We are getting more spoofed CID calls recently, with the icing on the cake being a spam caller reaching us using a phone number CID that belongs to our company. I was thinking of leveraging what’s been going on with attestation lately to make a spam challenge for calls coming into our FreePBX.
I think I want to create a dynamic route (if possible; I can do it in dialplan too) so that if the inbound call has an attestation of C, the caller is prompted to press a random digit before going forward in the PBX. I’ve not seen where the letter grade is being assigned to the call. I believe it is in the SIP headers, but I am not sure which one, or what command I can use to expose the specific header (or, less ideally, all of them).
Can anyone provide any insight here? Is anyone doing something similar to achieve the same results (looking at the attestation of an inbound call)? Thanks all!
I am using Ringsquared for the provider, and they say they are sending it. I will turn on sip debug and capture the logs to share.
I did see this, STIR/SHAKEN in Asterisk ⋆ Asterisk, but if I turn this on, will it mess up my outbound calls on this trunk? I am looking just to review the inbound attestation with as little impact to the overall system as possible.
Currently I would not recommend it; we still have further development to do to update it to recent standards so it works properly. Certificate verification will likely fail as a result.
It’s a Call-Info header. While I can’t see where “method” is a valid standard parameter, it could be something custom being done by the carrier via Metaswitch. It probably looks weird because of that, and you generally don’t see providers sending a Call-Info header with a call.
I’ll check with the vendor, but there’s nothing in there to suggest they are sending attestation to us, right? Where would it normally show on the INVITE message?
I will follow up with the vendor to see how it can be passed. @Stewart1 once it is passed, how do I access the headers in the dialplan? P-attestation-indicator, for example.
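For reference on where the attestation sits in an INVITE (an added example, not part of the thread and not Asterisk or FreePBX code): STIR/SHAKEN carries the level in the `attest` claim of the PASSporT token in the SIP `Identity` header, and some carriers copy it into a plain header such as the P-Attestation-Indicator mentioned above. The sketch reads either one from a constructed INVITE; it does not verify the signature, so the result is only an unverified label, and all hosts and numbers are made up.

```python
import base64
import json

LEVELS = ("A", "B", "C")

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_identity(attest):
    """Build a constructed Identity header value; the signature part is a dummy."""
    head = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
            "x5u": "https://cert.example.invalid/sp.pem"}
    body = {"attest": attest, "dest": {"tn": ["15555550100"]}, "iat": 1700000000,
            "orig": {"tn": "15555550123"}, "origid": "constructed-origid"}
    return (f"{_b64url(head)}.{_b64url(body)}.ZHVtbXk"
            ";info=<https://cert.example.invalid/sp.pem>;alg=ES256;ppt=shaken")

def sample_invite(extra_headers):
    """Constructed INVITE (not captured traffic) with the given extra header lines."""
    lines = ["INVITE sip:15555550100@pbx.example.invalid SIP/2.0",
             "From: <sip:15555550123@carrier.example.invalid>;tag=constructed",
             "To: <sip:15555550100@pbx.example.invalid>", *extra_headers, "", ""]
    return "\r\n".join(lines)

def headers_of(message):
    """Map lower-cased header name -> value; stops at the blank line before the body."""
    found = {}
    for line in message.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        found[name.strip().lower()] = value.strip()
    return found

def attestation(message):
    """Return (level, source), or (None, None). The value is read, never verified."""
    hdrs = headers_of(message)
    try:
        token = hdrs["identity"].split(";")[0]
        part = token.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
        level = str(claims["attest"]).upper()
        if level in LEVELS:
            return level, "identity"
    except (KeyError, IndexError, ValueError, TypeError):
        pass  # no Identity header or unparsable token: try the carrier header
    level = hdrs.get("p-attestation-indicator", "").upper()
    return (level, "p-attestation-indicator") if level in LEVELS else (None, None)
```

A call with neither header returns `(None, None)`, which is a separate case from a C and should be routed as its own category.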
A good example of my previous statement would be that Peerless (and its other entities) are known for housing spammers. Those spammers use Peerless DIDs on the Peerless network, which gets them an A attestation. Meanwhile meemaw, still on a carrier using SS7 with her 50-year-old POTS line, will get either nothing or a C. Which means at the end of the day blocking C and allowing A scores means you blocked meemaw but let the spammer through.
They are a large carrier that is under the net of a parent company that owns 3-5 carriers. All of which have been known to house shady actors. A lot of robo calling can be traced back to their DIDs.
I considered that same thing and was scolded for considering it. The person told me that was not the intent of STIR/SHAKEN and that it was not my place to pursue the idea. I still believe that it has the potential to be a useful tool in an anti-spam toolbox.
For testing and data collection purposes, I added a feature to my system that sends me an email message with the attestation information for every inbound call. FlowRoute is my provider.
What I can say is that STIR/SHAKEN is not widely enough deployed to rely on attestation for anything other than curiosity-level information. In the future that should change, but for now I would not try to use it even to prompt for a CAPTCHA.
I would be more than happy to share my notification code if anybody is interested but I have only tested it on my system.
I have been running a CAPTCHA type spam-block on my system since 2012 and it is amazingly effective. My only problem now is that CAPTCHA fails are sent to “Lenny” and the volume of my Lenny recordings that are dead air or pre-recorded messages is getting too high.
However, just a few days ago I started testing a “greylist” feature and intend to develop a module that will let users implement it on their systems. I believe that, for my needs, such a feature will be very useful.
Would be interested in seeing what you have implemented. We are trying to come up with an adapted system that is on all the time, with the ability to turn it on for all calls if there is a large attack.
I have this idea, though I have not pursued it or fully fleshed it out.
Check if “greylist everything” switch is turned on, if yes send call to challenge
Check if caller id is on greylist or private/blocked, if yes send call to challenge
Check if caller id has called x times in y seconds, if yes send call to challenge
Check if DID has been called x times in y seconds, if yes send call to challenge
Otherwise let call pass normally
Would be interested in seeing what you have come up with
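The checks listed in the post above, written out as a decision function (an added example, not the poster's code and not a FreePBX module). The class and reason names, the list of withheld caller ID spellings, and the reading of "x times in y seconds" as "this call is the x-th or later inside the window" are assumptions.

```python
from collections import defaultdict, deque

# Assumed spellings of a withheld caller ID; adjust to what your trunk presents.
PRIVATE_CIDS = {"", "anonymous", "private", "restricted", "unavailable", "unknown"}

class ChallengeGate:
    """Decides 'challenge' or 'pass' per inbound call, following the posted checks."""

    def __init__(self, max_calls, window_s, greylist=(), challenge_all=False):
        self.max_calls = max_calls          # the post's "x"
        self.window_s = window_s            # the post's "y" (seconds)
        self.greylist = set(greylist)
        self.challenge_all = challenge_all  # the "greylist everything" switch
        self._by_cid = defaultdict(deque)
        self._by_did = defaultdict(deque)

    def _hit(self, history, key, now):
        """Record a call and report whether it is the x-th or later in the window."""
        calls = history[key]
        while calls and now - calls[0] >= self.window_s:
            calls.popleft()                 # drop timestamps that left the window
        calls.append(now)
        return len(calls) >= self.max_calls

    def route(self, cid, did, now):
        """Return (action, reason) for a call from `cid` to `did` at time `now`."""
        private = (cid or "").strip().lower() in PRIVATE_CIDS
        # Count first: an early return must not hide this call from the counters.
        cid_hot = not private and self._hit(self._by_cid, cid, now)
        did_hot = self._hit(self._by_did, did, now)
        if self.challenge_all:
            return "challenge", "switch"
        if private:
            return "challenge", "private"
        if cid in self.greylist:
            return "challenge", "greylisted"
        if cid_hot:
            return "challenge", "cid-rate"
        if did_hot:
            return "challenge", "did-rate"
        return "pass", "normal"
```

Because spoofed caller IDs rotate, the per-DID counter is the one that still trips when every call in a burst presents a different number.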
The CAPTCHA system that I currently run is deceptively simple.
I used a module called “Dynamic Routes” that allows you to route calls using results from a database. For my personal home line, if your CID is not on the whitelist, then you are sent to an IVR that simply asks you to press 7, at which point my phone rings. If you do not press anything, you are routed to Lenny. Bots, scammers and others that use predictive dialers never hear the request to press 7 so they are sent to Lenny.
My main business line is similar, but with a more appropriate outgoing message.
My intent for a greylisting system is as follows:
“Whitelist” and “pinklist” calls ring through directly
“Blacklist” calls (This feature is one I won’t implement) are dropped
“Greylist” calls are added to “Pinklist” and ring through
Unknown callers hear “Call could not be completed. Please hang up and try again” and are added to greylist. A human will just try again, whereas a bot will either skip it or even actually delete the number from its list.
Both the greylist and the pinklist will expire CIDs after a specified period of time.
I am currently testing this on a couple of my lines. Too early to know how effective it is.
My opinion is that this system will be very effective at blocking scammers. Less so at blocking salespeople, so for that you would probably send “pinklist” callers to the challenge.
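The greylist and pinklist transitions described in the post above, as a small state machine with expiry (an added example, not the poster's module). The class name, the TTL defaults, and sending withheld caller IDs to a challenge are assumptions; the blacklist is left out, as in the post.

```python
class Greylist:
    """Greylist/pinklist states for caller IDs, with per-list expiry."""

    REJECT_PROMPT = "Call could not be completed. Please hang up and try again"
    WITHHELD = {"", "anonymous", "unknown"}   # assumed spellings of a withheld CID

    def __init__(self, whitelist=(), grey_ttl=600, pink_ttl=30 * 86400):
        # TTL values are assumed defaults; the post only says entries expire.
        self.whitelist = set(whitelist)
        self.grey_ttl, self.pink_ttl = grey_ttl, pink_ttl
        self.grey = {}   # cid -> time the first (rejected) call arrived
        self.pink = {}   # cid -> time the caller was promoted

    def _expire(self, now):
        self.grey = {c: t for c, t in self.grey.items() if now - t < self.grey_ttl}
        self.pink = {c: t for c, t in self.pink.items() if now - t < self.pink_ttl}

    def handle(self, cid, now):
        """Return 'ring', 'reject' or 'challenge' for a call at time `now` (seconds)."""
        self._expire(now)
        if (cid or "").strip().lower() in self.WITHHELD:
            # Assumption: all withheld callers would share one list entry, so a
            # second anonymous caller would be promoted by the first one's call.
            return "challenge"
        if cid in self.whitelist or cid in self.pink:
            return "ring"
        if cid in self.grey:
            # The caller tried again inside the greylist window: promote and ring.
            del self.grey[cid]
            self.pink[cid] = now
            return "ring"
        # Unknown caller: play REJECT_PROMPT, remember the CID, and hang up.
        self.grey[cid] = now
        return "reject"
```

A short greylist TTL keeps a number that was spoofed once from staying promotable for long, while the pinklist TTL controls how often a legitimate caller has to redial.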