Robo / Spam Calls

Is there a decent csv file out there that has a recent list of common spam numbers, that one could import into the Blacklist in Freepbx?

Meaningless for the most part. Spam calls are usually created with a new CID for each call.


man, that sucks :slight_smile:

We have had one customer get spam calls from their own cell phone to their own cell phone! Spam calls are getting too crazy and we need number verification like we do with DNS.


I wouldn’t hold my breath on any sort of “number verification” service like DNS. I’m not sure what it would actually verify or do. Even if the number comes back “valid” there is nothing to show that the person on the other end of that call is a valid user of that number or a spam caller. The closest you’re going to get is a blacklist service like SPAMCop, etc. Which would be a database holding CallerID’s of known spam calls. That database could be dipped into or just like the op was requests, dump a csv file for local importing.

However, unlike email SPAM you won’t be able to have things like SPF records which tell SMTP servers doing lookups “Email from this domain can only come from these IPs” since all your incoming calls come for a trusted IP, your provider. Even with looking up to see if the number is “assigned” can cause false positives. The number can show assigned by the upstream carrier of record because it’s assigned to me but then I could just have it in stock or I could assign it to another person or even provider, who in turn assigns it or not.

There are things that could be verified like if the CallerID format matches a specific format. Some send all 0’s or all the same digit. Some will send a valid area code but then a invalid format (zero’s where there shouldn’t be zero’s, etc) or valid the length because sometimes it’s under 10 digits or even 7 and you know that isn’t right. Outside of that, it would be hard to verify a number.

The other thing you have to keep in mind is that outbound call centers will get real numbers in the ares they are calling because they either want to be called back OR they are skirting as much legal gray area as possible. Sure they are robo calling you but it’s their number, can’t slam them for fraud or misrepresentation.

@mike366 I would look a little more. There are tons of “bogon” lists for bad IPs, domains, etc. I’m sure someone has one for bad CallerID’s. It might not be a commercial service or offering it might just be someone that complied it and shared it somewhere on the Internet.

Here’s one, but it’s a massive list each day:

1 Like

… except that the spammers that are calling me (mostly to help forgive my student loans from the 1970s) are all now using real caller ID numbers of real people. Many of these people are just as annoyed about this as we are.

Cold calling is going to go the way of anonymous forwarding email server. I have thought about sending all calls that come to my numbers to an IVR that checks to make sure I know who people are. Anyone with a “new phone” will have to jump through the hoops.

And that’s why there are services and features like “Privacy Manager” in FreePBX, exactly for that.

[quote=“cynjut, post:7, topic:51379, full:true”] I have thought about sending all calls that come to my numbers to an IVR that checks to make sure I know who people are. Anyone with a “new phone” will have to jump through the hoops.

We just have all of our main TNs come thru a simple IVR at a minimum and screening enabled for any TNs that get frequented. Kicks almost all of the robocalls. Also have a block for restricted and anonymous that black holes them to ‘never gonna give you up’ in a loop.

Having personally played with the gov’s "do not call list " over a couple of years, I will make some observations, the full list is now approaching 300000 , BUT the real calls you get are almost always spoofed, and any number of legitimate businesses including Amazon and Fedex and the some USPS numbers are on that list.

The apparent old lady in Wheeling West Virginia who called is not the one trying to sell you Viagra or insurance. . .

Filing a complaint gets you nowhere . . .

You can’t stop Religious/Political/nor any party you do business with . . . .

Many robo-callers are bots, merely answering the call with voice is only when you get bridged to an agent on the caller side, answering and not speaking will get a hangup after a few seconds . One somewhat effective solution here worth exploring might be is sending unknown calls to a context that detects speech in the first few seconds (human generated calls) , asterisk’s amd() (answering machine detection) is a possibility, which will exit gracefully if a human is detected. Yes it is designed for outbound calls but the logic is the same for any call. If speech is detected, carry-on carrying-on :slight_smile:

Many other spam calls are well constructed and sound like a real person (that’s often called “human engineering” which I believe it was invented by a Nigerian Diplomat) , the trick here is you say something, anything , real people tend to stop speaking then and listen to you, if they don’t then there is a fair chance it is either your mother-in-law or a bot. either way I would hang-up at that decision point.

Your on to something here. Just not sure AMD is accurate enough for it. At Sangoma we have a product we use to sell called Lyra which was a great CPA (Call Process Analizer) that companies like Genesis used for along time among others. Maybe time to look at bringing it back for a service offering like this.

Yes AMD is hit or miss but the fundamentals it uses are pertinent.

(I analyzed my CPA before he absconded to Andorra with my money , once bitten . . :wink: )

1 Like

Yes, Please!

It’s coming. The protocols are called “shaken” and “stirred”. The system will use public/private key signatures to authenticate caller id. Once this is adopted by the phone networks, spoofing (and robocalling) will be ended once and for all.

1 Like

Haha! I can’t wait till the Protocol McProtocolface gets released and adopted. I predict that by the end of the century we will be teaching people how to learn IT using only meme style names. Java already started brewing it with their Java beans.

Posting this from within Linux Mint using Cinnamon with spices


No offense to this forum, but welcome to VoIP. Anyone using FreePBX with a little bit of code-slinging-fu can modify the CID to match the first 6 digits of the number dialed, then pick any 4 except the number dialed & present that as CallerID. Or pick any CID you like & send that.

Maybe the VoIP providers could step up & filter these sorts of shenanigans. I can’t see where anyone else in the chain would be able to.

Here’s what works for me: My cellphone is configured to call out the incoming call information. It will say “Call from” and then if the number is in my Contacts it will call out the name & which phone (home, work, etc.) and if not in Contacts it will just read off the number. When a call comes in, if it starts calling out numbers, I ignore it. All I have to do is make sure anyone I want to talk to is in my Contacts & Bob’s yer uncle. PS: I disabled voicemail too, so I’ve got that going for me.

I’m not sure what that is supposed to mean. It being VoIP has nothing to do with CallerID Spoofing or incorrect CallerID. If I set my CallerID to show “Blaze Studios <3135551212>” for example and then I call a Verizon number it is now up to Verizon to either honor what I presented as the CallerID or they will do their own CNAM lookup against 3135551212 and if what I have in the CNAM database is “Blaze Voice” then the Verizon user is going to see “Blaze Voice <3135551212>” because that’s what Verizon is going to present. However, the next carrier I call (let’s say ATT) may very well honor what I present as the CallerID so the user will see “Blaze Studios <3135551212>”.

Now even though the carrier may or may not have accepted my presented CallerID, it doesn’t matter because now the local device, be it your cell phone, another type of phone or a PBX may use their local “Phonebooks/Contacts Lists” to change the CallerID Name to whatever is in the phonebook/contacts database locally. So at this point it doesn’t matter what CallerID was honored by the carrier as the local user is now overriding it when it gets to their device.

Then there is the fact that many ITSP’s and carriers offer CallerID Name as an additional service for their DIDs. Some people make not even have CallerID Name enabled on their account so that means not only is the presented CallerID stripped by the destination carrier, they don’t do a CNAM Lookup either. At best you might get “Detroit MI” or some other generic name or perhaps no names at all just numbers. Again though, the local device (PBX/cell phone) contact’s list will still present the locally stored name that is saved for the number.

The only thing an IP PBX (like FreePBX) vs a Legacy PBX does different with CallerID is that a Legacy PBX 99% relies on the carrier to provide them with CallerID and 1% on a local contact lists (as many don’t support such a feature). However, with something like FreePBX you can run HTTP/cURL or other IP/web based requests to pull CallerID from numerous sources overriding what the carrier has presented.

So in the context of this conversation and topic it’s not “Welcome to VoIP” it’s “Welcome to Telephony” because CallerID spoofing is not a VoIP only issue. It’s an issue that has existed since before VoIP.

1 Like

Not trying to pick a fight, but you are apparently looking at this from the receiving end more than as a sender. I was referring to the difference between your telco provider sending the number they’ve assigned to you on a PRI, vs. VoIP sending whatever number you enter in (e.g.) FreePBX. Once the callee receives the number, yes, their cellphone pulls details from Contacts or their carrier pushes the name that’s associated with the incoming number; but the VoIP CallerID number that’s sent can be altered by many ways at the point of origin, NOT at the carrier’s switching station.

We went through this at the Call Center; where we were getting a lot of missed calls. Turns out, people would move (e.g.) from Indiana to Florida & keep their old cellphone numbers. Our FreePBX sets outbound CallerID by the Area Code, to present the main office number for that State (because a lot of people dodge toll-free calls too). When the called Area Code is not from a state we serve, we just present the main office number – which was NOT in the state being called. So our customers would see what (to them) looked like an out-of-state call & dodge it, missing important communications in the process of delivering their Service to them. Then they’d complain that “nobody called me”. So that’s how I found out how easy it is to send whatever CallerID I want on VoIP. When I worked on “Legacy PBX” systems (mostly Nortel & Avaya) and POTS, this issue never came up.

I’d like to hear how a Legacy PBX on a PRI can spoof CallerID, though. I’ve never even thought much about it until I had to fix it here.

Sure. Here’s a device that does it over copper lines.

I had a Cap’n Crunch whistle too. :wink:

Boxing the phones is great fun, but I still say it’s way easier in VoIP.