SITR/SHAKEN implementation in effect today (June 30 2021)

Michael Thomas mike at
Fri Jul 2 17:23:43 UTC 2021

People who are actually interested in this subject are well advised to 
read this thoroughly because it equally applies to SIP spam with a 
system far less complex and far fewer gaping security holes as STIR.


On 7/2/21 8:54 AM, Paul Timmins wrote:
> Fun part is that just because it's a telnyx number with a checkmark, 
> it doesn't mean the call came from Telnyx, just that the call came 
> from a carrier that gave the call attestation A. As the carrier, we 
> can see who signed the call (it's an x509 certificate, signed by the 
> STI-PA, with the carrier's name and OCN in it) and hold them 
> accountable for the traffic, which is huge.
> But that's where the confusion will lie - a customer might say well 
> this is a verizon wireless number, i'll yell at them! But the actual 
> call came in through Lumen, and they're the ones who can stop it. A 
> carrier can see the cert, but you can just get the verstat flag from 
> the P-Asserted-Identity field in the call to the handset and see that 
> it passed the tests for attestation A.
> Just because you don't see a checkmark doesn't mean signatures aren't 
> happening. Attestation B and C aren't displayed on the handset (but 
> are seen in the carrier's systems) and most androids don't have a way 
> to display stir/shaken stuff yet. T-Mobile doesn't send the verstat 
> header to handsets they don't verify as s/s compliant (usually only 
> ones they sell). My trick was to sim swap into an iphone for a day, 
> then back to my android which started displaying the verification 
> after that.
> It's all new, but just because you don't see it doesn't mean it's not 
> there. Report the calls to your carrier, they have new tools to track 
> down the misbehavior.
> On 7/2/21 8:32 AM, Nick Olsen wrote:
>> Not all have implemented it yet. But if you haven't. You were 
>> supposed to implement some kind of robo calling mitigation plan (Or 
>> atleast certify that you have one). At $dayjob we're fully deployed 
>> (inbound and outbound).
>> I received my first ever STIR/SHAKEN signed (iPhone Check mark, 
>> highly scientific) spam call on my personal Cell phone on 6/30. It 
>> was a Telnyx number. Had the call terminated to $dayjob network. I 
>> fully would have collected all various information and ticketed it 
>> with Telnyx.
>> Time will tell how truly effective this is. But we have better 
>> originating information now (breadcrumbs) to follow back to the source.
>> On Thu, Jul 1, 2021 at 5:42 PM Andreas Ott <andreas at 
>> <mailto:andreas at>> wrote:
>>     On Thu, Jul 1, 2021 at 12:56 PM Keith Medcalf
>>     <kmedcalf at <mailto:kmedcalf at>> wrote:
>>         ... and the end carrier is making money for terminating them. 
>>     Survey (of n=1) says: nothing has changed, aka the new technology
>>     is not working. I just received the same kind of recorded message
>>     call of "something something renew auto warranty" on my AT&T
>>     u-Verse line. This time when I called back the displayed caller
>>     ID number it was ring-no-answer, versus the previous "you have
>>     reached a number that is no longer in service". By terminating
>>     the call the carrier made probably more money than it would cost
>>     them to enforce the new rules.
>>     Other than the <> portal, is
>>     there a new way to report the obvious failure of STIR/SHAKEN?
>>     -andreas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the NANOG mailing list