Ask HN: Why do I get robocalls from recently-called area codes?
Over the past few weeks, I've started receiving robocalls from area codes that I happen to have just called or received a call from.
At first I thought this was just me noticing a pattern that wasn't really there, but when I looked back at my phone records I could see that I had literally never received a phone call from either of these area codes, and that within a day of talking with someone in that area code I started getting robocalls.
Has anyone else experienced this? How would robocallers get this information — interception, buying it from my cell phone company, or something else?
Even if they're just buying a list of area codes I've talked to, this seems completely inappropriate. And if they're getting the actual numbers, that's even worse.
82 comments
[ 4.8 ms ] story [ 138 ms ] threadI get a number of local code spam calls, but have seen an increase in state code calls.
Are the area codes you're seeing local to you, or distant? Or, what's the likelihood that someone in your region would be calling the same area codes?
I previously received robocalls from my local area code, and random ones from around the country. But not from these area codes.
I know people like to pick on them because they do seem to turn a blind eye to all but the most egregious spammers, but Twilio is only the source of a lot of spam calls because they are a large carrier in their own right. It's like all of the people moaning about Californians being the most common place of origin for people moving to their area; that's true, because California has the most number of people.
Have you opted out of CPNI resale in your cellular carrier’s preferences system?
I really _really_ wish I could flag an incoming call to my telecom provider and get paid money for it charged to the caller. Then let the telecom provider prove that it was or wasn't malicious.
If you don't mind sharing, which provider are you using? And, if it is Verizon, have you opted out of data sharing?
I recently switched from using regular AT&T cell plan to a VoIP provider and a T-Mobile hotspot. After transferring my number to the VoIP provider, I've gone from 5-10 robocalls per day to one every few days to a week. Haven't received an SMS spam message.
I'm on Verizon
If people then put in the DTMF tones for 5309, or whatever code it might be this month, it initiates an outbound call to my actual cellphone and bridges the calls together.
In many cases I don't give out my direct cellphone number to 3rd parties, or anyone who isn't a close family member or colleague, I only give out the DID of the system with the filtering IVR on it.
I do still receive the occasional coldcall spam on my cellphone's direct number, which isn't entirely avoidable, but those are only random calls which aren't looking for me in particular. By only giving out the phone number of the filtering DID, I avoid my number being entered into many random third parties' CRM systems which are inevitably subject to data leaks, copying, data sharing with other 3rd parties, sales and marketing campaigns, etc.
If my phone number is already out in the wild (apparently), is there anything I can do at this point? Or is the only solution to get a new phone number, never give it to strangers, and only give out a virtual number with screening?
It has a SIP trunk to a wholesale voip provider, where several DIDs reside.
The incoming calls to the DIDs first hit my SIP trunking provider, which sends the incoming call signals to my voip server, which processes the call flow by starting with the IVR announcement I previously described.
It is generally the same idea as google voice with call screening but I have approached it from a DIY perspective where I want to have full admin access over everything, except at the SS7/PSTN level where the DIDs are at my SIP trunking provider. Everything related to the incoming and outgoing calls I can customize for other unique purposes.
1. setup an unconditional redirect for all calls on your cell phone to a voip.ms DID that you set up ($1/month).
This redirect functionality is baked into the gsm system:
https://www.geckobeach.com/cellular/secrets/gsmcodes.php
2. On voip.ms, setup an IVR with a recorded message. Set it up to connect extension “1-2-3-4” or whatever your code is to your softphone. You should be able to whitelist numbers to auto-forward to your soft phone.
Cool thing is you can setup voicemail through this so you receive them as email attachments. SMS still works through your cell phone. Outgoing calls still go through your cellphone.
How do income calls come in? Do I use an app instead of the phone app?
Does this introduce any additional latency into my inbound calls? I dislike Google Voice for this reason.
How hard would this be for someone to set up (assuming said person just had to google "soft phone" to understand your comment)?
Are there any security, reliability, or other risks to be aware of?
definitely there would be more latency.
2. Yes, more latency in most situations on incoming calls. Voip.ms does let you choose servers in different cities/countries, so your ISP’s routing starts to matter. It might be better or worse than Google Voice, I don’t have any experience with GV.
3. I think most people here could figure it out, but having to google “softphone” isn’t a great start :)
4. Nice thing about this whole setup is that you can turn it all off in a few keystrokes on your phone, and then your cellphone rings normally. You don’t have to worry about your phone number being lost unless you get sim-swapped. If voip.ms goes down, your incoming calls will stop until you deactivate it as above.
One positive is that you can set up your incoming calls to simultaneously ring multiple phone numbers and softphones if you wanted.
Next up is some kind of system that takes calls from places that you can never reach directly and instead call you back at bleeding-eyes-o'clock (eg doctors' offices), answers the call, and puts the caller on hold while I wake up. "Bucket of stomach fluid" can be a two way street.
My low tech solution is to never answer calls from numbers that aren't in my contacts list. Everyone else can leave a voicemail.
I think despite the obvious enumerability of phone numbers, most spam must be done off targeted lists. I've got a few SIP trunks with newly obtained numbers, and they don't really get spam.
Generally I don't answer unknown numbers since almost anyone that needs to reach me is either in my contact list, will reach me by Signal or another method, or I already know to expect a call from them. Of course this doesn't eliminate the possibility of receiving an incoming call from spoofed caller ID that is a perfect 1:1 match with an existing entry in my address book, but that's quite rare.
I can only avoid the ones that are the result of some 3rd party that has an entry for me as firstname,lastname,phonenumber in some CRM system for marketing database. It does help a lot on the targeted calls.
Then block all numbers on your phone except your system.
Or I could use exclusively a SIP softphone (zoiper) on my android phone to connect directly to my asterisk system as an extension, and only accept calls on that, which would come from the incoming filter call flow.
The downside of that is that phone calls wouldn't work when in very marginal data coverage/rural areas, since voip-over-LTE-data relies on a fairly solid and packet loss free network connection, and the additional battery drain of maintaining a persistent sip client-to-server session on the phone all the time.
I do have several extensions set up in zoiper for other purposes but I don't keep it running all the time.
I think the minimum std for voip is around 56k so you dont need much bandwidth, but data over mobile phone networks is typically a burst of data which is the opposite of landline networks. I could use freeswitch (asterisk rival) on 2.5g quite easily, but you really are at the mercy of a cell masts traffic management software, however in the android app store there are some apps which let you override the cell mast traffic management so you can remain attached to the cell mast of your choosing when you want to. That also helps you avoid being triangulated for location purposes.
Voice to handset always had highest priority as traffic, then text and then data, but the last two may have changed priority in recent years.
I don't have a direct cell number as I just use a cheap data-only iPad plan with my iPhone only, combined with a VoIP iOS client (Bria).
I use VoIP.ms for my service. It's basically hosted Asterisk with a nice web UI on top, as well as purchasing and managing DIDs.
Related, I used this system for a condo buzzer when I lived in a building a few years ago. Set my name on the condo dialer to ring a specific DID for the condo buzzer to call, pointed towards VoIP.ms IVR, then just played DTMF 9 repeatedly to unlock the door and let them in. I triggered an SMS to send to me when this occurred so I'd know when someone was downstairs on their way up.
Massive security hole, but not exploited once the entire time (except by me a few times when I forgot my keys).
I did the push so I’d be able to track unexpected usage and there wasn’t a single one the entire time.
i'm at the point where imessage is enough for 2/3 of my contacts, but wouldn't want to preemptively freeze out the other 1/3 (and i definitely don't want to use whatsapp or whatnot).
As a result my SMS usage is very minimal and VoIP.ms works well for the occasional 2FA code (from dumb banks that both force 2FA and only do it via SMS) or delivery notification SMS. In some cases the 2FA code doesn’t get received and I need to use the number assigned to the SIM. This works but I need to track which services do this so I have a tag in 1Password, just in case I need to change the SIM or provider one day.
In the case of the top-comment I wouldn't because it confirms that I'm calling the person I want to call. I guess if you'd make that change, you will probably catch a lot of your problems.
Difference between them going "I am calling to speak to penguincoder" (having gotten the name from MY message), or going "I am calling about your cars extended warranty".
I was lazier and just abandoned the telephone system altogether.
Especially look out for free utility apps and trivial simple games... They nearly all do something shady like this.
I thought the first was a coincidence because it was intrastate. The second one was much more suspicious because of the distance and my lack of prior connection to DE.
If landline has your phone company been hacked or your security services yanking your chain?
If mobile, is your device rooted? Is you sim card hacked? Any component with a cpu may have the ability to independently use the hardware, so a sim card phoning home independent of the phone OS, it all depends on how the circuit board is designed.
Your phone is listening and it's not paranoia (2018 https://news.ycombinator.com/item?id=28973345
LTE Phone Number Catcher: A Practical Attack against Mobile Privacy https://www.hindawi.com/journals/scn/2019/7425235/
Not the link I was looking for but it will probably convey the same info which is your Decap of a Cell Phone SIM card [video] https://news.ycombinator.com/item?id=12674846
And dont forget the arm processor used for wear levelling purposes in (micro)sd cards, also another attack vector depending on how its wired.
1. Often I will end an incoming call as fast as possible if it seems like a spammer. When you do this while the first ring is happening sometimes a few seconds later you will receive a second call from the same phone number. I then end that call as fast as possible again (without answering of course). I am hoping that some of these spam phone software systems have automated processes to mark numbers that are no longer dial-able.
2. Sometimes I answer as fast as possible and then play the oldschool sounds of a dialup modem or fax machine. I have even jokingly done this just making the sounds of a dialup modem with my voice. Many times the automated system hangs up after I do this. Again I am hoping they have something built in to their automated spam system to mark numbers that are fax / modems / non-people.
3. I have also tried answering the phone and then completely covering the mic or playing some simple white noise. This does not usually seem to work and eventually someone picks up. I doubt they are marking my number in this case as it has gone to an actual human.
I haven't found it to make any difference in terms of repeat calls, so I advise everyone to waste as much of their time as possible. My favorite is "ohhh, let me get my grandma" and put the phone down.
For SMS spam, I do my best to get them taken down ASAP. Report to their host (abuse@______, root@_____, etc.), their link shortener and SSL cert provider. I've flooded a few of their links too.
1) Pay for a real spam filter from your telecom (usually free in highest tier plan). It’s remarkable hope much it catches, and I have never received a complaint in 5+ years
2) Buy a long term burner— your telecom usually sells a reasonable plan, or free if you pay for high tier coverage.
Me: same cell # for 25 years-22 too many with sprint (good spam shield when it didn’t crash) and more recently t-mobile (great spam guard and burner (named Digits)—both free upon request if you have a sufficiently expensive plan)
I'd chalk it up to an app on your phone tbh. Android is particularly susceptible to this if you have READ_CALL_LOG permission on for some apps.
I called my cell carrier and they said that even they do not have my phone records until several hours later, and besides they don't sell phone records.
When I called Apple, the senior advisor told me that maybe my Facebook app is listening to me since "that's just the way the systems are set up". I was floored that an Apple employee (a senior rep, no less) would say such a thing. She didn't indicate how the app would have permission to do this if not granted it at the OS level. Regardless, I don't even have the FB app installed.
I'm now going to swap my SIM card into a different iPhone and see if the issue persists.