficult with many carriers, and they’ll only allow you to turn off calling temporarily and with good reason.

      Voice calling is almost completely broken. Nearly all real humans communicate in many other ways now. I only use it to talk to my dear old mother, but I’d rather ditch it entirely and talk to her using hangouts or some other video chat on my laptop.

      Does anyone know of a good and just carrier that allows you to leave out calling? Google Fi maybe?

      1. No I have to completely disagree. I hate typing on the phone – full stop. I use text messages only if it is at a time where I know, I would disturb somebody or if I can not reach him with a voice call. And then often it’s just “call me”.
        If I receive a text message and there is any chance to reach the other with a voice call, I call back.
        It is also a question of transporting emotions, which is – at least partly – possible with a voice call, but not in a text message. The inflation of smiley faces does not help in any way, there are so many now, that they are often barely distinguishable. :-( I stay with the classics.

  2. So the call after leaving the premises hits the exchange, where it’s routed right? Why can the provider not look at the caller ID, and go ‘Ok, call from customer with number 123 is connected directly to this exchange, carry the call’ and ignore any that don’t originate in the right ‘pot’ of numbers for that exchange? It wouldn’t take long to notice at *some* exchanges there’s a hell of a lot of calls which aren’t getting connected, and this is because there’s someone connected directly trying to spoof every time they dial out. Hell, I’m pretty sure that places like Hotels which do spoof their numbers, legitimately, are likely paying for the right to do so….

    Sure, it’s extra work but isn’t everything?

    This is how much anti-spoofing for the internet works, routers often don’t allow packets from private IP ranges arrive on their public interfaces, etc.

    1. Obviously if the reason for this not being possible is the insane common carrier rule, that needs fixing. But this isn’t about accepting calls from other providers, this is about the fact a carrier is accepting a call from someone clearly spoofing their number.

      1. Phone spam and robocalling continues because the telcos make money from both ends: big bucks from the spammers and robocallers for trunk services and ID blocking, and a monthly chunk from each of us for the privilege of receiving all that phone spam.

    2. It can be done but not easily.

      For example at work we have 2 trunk lines from 2 different companies. One has everything we want but they couldn’t get a completely separate line to our location as a backup when we started so we went with a second company.
      The second line is only ever used for outgoing calls when the main line is getting saturated or as a backup line.
      Problem is our exchange just spoofs our numbers from the other company on the outgoing calls. It’s legit because we asked how we had to set it up and both companies recommended to do it this way.

      Other example is the example in the article. Spoofing your main number for your outgoing long distance voip calls to avoid having 2 numbers but take advantage of the better pricing.

  3. They aren’t only using disconnected numbers for the spoofing. I have many times received call backs from a real person claiming I called them. It was the same person more than a few times. So my number was used as a spoof. I think they literally just use every number in an area code associated with yours, incrementally.

    1. Also, why can they not use geographic location? The spoof call is likely to originate from outside the area code it’s claiming to be calling from. Is this not possible? I think for cell phones that would be roaming, where it would be legitimate, yet in another locale, that would be easy to handle as well.

      1. I have a Tucson, Arizona area code on my cell phone number. I live in Texas. Should all my outgoing calls be blocked just because I have taken advantage of the fact that a mobile phone is indeed mobile?

      2. Disregard my last comment. I missed the part of your post about cell phone traffic, but the point is still valid. Using an “Area code” to determine call origin location was made obsolete when the first mobile phone was created.

        1. Well, number portability is really what did it. Roaming cell phones still were serviced by a cell phone provider, and thus out-of-area sourcing as legitimate was still reasonably separable from spoofing even in that universe.

      3. Before my Dad passed away we transferred his home number (which he’d had for 40 years… before the AT&T breakup) to an Ooma Internet phone box at my house. I don’t know where Ooma originates from, but the physical location I gave them for E-911 is a *long* way from the original area the number was at.

  4. “Caller ID spoofing is the result of this protocol and the regulatory requirement that telephone companies (telcos) complete all calls from competitors.”

    So the telco version of NN?

  5. If you’re ever a tourist in Edinburgh pop into my work and answer the robocalls for the day, will allow me to concentrate on earning money :) .. sadly it’s not a U.S. only thing, but for sure the telco companies need to put an end to it.

  6. As I understand it (someone with more knowledge, please correct me), these scum are using VOIP (Voice over IP) to PSTN (Public Switched Telephone Network) gateways to access your phone. So the originator is somewhere in the Intertubes, and initiates a call through the VOIP gateway so as not to be identifiable.

    What I don’t understand, is how these thousands of calls a day, through a VOIP gateway, are not manageable. Someone, somewhere is operating this gateway to the PSTN, and paying some carrier for access. It should be fairly easy to identify them through their traffic profile (lots of short calls interleaved with lots of no-answer calls) and disconnect them.

    Why is this not possible? You can’t whack the robocaller, but shouldn’t he be vulnerable at the point where he connects to the PSTN?

  7. A simple partial solution would be for Apple and Google to add a feature to prevent ringing from unknown numbers, eg. numbers you’ve never called or accepted a call from. In the case of the latter, even if you answered a robocall, subsequent calls from that scammer would likely be from a different number anyway.

    I’m surprised Apple has not pursued this, or I imagine they’re working on it and we’ll get it when they think it’s ready. I’m ready now though: I get far more robocalls than real calls.

    1. Your use of such a feature would mean that a loved one in an emergency, calling you from a borrowed phone or a pay phone, couldn’t reach you. Are you sure you’re willing to pay that price in order to stop spam calls?

      1. That is a good point. That price is hypothetical though: I don’t recall the last time I received an emergency call from or on behalf of a loved one.

        As it is, robocalls’ prevalence means I generally ignore calls that aren’t from known numbers.

        I moved away from my phone number’s area code, but most calls come from unknown numbers with the same area code and prefix: robocalls. I’d love to just block those, but there aren’t tools for that either.

        My point is that receiver-side blocking methods could help a lot, and I appreciate your comment.

        1. Thanks. What I’d like to see is an app that answers a call silently in the background, then prompts the caller to enter a PIN previously agreed upon between the caller and the recipient. If the PIN isn’t valid, the call simply doesn’t ring through, and the recipient isn’t disturbed, although a record of the call may be retained. I see some potential security pitfalls with this approach on a smartphone, but if they could be worked out, I think such an app would meet a lot of people’s needs. Over the years I’ve often thought about creating that feature for my land-line via an FXO adapter and Asterisk, but never took the time.

          1. No need for a PIN. Ask caller to press 1 to connect, as soon as it answers. That will block 100% of robo calls, and 99.99% of telemarketer calls because they won’t hear it. Legitimate callers can always get through. I use this on my VoIP home number and never get junk calls. Combined with a white list, known callers never get the prompt.

          2. This is exactly what nomorobo does – but instead of doing it to all calls, it does them to questionable ones. Every once in a while, I get a call from a 202 number, and that’s nomorobo re-forwarding a false positive.

          3. I have this very idea implemented in a Raspbx box, powered by raspberry and a 3g modem as gateway. You should press 1 to continue with the call. Just that stopped the whole robocalling.

        2. Try an apk from play store called ‘should I answer’ it uses a community database to block calls from known scammers. It also has an option to ‘send all calls NOT in contacts to voicemail’
          It works better than my carriers version of call blocking.

  8. Interesting that prosecutors *can* trace back a call with spoofed number. Not just in US fantasy shows, but in real life. Here in Europe, you can even tell your telephone provider to activate their tracker for you, so you can get the REAL number both for spoofed numbers AND for hidden numbers.
    I am not sure, though, if you could get a criminal that is using the US as her base of operation. My guess is that “freedom” (TM) prohibits that.

    1. What’s real annoying on newer TV shows is they’re still most of the time doing the “We have to keep the kidnapper on the line long enough to trace.” BS. The telco systems have the records. Computer electronics are very fast. With a warrant for a wiretap and things setup when the call comes in, the trace should be instant.

      For cellphones it’s been possible to triangulate location from tower signals for years. That came about after an infamous case where a couple was abducted, the man was forced at gunpoint to drive to a place he didn’t know. IIRC he was shot and his wife was shot in her back through the back of the passenger seat. He called for help on his cell phone, someone in the police department hit on the idea of having patrol cars individually sound their sirens so they could listen for the sound over the phone to home in on their location.

      The killer was never found, nor was the gun, yet the police determined the man had shot his wife and himself. How he shot her through the passenger seat back while he was in the front passenger seat… There was no evidence to prove he killed his wife but the police “knew he did it” and wouldn’t look for anyone else. The police hounded him literally to death demanding he confess to murder. He jumped off a bridge.

      So from triangulating with police sirens over a cell phone came the concept of using the phone tower radio signals to locate the phones.

      1. It’s *possible* to do something similar to tor with voip. That would take some time to unwrap, particularly if the incoming termination of one leg was separated from its paired outgoing with, say, a VPN (private VoIP, in a way). Blue box hackers did this sort of thing all the time back in the day. I could imagine well heeled criminals being able to make calls that would be non-trivial to trace.

        The thing that seems unlikely to me is the need for criminals to place anonymous and untraceable phone calls in this day and age.

  9. I have a cell phone number from an area code where I haven’t lived in 16 years. I only know a few people from there so if I get a call from an unknown number in that area code, I know I don’t have to answer.

    Also, I got a Google Voice number the last time I moved, which is the number I give to people and businesses if they ask me for a phone number. When I don’t expect a call from such a business, I have Google Voice on Do Not Disturb. This has saved me a lot of annoyance over the last few years. Especially around election time. My wife got literally hundreds of calls in the weeks before the elections last week, I got zero.

  10. “Robocalls (as well as shootings) are a pure U.S. plague.”

    LIES.

    Please never visit the US. Especially the really nice places to live, where people like me shoot back at criminals, and the criminals know it.

  11. -Your car’s extended warranty is about to expire.
    -This is Alice from Visa card service.

    Both of these recordings follow the conference call ‘boop’ sound, much like skype.
    Some are magicJack devices that you can report to the magicJack support line.

    My favorite was an IRS scam. You could hear the tone indicating that the message was some kind of voicemail.
    For those who don’t know, you can hit the # symbol on your phone to access your voicemail from another phone number.
    After hitting #, I tried 1234 as the password. The next thing I hear is “Main Menu.” I changed the greeting, saying it was not the IRS, it was a scam, and to not give personal information to this number. Oh, and I changed the Voicemail Pin so it couldn’t be changed back. I know this isn’t legal, but neither is stealing money from people by claiming to be IRS.

  12. One way to partially combat this practice, answer the call and be an unwitting stooge as long as you can. They are sly though, as soon as you seem to be stalling or wasting their time you hear your old friend BUZZZZZZZZZZ! Now instead of every hundredth call being a sale every tenth call is an asshole like me wasting a telemarketers time.

    1. My wife and I were watching one of those “How movies are made” shows on the discovery channel. One thing that they described was a trick they use to simulate dialog in crowds. They have the extras that make up the crowd say “Watermelon, Cantaloupe” over and over. It creates a convincing murmur. So now when we get a scam call we respond with “Watermelon, Cantaloupe” over and over until they hang up. It’s hilarious when the caller speaks English as a second language. “Mr. Cantaloupe, I am from Microsoft tech support, you have virus…”

      1. Well, it’s a cheap hobby, annoying spammers.

        I’m retired so when I’m just reading my mail or something I’ll entertain the “windows” guy. When I get bored I’ll go to the toilet with the phone to give him an earful, or tell him I’m rebooting and it takes a looooong time with all those viruses ya know, or just “hold on while I get my credit card” and go take a nap.

        Anything which occupies his time keeps him from calling another mark.

  13. I’ve been using PHONETRAY (dot) COM for many years now. It is pretty successful. However, you need to buy a USB Voice modem as it fakes out the callers with pre-recorded audio files. One even sends the AT&T disconnect tone then the standard disconnected message.

    It is so very unique in that it can look at combinations of spoof patterns like the spoofer using your own local exchange (or your exact number) to fool you into answering. You just set it up with wildcards with your area code and local exchange (we have 10-digits here in USA). You know that you don’t know anybody from that exchange and they could call your other phone if they are legit really need you. Just don’t give this number out, so everybody is suspect.

    Block all out incoming calls that are not in your area code (out of state/province). But you can white list those relatives in certain area codes. It’s very flexible. You can black list specific area codes, local exchanges, and specific numbers. You can also have one-click instant address lookup from their website. It checks for spam complaints and potential physical address (if it’s not spoofed).

    It has time of day blocking. It has a database style breakdowns by days or weeks or months. That way you can track trends on multiple spam attempts to you. Some of the audio files are funny too. So you can screw with them. Just turn your ringer off and just let the program do its thing while you listen in background. You can even setup custom ringtones.

    The only way for square Johns like us to get the REAL phone number of callers is to have a real toll free (1-800, or 8xx #, WATS line), not just a 800 forwarding number. Those systems use CALLER-ID and ANI. Most people have never heard of ANI and when they call the WATS line the spoof does not work on it. It’s like calling a 911 number and is ALWAYS identified by ANI. Big companies and banks use it because it’s a free call for their customers and it protects the business from dangerous people trying to hide their identity, and it’s expensive. Never call a WATS line with some stupid shenanigans call, your real physical address (CN&A) is available to phone company security. VOIP won’t help you hide from WATS. ANI is used for telephone accounting purposes. Your home phone also has ANI capability but is not available for monitoring to regular people.

    I believe that ANI monitoring is temporarily activated at your home if you contact the Feds about something very bad in where they need to be at your home to listen to your calls from bad guy callers. It’s not like in Hollywood in where you need to keep them on the line for 30 seconds to trace the call. The trace is instantaneous even before you even answer the call. And the system can be automatically routed to CN&A that displays the exact subscription location of the calling subscriber. I believe it uses the black and yellow pair and not red green pair or tip and ring to send the digital data to the field agent.

    I might not have covered everything about both topics I posted. But you can do your own research. I may even be outdated a bit. In any case I don’t want to connect too many dots here.

    1. ” Never call a WATS line with some stupid shenanigans call, your real physical address (CN&A) is available to phone company security. ”

      Apparently not enough to stop swatting.

      1. @Ostracus – Technically to SWAT someone you have to call 911 and your real subscriber physical address is displayed. But a foreign LEC will not allow 911 access to your police dept if the swatter is in a different or foreign LEC (or different town).

        The swatter would have to call the routine PD number and that would cast suspicion on your fake-arse swat call. I mean who calls a routine PD number to report a man with a gun on the roof? They can still trace the call even on a routine line. The metadata is still preserved on all calls to a PD since they are now matrixed to DHS for natsec reasons.

        Swatting has got to be the stupidest trick to pull as all you’ll get is the swat team at your place instead. Hollywood can be stupid sometimes. They make stuff look so easy and the real deal just laughs at Hollywood’s attempt to connect the dots.

        Just look at how they depict 555 numbers, call tracing, snipers, car evasive moves, car crashes, lock picking, etc. Enemy of the State (movie) depicted the best lock picking scene I’ve ever seen for Hollywood. The 2 NSA-CSS agents used an electric gun key (tell tale sound) and I said “cool!”. It wasn’t instantaneous as others depict it. It was clumsy and slow. And most others always forget the wrench and just use a single rake, and are inside in an impossible NY minute.

  14. We live in a very small town and there are only a handful of numbers on our exchange. It is humorous how many calls come in spoofed with our area code and exchange. The thing is I only give out my google number so if the computer does not also ring, the phone can go to voicemail. My cell rings too but we are far enough out that you can’t depend on cell service.

    Back when I was a kid, many decades ago, we had a problem with a crank caller. The cops and the phone company were as useless back then as they are now. My dad put an end to the crank calls though. He brought his short wave radio into the kitchen and kept it turned on and tuned into one of the heterodyne whistles. He could adjust the pitch with the tuning dial. For the early 60’s it sounded very high tech. Eventually the crank caller called us and dad turned up the radio a bit and started tuning around, and said a bit loudly to my mom, keep him on the line, we almost got him now.. The guy never called back.

    1. @rfi – cool. That’s reverse social engineering!

      Here try this next time: Get a tape recorder and play this YouTube video into it (/watch?v=D7ZZp8XuUTE ). Then answer the call saying this in a gruff terse voice: “Thirteen forty one – This is the major – proceed with your traffic…” That was the time in military format. Then say something like this if they don’t respond: “[touch tone 1-9-9] start trace 13:41”

      You can also have your Telco save metadata of call immediately after disconnect for your local police to followup later by pressing star 57. Then call police on the routine line.

        1. Metadata also includes international telephone numbers. The police could decide to hand it over to a higher power if they deemed it important enough to pursue. But I’m afraid you’re correct, it wouldn’t be important enough for them as it’s just a robocaller from Lagos Nigeria.

  15. I would argue that ISPs should be common carriers and they shouldn’t block *any* ports at all. The issue arising from port 25 is due to a lot of other factors. If these are compromised machines doing the spamming, then we clearly need to improve security. This same blocking of port 25 is one of the things that prevents people from hosting their own email account, rather than entrust their personal correspondence to google or microsoft or whoever.

    In an ideal world, the ISPs would provide a pipe that would be perfectly transparent, simply delivering packets I sent to whoever I address them to and returning any packets that someone addresses to me. Barring physical limitations (blocking DDoS attacks when the sending address can be clearly singled out) there should be no interference inbetween.

    With the phone system, every incoming call demands human time and attention. With internet protocols, I run applications that listen to ports and explicitly receive traffic I’m interested in, and my OS drops all other packets. (On an uncompromised machine) I run programs which send out packets to accomplish tasks and request resources I’m interested in. Anything outside of this definition is automatically dropped on the receiving side or never gets sent out, or is a problem with other higher-level systems and should be fixed there. There’s no need for the “pipe” in between to muck with my traffic and an expectation that it won’t.

    1. Blocking port 25 egress may stop you from running a mail server on a residential connection, but those are generally dynamic IPs anyway, which makes running a server more painful than it needs to be.

      Nowadays anyone who would want to run their own mail server has any number of VPS providers to choose from. And if they properly set up their server’s submission port (587), then the port 25 egress blocking from their ISP isn’t a problem for sending mail to it from home either.

      I’ve been doing exactly this for close to 15 years now (and it was a real server in the garage and we had static IP service for another 10 years before that).

  16. I have a problem with spoofed calls. Only problem is that as soon as I say “hello”, I get dead air. Also, most spoofed calls end after ringing 3x. Whenever I try calling the number back, I get the message that the number is either out of service or has been disconnected. From now on, I ignore any call I don’t recognize.

  17. We need a FCC that isn’t in the pocket of the telcos. Any politician who promised to go after these scumbags would get elected in a landslide.

    Meanwhile, I like to “press 1 to speak to a representative” and lay the phone next to my radio speaker, just to tie up their line (hope they like classical music). If it’s “windows”, and I’m bored, I’ll string them along for quite a while before I admit I’m running Linux, and I know they are criminals.

    The last rumor I heard was that not saying anything when you pick up the phone will reduce the calls. So far that hasn’t worked.

    1. There’s been a spate of these to my number lately, although they’re calling from Sydney or Melbourne numbers. Mostly I ignore them, but occasionally I’ll answer. One fellow asked if I was the main user of the internet, and I said no. He asked to speak to the main user, and I said no. He asked why, and I said the main user wasn’t home at the moment. He wanted to know when he should call back! Then I told him I knew it was a scam, and what would his mother think of his behaviour. He ended up screaming that he needed to talk to the main internet user.

      Another caller, female this time, told me tearfully to “shut up” when I gave her the same treatment.

  18. Not just spoofed numbers. I’ve seen a lot of malicious smartphone apps that will just use the phone number of the phone it is running on. The apps look normal (And are usually generic shovel-ware bullshit), except they ask to be able to make phone calls and request internet access. The app then downloads a list of phone numbers and an audio file. Then it will periodically dial numbers on that list, then play the audio file it got, pushing it into the phone’s audio stream. If the other user hits the proper number, the app would then just transfer them to the scammer’s call center.

    A lot of these apps were your standard “copy whatever is popular at the moment”. My first sample was a Flappy Bird clone. Then there were a few Pokemon Go “companion apps”. Two weeks ago I found some that were ones claiming to help you vote and/or allow you to vote by phone. Although there was a set that was particularly clever, it was intended to be a “Prank” app that lets you put in a phone number and it would call them and play whatever ‘prank’ audio you selected and let you hear the response back.

    (I work for a company that does managed Mobile Device Management. I work in the lab when we see our clients’ managed devices start going wonky, so we’ll run some diagnostics on the phones and then pull any apps we don’t recognize and then rip them apart)

  19. Don’t call back on any scam call! https://www.fcc.gov/consumers/guides/one-ring-wireless-phone-scam

    Google Voice is used by a lot of scammers, and Google doesn’t care. They have no way to report criminal use of their service except for a public forum they ignore.

    One way the scam is done is you put an ad on Craigslist, Facebook Marketplace or some other online sale site.
    You get a text message asking if the item is available.
    You reply that it is.
    The scammer asks if they can call you.
    You reply that they can.
    The scammer’s next text message says to enter the 2 digit code they’ve sent so the call will go through.
    DO NOT DO IT!

    If you enter that code they’ll have your phone number on their Google Voice account. I did that once and the next morning I was getting calls early in the morning about $700 a month house rentals in Boca Raton and other expensive locations in Florida. You can complain to Google until you’re blue in the face GOOGLE DOESN’T CARE! 500 people can post that a specific GV account is being used for scams and Google won’t lift a finger. “Don’t Be Evil” my arse. They’re perfectly willing to sit there and let evil people abuse their Google Voice service.

    After I figured out what was going on, I started asking callers where they’d seen my number. Most would just hang up but eventually some told me. I then looked on the real estate sites and found ads with my number. The scammer stupidly used the same name and e-mail and other information on all the ads. I called them and explained the scam and got them to kill the scammer’s accounts and delete all his ads.

    The calls stopped, for a couple of days. The scammer was now posting fake rental ads in Boston, still with all the same info. Then I found how to take my number back on Google Voice. I had to set up an account and go through a procedure to connect my cellphone number to my GV account. Google did not make that information easy to find. I don’t use my GV account at all. I have it just so that my cellphone number can’t be connected to anyone else’s GV account.

    A few months ago a scammer tried that again. I already had the crook’s number in my phone’s block list from some time before, the second time someone tried that scam on me. It was probably the same guy who got me the first time.

    1. I wouldn’t post a phone number on such an ad. I’d just do the craigslist obfuscated email thing and leave it at that. But that’s probably because the only CL stuff I’ve ever done has been free stuff I’m giving away, which affords me a lot more room to dictate terms and the like.

  20. I’ve been looking for a way to fight spam calls on my land line for many years – I even thought about building my own device but there were always problems that I couldn’t resolve. One problem is the fact that callerID signal doesn’t come in until after the first ring, so even if I design the perfect spam detection system, I will always be annoyed by the first ring. Another problem is random fake callerID so collecting ‘bad numbers’ is an endless task I’d rather not get into. But I think that I have found a solution. I’m considering the purchase of a cordless phone system by AT&T (CL82407) that can be configured to ignore the first ring! Many Panasonic cordless phones do this as well. Combine that with a free service like NOMOROBO and you have the start of a pretty good system. The AT&T phone can also store a white list (allowed) and a black list (blocked) of phone numbers. For numbers that don’t fall into either category – like the spoofed numbers that appear to be in my exchange will get a recording “Press # to continue” or a “Say your name and press # to continue”. This should significantly reduce the annoyance that our land line has become. I only wish I could enter my white list from a PC rather than have to enter them on the phone’s keypad. Another cool feature – another white list where I can add callerID names like “CVS Pharmacy” which is a good robocall. Anyone else try hardware or software solutions to fight spam calls?

    1. If you are going to build your own, ignoring the first ring is not that hard. Sadly for us, we have the world’s least expensive phone service and we only get 4 rings before it goes to vm, so we only get 3 rings after the phone speaks out the CID, and the phone service we have only has basic CID that is only the calling number, not enhanced CID that also commonly has the name as well. I have to say I like the new panasonic cordless phones a lot. The talking CID and the phonebook sync are handy. No more worrying about whose phone has the take out pizza number in it…

    2. >One problem is the fact that callerID signal doesn’t come in until after the first ring, so even if I design the perfect spam detection system, I will always be annoyed by the first ring.

      I thought about this. I would put a relay between the telephone line and the telephone, combined with a ringing detection circuit (basically an optocoupler with a capacitor in series, at least in my country ringing is high AC voltage), an Arduino (or your favorite µC) and a caller ID detection circuit (like the HT9032D, available @taydaelectronics, outputs standard serial @1200baud). In normal state telephone is disconnected. The Arduino waits for a ringing signal, reads the caller ID, matches it against a black- or whitelist and decides to activate the relay or not. If the relay is activated the second ringing (and further ones) will go straight to the telephone.
      2 problems with this approach:
      – you won’t see the caller ID on your phone – workaround: add a display to your spam-fighting-thinggy to show caller ID (and name/other infos if you add some database)
      – if you want to make a call you have to press a button to activate the relay. – maybe you could detect when the phone goes on-hook to automatically switch the relay??

      Just some random thoughts…
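The decision step of the relay design described in the comment above, as an added example (not the commenter's code): it parses one caller ID frame as a demodulator would hand it to the microcontroller, checks the checksum, and closes the relay only for allow-listed numbers. It assumes US-style MDMF framing (other countries may differ); the lists, sample numbers and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { CID_ALLOW, CID_BLOCK, CID_UNKNOWN, CID_INVALID };
/* Constructed example lists (hypothetical numbers, not real subscribers). */
static const char *const ALLOW_LIST[] = { "5550100001", "5550100002" };
static const char *const BLOCK_LIST[] = { "5550199999" };

/* Extract the calling number from one MDMF frame (assumed layout):
 *   0x80, length, {param type, param length, data}..., checksum
 * Returns 0 on success, 1 if valid but no number present, -1 if malformed. */
int cid_parse_number(const uint8_t *buf, size_t n, char *out, size_t outsz)
{
    while (n > 0 && buf[0] == 0x55) { buf++; n--; }  /* channel-seizure bytes */
    if (n < 3 || buf[0] != 0x80) return -1;
    size_t len = buf[1];
    if (n < len + 3) return -1;                       /* truncated frame */
    uint8_t sum = 0;
    for (size_t i = 0; i < len + 3; i++) sum += buf[i];
    if (sum != 0) return -1;             /* all bytes must sum to 0 mod 256 */
    size_t p = 2, end = 2 + len;
    while (p + 2 <= end) {
        uint8_t type = buf[p], plen = buf[p + 1];
        p += 2;
        if (p + plen > end) return -1;   /* parameter overruns the message */
        if (type == 0x02) {              /* calling number, ASCII digits */
            if (plen == 0 || plen >= outsz) return -1;
            for (size_t i = 0; i < plen; i++)
                if (buf[p + i] < '0' || buf[p + i] > '9') return -1;
            memcpy(out, buf + p, plen);
            out[plen] = '\0';
            return 0;
        }
        p += plen;
    }
    return 1;
}

static int in_list(const char *num, const char *const *list, size_t count)
{
    while (count--) if (strcmp(num, list[count]) == 0) return 1;
    return 0;
}

enum verdict cid_classify(const uint8_t *buf, size_t n)
{
    char num[21];
    int rc = cid_parse_number(buf, n, num, sizeof num);
    if (rc != 0) return rc < 0 ? CID_INVALID : CID_UNKNOWN;
    if (in_list(num, BLOCK_LIST, sizeof BLOCK_LIST / sizeof *BLOCK_LIST)) return CID_BLOCK;
    if (in_list(num, ALLOW_LIST, sizeof ALLOW_LIST / sizeof *ALLOW_LIST)) return CID_ALLOW;
    return CID_UNKNOWN;
}

/* Default deny: the relay closes (phone rings) only for allow-listed callers. */
int relay_should_close(const uint8_t *b, size_t n) { return cid_classify(b, n) == CID_ALLOW; }

/* Build a constructed sample frame; out needs strlen(number) + 15 bytes. */
size_t cid_build_sample(const char *number, uint8_t *out)
{
    size_t nl = strlen(number), k = 0;
    out[k++] = 0x80; out[k++] = (uint8_t)(12 + nl);   /* message type, length */
    out[k++] = 0x01; out[k++] = 8; memcpy(out + k, "11051341", 8); k += 8;
    out[k++] = 0x02; out[k++] = (uint8_t)nl; memcpy(out + k, number, nl); k += nl;
    uint8_t sum = 0;
    for (size_t i = 0; i < k; i++) sum += out[i];
    out[k++] = (uint8_t)(0x100 - sum);                /* two's-complement checksum */
    return k;
}

int main(void)
{
    uint8_t f[64];
    size_t n = cid_build_sample("5550100001", f);
    printf("allow-listed caller: relay=%d\n", relay_should_close(f, n));
    f[n - 2] ^= 0x01;                    /* simulate line noise in one digit */
    printf("corrupted frame:     relay=%d\n", relay_should_close(f, n));
}
```

Because the number in the frame is whatever the originating side sent, a match on the allow list only decides whether the phone rings; it does not authenticate the caller.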

    3. We’ve been deprecating our land line for almost a decade now. Whenever it gets a non-spam call, that usually results in a voicemail, which results in us contacting whoever it was to tell them we have better (cell) numbers for them to use.

      I’d just turn that number off, but I can’t quite bring myself to do it, since I’ve had that number for half my life now.

    1. Used to be the Road Runner, beep beep!

      I am also a Spectrum (rhymes with Rectum) sufferer, but we only get internet. We pay $5 a month for VoIP instead of Spectrum’s overpriced service. Buy your own phone box. We have an Obi200 and PhonePower service.
      We’ve never had TV service. Plenty of OTA channels in CNY.

      The 22nd congressional district race’s big issue is Spectrum’s raising of bills. Somehow it’s the incumbent Republican’s fault.

        1. WCNY. We go to Rochester a lot but their WXXI ain’t the same. We watch WCNY TV mostly (PBS) and the other family member watches her English costume dramas on the computer sometimes.

          We had a Verizon land line for 40 years and it got progressively worse; would short out every heavy rain. And was costing $80 a month with basic services (no caller ID, nothing).
          SNIP!!! Ahhhhhh………..

          The Obi box was $50, install was easy, ported our number for a few bucks. We have 911 locator, caller ID, forwarding, voice mail to email, and a load of stuff I haven’t even tried yet. $5 a month; there are even cheaper ones like Google Voice (free) .

          The only downside is that if the cable goes out, the phone goes out too. But we have cell phones for backup, and the cable has seldom gone out.

    1. Oh? All I get on my TracFone phone-phone are frustrated teenagers who find out I’m not their BFF from last year’s school class something. Or frustrated taxi cabs who can’t find their favorite name…… It’s GV I’m more concerned with, and I agree with the one who posted about GV not having the backbone to do the right thing regarding spammers….

  21. Although I get a “few” calls a month from unknown sources in my area code, they basically hang up. My advice is NOT to hang up, and converse with this “human” going by an american name “Bob” “Joe” …and if your house is not on fire, KEEP their dumb ass on the line as long as possible.
    So yeah, you owe them money, IRS, your grandkid is in jail. …..DON’T hang up, they will just call the next Mark. Run them around in circles, give them bogus credit or bank account numbers

  22. I remember posting years ago on how to stop spam. I said, whenever an email message is sent, have a time token or something sent with it along with a randomly generated code. When the server receiving the message get it, if the time code and random code match, the message is delivered to the inbox, else, it goes to the bit bucket.

    Now I remember years ago (2600 Magazine and Activist Times Inc.) that caller ID is sent between the first and second
    ring as others have stated. Now, being that 2 telephone exchanges have to communicate with each other to complete a
    call, why wouldn’t the same sort of query system work? the receiving exchange receives a call supposedly from xxx-xxx-xxxx.
    That xxx-xxx-xxxx exchange is queried for its timecode and random code, if they don’t match, call is never put through.
    Naturally the “real” xxx-xxx exchange would have no record of an originating call.

    For my cell, even though I’m on the useless do not call list, if someone calls, they get the SIT tone (the beep beep beep you
    hear before you get a disconnected or not in service message). So a caller would hear “beep beep beep” Please leave a message BEEEP” That’s it, no name, no other identifying information.
    This would also stop those annoying robo-voice mails. (….to lower your card rate press one now”)

    Another idea is to set up a ring tone for every person in your contact list.
    Then you make a ring tone that is the default ring tone that is nothing but silence.
    Your phone will ring for those in your contact list, but be silent for those that aren’t.
    The only downside to this is, if you’re expecting a call from someone not in your contact list,
    the phone wouldn’t “ring”. I guess the solution to this now that I think about it is, if you’re expecting
    a call and you know the number it’s coming from and you don’t want to add the caller to your contacts,
    you can always put your phone on vibrate for a little while.

    As for my spam, if I get an email addressed to “John Public” I know it’s spam and straight to the bit bucket it goes unread.
    For those forums that want an email address? me@yourisp.com
    For those Microsoft technical support scams? One question makes them hang up. “What’s my IP address?”
    Obviously if these bottom feeders can “tell there’s a problem with your computer” they must know your IP address right?
    Riiiiight? Their response is usually CLICK!
    Or I say, “Really? That’s funny since I don’t have a computer.” That one usually confuses them for a few….

    Then you have those phony “Hi grandpa, it’s johnny and I’m in trouble and need money.”
    Those are the funniest ones. I usually reply “this IS johnny, who the hell are you?”

    Unfortunately, there are websites (zabasearch etc.) that list people, their relatives etc. that make this scam possible.

    Spammers and robocallers will always try to find out ways to outsmart technology and people.
    As for me, I’m originally from NJ, and have a wit so sharp, I haven’t met a spammer/robocaller I haven’t ticked off in
    one way or another. One lesson I’ve learned over the years never get into an argument with an idiot.
    They’ll lower you to their level and beat you with experience.

    -Signed, one curmudgeonly old fart that yells “get off my lawn!”

    1. John Q. Public said:
      “-Signed, one curmudgeonly old fart that yells “get off my lawn!””

      -Signed, one curmudgeonly old fart that yells “get off my PHONE!”
      There – fixed that for you.

      I did various things like taking a while to find my credit card, losing my place part way through reading off the (fake) number and having to restart over and over and over again, etc. One time I claimed my CC number was “five. Just five. I can’t see very well”. I think I started to “cry” when the guy at the other end pushed me to keep going. One time I tried to concoct a scenario where my big angry dog (audio sound effect) stole my CC and wouldn’t give it back and I chased the dog around, and that went on for a while. But that got old after a while and I just gave up on that stuff and moved on…

      1. I DO yell at kids to get off my lawn. :) What I don’t understand is, with all the time and equipment these robocallers etc. have, why they can’t work a regular job and earn an honest living?

  23. (In the voice of Jerry Seinfeld)…
    What is this obsession people have with having to answer the phone when it rings? Gotta answer it!!! Gotta get that call!!! Is this an example of a Pavlov reaction?

    Granted, when one missed a call back in the day of rotary phones, there was no way to know who it was and whether it was important. So yeah, gotta get that call. When touchtone came in, I don’t know if the “Star 69” callback thing was available or even known early on. So, OK, gotta get that call. (As bad as things are with today’s lousy caller ID regime, imagine what it would be like without any caller ID at all?)

    But now, on my android cell, I have a robust contact list, and the ‘Do not disturb’ set to only ring if it’s from the contact list. Even then I usually let it go to voicemail unless I’m expecting a call, and I tell frequent users to also/either send a text if it’s important, to give me an extra goose to check it. So far, that system has kept all the vermin away. And of course someone who’s not in the contact list can still leave a message – this allows me to check at MY convenience if the IRS is about to arrest me.

    On my legacy landline number, which I keep alive via Vonage voip (for legacy friends and relatives), I have the ringer muted and always let it go to voicemail, and after the call ends, Vonage sends me an email with the speech-to-text conversion of the call & message. So far it’s been Windows repair services, duct cleaning, and politicians. Again, these messages were checked at MY convenience. So no biggie – just more spam emails.

    1. Well, I wish there weren’t spam/robocalls/advertising at all. I think after over a half century on this planet, I’d be enough of a smart cookie to know when I want something. AARP kept sending me crap in the mail I didn’t ask for.
      Called em up and got off their mailing list. Unless the number is one I know and is in my contact list, I don’t even bother to check the voice mail. Maybe it’s just me, but I consider my time priceless and quite valuable.
      Why should I spend time and attention dealing with stuff that doesn’t concern me?
      If I wanted a lower interest rate on my card, I’d contact my bank. If I wanted (insert item here) I’d buy it.
      I remember when I was a kid, mail was for letters, not all the junk you get nowadays, and the phone was for
      talking to people. I remember one call where the guy actually said to me, “I thought you’d like….” and I replied,
      so, you’re in the business of getting paid to think for me? Wow, I started doing that when I was 2, and at my age,
      I think I’ve gotten quite good at it. CLICK! As far as the IRS arresting me, never had that one happen to me, but
      aren’t such things handled in civil court rather than criminal?

  24. I’ve received a spoofed call which linked back to the local county 911 dispatch. Don’t know how they managed to make the call reach that number, but I reported the incident to the local sheriff. Since that incident I no longer even answer unknown numbers. If someone (human) really wants to talk to me they can leave a message or text ahead.

  25. Isn’t it amazing we’ve had to come to this? The whole caller ID system needs an overhaul, but with all the current stuff
    out it would be quite a major undertaking. I still think my idea of a timecode/random code query is a good idea.
    If the caller ID system is software, how hard can it be to program something like that in?

    Doc, as for the 911 dispatch, caller ID is generated using standard frequency shift keying.
    If you’re old enough to remember the sound of a dialup modem, that’s the sound that gets transmitted between the first
    and second ring, a short modem burst that a caller ID device demodulates and displays.

    1. Caller ID has been meaningless for years. In fact, years ago, I decided to communicate that fact to friends and family by modifying my own Caller ID settings with my cell phone company using their web management customer interface. I decided to use something harmless and sort of amusing, but others could have made it say anything. Just think of the deception potential!!

      1. There’s the problem. The government agencies who regulate telecommunications shouldn’t allow that editing. Caller ID should be required for all businesses AND be required to be factual. For private phones the choice should be to either have correct information or no information at all. There should be exceptions for places like shelters for domestic violence victims and safe houses for witness protection.

        Could also allow complex phone systems where multiple numbers at a business all need to show as one number for incoming calls to the system BUT that one number and other CID info should have to be real.

        Eliminating caller ID spoofing is not an insurmountable problem, the telco regulators and the telcos themselves just won’t make moves to end it until they’re forced to.

        It was the same with “slamming” and “cramming” where people who weren’t the ones paying for the service could switch your number to another telco and/or add extra cost services the number owner never requested. You had to contact the telco and specifically request that they *do the right and ethical thing* to disallow all such changes without your permission. IIRC some laws finally got passed to force the telcos to always require permission from their customers for such changes. I had my landline slammed once. Suddenly was getting a bill, at higher cost, from a different telco. That’s when I found out about slamming and how it was up to the customer to verbally beat the telco about the head and tell them it’s not OK to be unethical.
