<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Fun part is that just because it's a Telnyx number with a
checkmark, it doesn't mean the call came from Telnyx, just that
the call came from a carrier that gave the call attestation A. As
the carrier, we can see who signed the call (it's an X.509
certificate, signed by the STI-PA, with the carrier's name and OCN
in it) and hold them accountable for the traffic, which is huge.</p>
<p>But that's where the confusion will lie - a customer might say,
"Well, this is a Verizon Wireless number, I'll yell at them!" But the
actual call came in through Lumen, and they're the ones who can
stop it. A carrier can see the cert, but you can just get the
verstat flag from the P-Asserted-Identity field in the call to the
handset and see that it passed the tests for attestation A.</p>
<p>Just because you don't see a checkmark doesn't mean signatures
aren't happening. Attestation B and C aren't displayed on the
handset (but are seen in the carrier's systems) and most Androids
don't have a way to display STIR/SHAKEN stuff yet. T-Mobile
doesn't send the verstat header to handsets they don't verify as
s/s compliant (usually only ones they sell). My trick was to SIM
swap into an iPhone for a day, then back to my Android which
started displaying the verification after that.</p>
<p>It's all new, but just because you don't see it doesn't mean it's
not there. Report the calls to your carrier, they have new tools
to track down the misbehavior.<br>
</p>
<div class="moz-cite-prefix">On 7/2/21 8:32 AM, Nick Olsen wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAPr_aJbG+8Xb7nydCA6ScBi4fuGNo1VNdTzb1i8pEqR4JyUXzg@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Not all have implemented it yet. But if you
haven't, you were supposed to implement some kind of
robocalling mitigation plan (or at least certify that you have one).
At $dayjob we're fully deployed (inbound and outbound).
<div><br>
</div>
<div>I received my first ever STIR/SHAKEN signed (iPhone check
mark, highly scientific) spam call on my personal cell phone
on 6/30. It was a Telnyx number. Had the call terminated to
$dayjob network, I fully would have collected all various
information and ticketed it with Telnyx.</div>
<div><br>
</div>
<div>Time will tell how truly effective this is. But we have
better originating information now (breadcrumbs) to follow
back to the source.</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Jul 1, 2021 at 5:42 PM
Andreas Ott &lt;<a href="mailto:andreas@naund.org"
moz-do-not-send="true">andreas@naund.org</a>&gt; wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Jul 1, 2021 at
12:56 PM Keith Medcalf &lt;<a
href="mailto:kmedcalf@dessus.com" target="_blank"
moz-do-not-send="true">kmedcalf@dessus.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">... and the end
carrier is making money for terminating them. </blockquote>
<div><br>
</div>
<div>Survey (of n=1) says: nothing has changed, aka the
new technology is not working. I just received the same
kind of recorded message call of "something something
renew auto warranty" on my AT&amp;T U-verse line. This
time when I called back the displayed caller ID number
it was ring-no-answer, versus the previous "you have
reached a number that is no longer in service". By
terminating the call the carrier made probably more
money than it would cost them to enforce the new rules.</div>
<div><br>
</div>
<div>Other than the <a href="http://donotcall.gov"
target="_blank" moz-do-not-send="true">donotcall.gov</a>
portal, is there a new way to report the obvious failure
of STIR/SHAKEN?</div>
<div><br>
</div>
<div>-andreas</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
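<p>Added example, not part of the original messages: the top reply in this thread separates what a handset sees (the verstat flag in P-Asserted-Identity) from what a carrier sees (the signed token naming the attestation level and the signer's certificate). The Python below decodes both from one constructed SIP message. The numbers, hostnames, origid and signature placeholder are made up, carrying both headers in one message is a simplification, and the code decodes without verifying the signature or the certificate chain.</p>

```python
import base64
import json
import re

# Constructed sample: claims, numbers and hosts are made up for illustration.
def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "ES256", "ppt": "shaken", "typ": "passport",
             "x5u": "https://cert.example.net/sti.pem"}),
    _b64url({"attest": "A", "dest": {"tn": ["15555550123"]}, "iat": 1625241600,
             "orig": {"tn": "15555550100"},
             "origid": "00000000-0000-4000-8000-000000000000"}),
    "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",  # placeholder, not a real ES256 signature
])
SAMPLE_INVITE = (
    "INVITE sip:+15555550123@ue.example.net SIP/2.0\r\n"
    "From: <sip:+15555550100@example.net>;tag=1\r\n"
    "P-Asserted-Identity: <sip:+15555550100;verstat=TN-Validation-Passed@example.net;user=phone>\r\n"
    f"Identity: {SAMPLE_TOKEN};info=<https://cert.example.net/sti.pem>;alg=ES256;ppt=shaken\r\n"
    "\r\n"
)

def _decode_segment(seg):
    # base64url segments in a PASSporT drop their padding; restore it first
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def inspect_call(sip_message):
    """Decode (not verify) the verstat flag and PASSporT claims of one SIP message."""
    headers = {}
    for line in sip_message.split("\r\n")[1:]:  # skip the request line
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    result = {"verstat": None, "attest": None, "origid": None, "x5u": None}
    m = re.search(r";verstat=([A-Za-z-]+)", headers.get("p-asserted-identity", ""))
    if m:
        result["verstat"] = m.group(1)  # what the handset leg carries
    identity = headers.get("identity")
    if identity:  # what the carrier sees: signed token plus certificate URL
        token = identity.split(";", 1)[0].strip()
        head, payload, _sig = token.split(".")
        claims = _decode_segment(payload)
        result.update(attest=claims.get("attest"), origid=claims.get("origid"),
                      x5u=_decode_segment(head).get("x5u"))
    return result
```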
</body>
</html>