Report Phone Spam – Shut down robocallers and text spammers (reportphonespam.org)
Do you receive unsolicited phone calls or SMS/text spam? I made a free public service site explaining how to find the telecom carrier that is responsible for the spammer's (real) phone number and report the abuse to them – so the carrier can terminate their service.
It works, and it feels like magic.
Background: Earlier this year, I wrote an HN comment[1] explaining how to find the telecom carrier responsible for a robocall or SMS spam campaign. Those steps aren't documented anywhere else, even though they're actually pretty easy.
This info deserved to be much more visible, so now it is: https://reportphonespam.org/
As my site says, most reputable telecom carriers don't want unsolicited messages on their network or phone numbers. In order to disconnect their abusive customers, they need to hear about the abuse. That's where you come in. In a few minutes, you can report abuse to the responsible carrier, who will investigate and often shut off the spammer's phone number(s).
338 comments
[ 5.5 ms ] story [ 344 ms ] threadThese wholesale carriers know that recipients will flag unsolicited political messages as spam (to the recipient's wireless provider), and they don't want consumer wireless providers to block or heavily rate-limit messages from their phone numbers. The political campaigns cycle through phone numbers, so their unsolicited messages can "taint" many phone numbers - which will affect other customers' campaigns. The wholesale carrier's incentives aren't perfectly aligned with your incentives, but they're not totally different.
The 10DLC cartel wants to fine instances of unsolicited text messaging up to $20,000 per instance, hence why there is a big pushback against registering with this unsanctioned, not FCC mandated organization called The Carrier Registry (TCR).
TCR has been a nightmare to work with for those that do participate in their bureaucracy. You fill out pages of forms with everything from EINs/SSNs to the owners and co-owners of the firm and exact examples of what they plan to text, then 6 months or so later the TCR says "Oh, sucks to be you, we're invalidating all current registered companies, pay $50 to register again and fill out entirely different forms!
Also, T-Mobile is tacking on a new inactivity fee of $xx a month per business if your client doesn't message a T-Mobile number every few days :D"
Keep in mind that sometimes they can skirt the rules by not using automation per se. Instead, they have a bunch of volunteers sit in a room (or online) with special apps that distribute a phone number list (often from NGPVan or the Republican equivalent, forget what it's called) between the individual devices. Then each human has to click "send" or "call". It still gets routed through their VOIP systems, but because there's a human in the loop, it's no longer fully automated... just like 90%, enough to get around the FCC rules.
It's pretty sketch. I went to one of those volunteer parties before I realized that's what they're doing.
Thankfully Google Fi does a really good job at blocking this kind of spam, texts or calls.
So, you should still report it to the sending carrier.
Background: Most larger, reputable US-based wholesale carriers have policies that are similar to the CTIA's guidelines for political campaigns: https://www.ctia.org/news/political-text-messaging-engaging-... . CTIA sets a much higher threshold, including opt-in permission.
This is a bit like the FCC's definition of email spam (a very low bar - what's legal) vs. a mainstream email service provider's terms of use (a much higher bar - what they permit you to send through them).
The TCPA lawsuit business was so lucrative for years that a lot of effort goes into producing proof that the contact is legal. Rather than stopping spam calls these laws basically guarantee spam, but legal spam.
Also carriers have pretty well cracked illegal spam through their own analytics. Some still happens, but it’s cleaned up extremely fast.
At least in my case, this isn't true. When reporting SMS spam, I've often told the carrier to ask their customer for proof that I opted in (because I didn't). None have - again, because I didn't opt in to it or anything else.
I don't know how true your assertion is among the general population, but my experience may at least be representative of other HN readers. Many of us don't randomly give out our mobile numbers.
I always ask what my name is when an unknown caller calls, and 90% of the time it’s the old dead guy.
I did not opt in, yet here I am getting a few dozen calls per week at all hours of the day.
This is really expensive to do (the RND and Do Not Call lists are very expensive to query, the FCC needs to make these cheaply available) and automation for doing these queries is not offered by most phone providers.
It’s open enrollment for Medicare, and I can also assure you that not only do I not qualify for Medicare but I have also not opted in to incessant Medicare spam.
I also never opted in for political messaging.
I also never opted in for calls regarding Camp Lejune injuries.
I also never opted in for calls about automobile accident injuries.
I also never opted in to be contacted for final expense insurance.
Shall I go on? Carriers most certainly have not “cracked” illegal spam through analytics. My carrier stops about 20-50% of the spam I receive.
The TCPA is great to cut down on the onshore businesses using illegal telemarketing to promote their business, but does nothing for the offshore scams. I’ve used TCPA in the past and helped carriers identify and sue telemarketers so I am very familiar with it.
For anyone else reading, this service is called "10 Digit Long Code" AKA 10DLC. Many business-oriented VoIP providers eventually use a vendor like Syniverse or Sinch for the outbound SMSes. Those wholesale carriers usually either strongly encourage their customers to require verification of sending numbers, or outright require it in the contract. This appears in the wholesale carriers' guidance to their customers, like https://syniverse-web.s3.amazonaws.com/10DLC-Carrier-Pricing... and https://www.sinch.com/sites/default/files/file/2023-03/Intel.... From your experience, it's clear that there are exceptions.
I used to be able to SMS enable my T-Mobile numbers offnet, but every 30 days TMobile would take this back.
10DLC is being strongly pushed by some carriers, while others are still permitting conversational traffic (for every one message that goes in, one should come back, with a 10% margin in either direction) to go over P2P rails.
With The Carrier Registry invalidating all registered organizations and campaigns every few months, triggering everyone to fill out a ton of paperwork, pay $50 or more to re-validate every business, and also the recent sudden devalidation of every sole proprietor 10DLC registration, I don't blame those who don't want to participate in this unsanctioned cartel formed by the big three wireless carriers.
Would be great if you can also include some examples for Europe.
Of couse, i would be up to do some digging if you need help.
One of the carrier lookup APIs that the site recommends, Twilio's "Line Type Intelligence" API, may support numbers in other countries. That might be a place to start: https://reportphonespam.org/#How-do-I-look-up-more-numbers
No need to note; the topic is telephone and SMS. Everyone is probably familiar with spam mail and unsubscribing from it.
Email is still manageable and less personally invasive than someone calling you or sending a message at random.
https://docs.google.com/spreadsheets/d/e/2PACX-1vSdZyRvDd0ES...
this is the log of email spam I am getting since about few years now. The sheet doesn't list any email link, but each one of that link is unique, the soam machine sends me 10x spam if I accidentally click it.
Even as of last year caller ID accuracy was bad.
Stir shaken doesn't prevent spoofing but it lets terminating carriers validate that the number is legit before sending the call to their customer.
My old team implemented stir shaken for one of the large voip carriers.
So IDK. It seems to be a problem, I just don’t have enough of a life for it to be for me.
You don't even have any submissions, yet.
As one who'd also like to see the ability to fully delete your HN account for privacy reasons I still think summarizing the alternative reasons as only aesthetics sells the counterarguments a bit short...
... but overall I'm getting myself and the whole conversation extremely off topic here. Probably best to discuss this in a thread about privacy on HN instead of one on robocallers.
OTOH it seems if you ever answer these even once you're no longer a random number to try you're immediately marked as a real person who can be tricked into answering at least some calls and will never hear the end of the endless ringing.
If you're deliberately making yourself hard to contact this way, a lot of people will just stop calling you.
If you mean for people you have relations with (friends/family/coworkers) most here gave up memorizing numbers a long time ago and none of those would show as an unknown number. This is common enough here in the US that the iPhone has a built in feature to only ring for known contacts and for unknowns only notify voicemails.
(Geo context: Poland, EU)
I would say I am pretty privacy conscious (when possible), so this may not be the average person's experience.
This strategy works fine in my experience. Most important calls I get are from people already in my address book. If I'm in a job hunting phase, I'll answer calls from numbers I don't recognize during time frames when I am expecting them (e.g. the policy is relaxed for the duration of a job hunt). But, outside of that, it's hard to imagine a call from someone I don't know that is so important I can't let it go to voicemail, but so unimportant that the caller will deign not to leave a voicemail to let me know this is really important.
Though with people of my age "cold calling" isn't all that common, typically you text the person first to make sure they are available and keen on a call. Unless it's an emergency of some sort, of course.
> Instead, report the phone number that the call instructs you to contact.
Under the above scenario most callers aren't dumb enough to leave a message, and I'd be concerned that actually engaging with anybody would increase the number of calls, at least in the short term.
If you're a staffer running the honeypot lines at the FCC, it would be fine because you can go home at the end of the day, but for a personal number I would need convincing. Would love to hear testimonials from anyone who tried this technique and their interpretation of the results.
I hung up, mad at myself for falling for it, and at them for being so ballsy. Then they texted (it came through as an iMessage so I’m assuming it’s their real number) and they said “not sure what happened but we got cut off!”
It also means that if I pick up calls from numbers originating in <current locale area codes>, it usually IS somebody I need to speak with. No hassle filter to help answer the right calls and ignore the spam.
Couldn't imagine taking the steps in this post to try and block a number that's probably already been replaced with a new one by the time it takes for anything to be done.
I have two children. Doesnt happen often, but I've received calls from my kids' school. Twice the kids got hurt on the playground and needed to be picked up. The call can from a random number from someone at the school, not the main number.
I have also received calls from pharmacies about order verification for much needed prescriptions. And received calls from doctors' offices about last minute re-scheduling.
Not answering voice calls seems like a solution that works 99% of the time and drastically fails 1%
I’d say at this point let the system fail if they don’t have email or whatsapp or something else they can use to reach you.
A small challenge is that the high-quality carrier lookup APIs charge a fee for each query. The fee is tiny (like 1/10th of a cent per number), but enough to add up.
If anyone is interesting in discussing this, my email address is in my HN profile.
I'd suggest it will depend on goals / scale - if not many are using, probably would be ignored even if bad actors were aware of it. If it started to have real effects, there'd undoubtedly be very intentional efforts to attack it. Beyond just the sporadic script kiddiez / for the lulz set ...
Edit: sorry, "app" - to potentially use the app in some malicious way ... Not sure my comment is so useful, but, I'll leave it since it's unfortunately all too easy to end up with unintended consequences. Though, I favor fighting this garbage wholesale and support any efforts to interfere with the deluge of BS / noise with modern communications tech.
I'd propose that absent specific legal processes contact occurs at the consent and discretion of the contacted. That's one of a number of principles I've been kicking around under the notion of "Communications Autonomy"[1]. There is no fundamental right to attention. As such, any communications system which doesn't provide the ability to manage contact attempts and communications is in violation of those principles, and more concretely, as the annoyance and/or risk factors outweigh advantages and benefits, people and organisations will defect from those systems in droves.
The telecoms industry has been openly expressing concern that trust in the phone network will be lost. And by "phone network" I'm speaking broadly: POTS (plain old telephone service) and PSTN (public switched telephone networks), or any universal direct-access communications system.[2] I think we're seeing that breakdown. A key problem is that there isn't any single successor system that appears ready to step in, and most of the more likely proposed systems entail substantial concerns themselves over monopoly power and abuse, surveillance (state, capitalist, or other-actor varieties), etc.
I've got a few specific suggestions which I'm planning to make in a top-level comment to this thread.
________________________________
Notes:
1. See: <https://toot.cat/@dredmorbius/108579251632091173>, <https://toot.cat/@dredmorbius/107742445268072257>, and <https://diaspora.glasswings.com/posts/622677903778013902fd00...>
2. Phone, email, SMS, social networking, postal mail, etc.
If the web didn't have HTTPS, it would be illegal to conduct sensitive business over it. Yet we're stuck with this entrenched telephone system, the best we can do is STIR/SHAKEN, and that's not real security.
Unfortunately the school's systems were down and so they weren't able to call me from the school's regular phone system. They called from random personal cell phones, so that went straight to voicemail. It wasn't until someone was literally sent to my house to bang on my door that I got notification of my child's medical emergency. They were about to administer medication that would NOT have been okay to give him, and I was lucky to be able to contact them and tell them to hold off before they did it.
Never mind reporting them to a phone provider. If something had happened to my son I swear to God I would have gone full Liam Neeson "what I do have are a very particular set of skills" on the jackass who's running that specific phone spam operation.
I mean, unless you just don't want to be in meetings. Which is okay.
It's how our brains operate, and the fact that the spam keeps on coming just reinforces it. If the call is legitimate and time sensitive, you hope they'll leave a voicemail or, better yet, follow up with a text message.
I tell people that caller-ID should be trusted as much as the return address on an envelope. Perhaps I can soon update my guidance now that STIR/SHAKEN is (apparently) near full rollout.
Yeah, I may miss these occasionally, but I see them almost immediately if they leave a voicemail — and they should, if it’s important — and then call them back, and apologize for the missed call, which they always empathize with.
I lose at most a minute or two, which is totally acceptable.
If you want me to pick up, send an sms explaining what it's about.
I rarely leave voicemails, but I will when it's urgent.
tl;dr: leave message+number, how you do so is up to you
The proper procedure is for the nurse to leave a voicemail with their school-provided contact number (either the school office or a way to dial them directly that isn't their personal number).
Once you add a “free call” entity on the other side (like Google Voice) then no one is charged to make the call.
Additionally, plenty of people “sell” their real number and there are android apps routing internet call through the victim’s real number. In this case, even if the person is charged, it’s not necessarily the spammer.
I doubt 99%+ of end users in the US have been charged for non international minutes or non international text in the last decade or even 15 years.
Source? According to this timeline[1], e-commerence with credit cards predate SSL. Therefore I'm not really convinced that there's some law against it, except for laws that were introduced after SSL was a thing.
[1] https://en.wikipedia.org/wiki/E-commerce#Timeline
I really hate this attitude that every little danger has to be regulated.
You could probably get sued for negligence if you process card details over an unencrypted connection, but that's nothing compared to the damage your business will take if the card companies decide that you're on the naughty list.
If you want a slightly more expensive but simple and reliable number on Android, I highly recommend jump.chat.
What? This is just a video chatting service like zoom...?
Why not have a system where a small amount of money is put in escrow when a call is placed? If the person who answered the call is displeased by it, they can punch in a command at the keypad after the call to claim the money.
Because phone operators make money on all those robocalls, and have so far decided they'll make more money allowing it, than trying to obstruct it.
And, I mean, what are you going to do? Change your phone operator? They're all the same. Switch to using WhatsApp/Signal/etc. for calls? Sure, but you're still paying some telco for the mobile data plan.
That's the problem: all the actors with leverage here are happily making money on the scheme; regular customers... have no leverage.
We need to stop trying to get end users to deploy ad-hoc solutions to the problem and update our phone systems to be resilient to these attacks.
I have been thinking that we should make an app to automate the reporting process.
A fun detail is that the government sells the lists of people that do not want to get contacted.
Also, lately, I have been getting many calls that are supposedly coming from the UK.
Obviously does nothing to stop the phishing calls from overseas (typically compromised) voip services that overstamp local numbers.
Additionally the register has carveouts for calls such as charities, political groups, and research calls (polling).
> Also, lately, I have been getting many calls that are supposedly coming from the UK.
Anecdotally, I have been getting the ocassional spam texts from the UK, but all from numbers registered with O2. It's pretty useless to associate any origin and come to conclusions without a large amount of data. (That and the use of CLI overstamping means that it could be from anywhere)
I commend the effort, but getting a human to answer a support hotline call in order to report a spammer number is so comically difficult and ineffective that I can't see a significant amount of people participating. Why doesn't my carrier have an automated system allowing them to communicate with the originating carrier, triggered by the "report spam" button in my telephone OS?
I just don't have sympathy though - ideally people would DoS all the telco and local government lines until the issue is fixed. It's just stupid how many years this exists without obvious solutions.
I suppose that would be like spamming the carriers. Not sure that's better, but it might make them act.
Also, the more spammers reported the less to bill for the calls. As less spam calls.
https://www.ofcom.org.uk/phones-telecoms-and-internet/advice...
(also, this works in the US too)
The problem is that it's nearly impossible to enforce this. Would be curious to know if Norway has had any better luck.
Obviously if scammers are willing to commit serious fraud that will definitely result in prison if caught, they're probably not too worried about that. Along with scams, silent calls also fall under Ofcom's jurisdiction: https://www.ofcom.org.uk/complaints/complain-about-phones-or...
Companies do occasionally get fined.
I have had a couple of calls from outside the country but I generally just don't answer unrecognized numbers from outside the countries that I have a connection with.
I called them and told them and they said “oh yeah that happens all the time don’t pick up when we call”
That’s when I realized we’ll never win. The spammers have won.
It's tough, but it's not helpful that people don't know the face of the enemy. The fight isn't with just some stereotypical "spammers". Advertisers and marketing departments are spammers, and they've destroyed phone as a medium, much like they did it to physical mail, radio, broadcast TV, cable TV, and now streaming and the Web in general. We won't make progress until we realize that most spammers are operating 100% legally, and phone networks both participate in it and make money from it.
Yeah what everyone else does is creepy af, and _should be illegal_, but that's not the facts on the ground today.
Those cracks need to be sealed, but there's enough creepy af industry lobbying that it won't happen because money.
There's money in them thar retirement villages.
Google's panopticon started this desperate grab for personal contact information (see recent discussions here on HN around Smart TVs as another one of the outgrowths of this) in it's ability to turn it into advertising profit on a previously unprecedented scale.
This is separate to telecomms companies seeming lack of ability to control or monitor what's on their networks. Which is also a regulation / enforcement problem. However, there are functions that are 'allowed' on telecomms networks to facilitate 'business' (eg. overseas companies being able to spoof local numbers so that people actually answer their calls), such that this 'feature' is then exploited by scammers - when, arguably, the whole 'feature' is a scam in the first place.
https://www.abc.net.au/news/2018-05-03/mobiles-and-landlines...
(I'm sure I read an article somewhere that described the ability to spoof local numbers as a business decision to allow overseas marketers to sell their wares locally without fear of their calls not being answered. Trying to find it. I may be mistaken.)
Edit: services such as virtual phone numbers, such as these:
https://callhippo.com/blog/country/virtual-phone-number-prov...
https://www.numeroesim.com/how-to-get-an-australian-phone-nu...
https://virtual-local-numbers.com/countries/65-australia.htm...
This is likely coming from the purely 'if it can be abused it shouldn't exist' bias, which may mean I've taken a step closer to becoming an old luddite, but it feels as if, if this is possible, then the entire infrastructure can't be trusted any more - and people consciously choosing to just not answer their phones for any unrecognised number feels like confirmation of this stance.
These guys are just doing what the ad guys are doing but it’s for fraud.
The fraud is only half of it.
Phone spam is much more harmful than ads you kinda-sorta opt into, IMO.
Cable is not full of ads that say they are from AT&T and you need to contact them about your bill at <number> but the ad isn't from AT&T and the number goes to a scam call center.
I bet if you tallied it up, there's many more people being tricked into taking on bullshit contracts with legitimate companies[0] and losing much more money in total, than there are victims of actual impersonation scams. I firmly believe both schemes are morally equivalent, and that one of them is still considered legal only means we should push firmly for a change in laws.
Even the impersonation angle isn't clear-cut. When a telco calls me with their newest scam, it's always via a third-party call centre they outsource this job to. Where I live, it's also historically has been a major source of contact and personal information for scammers - always a "disgruntled employee" leaving and "covertly" taking the customer database with them.
--
[0] - Telcos are my go-to examples here, they're notorious for borderline fraud. For example, just under a year ago, a billion-dollar telecommunications corporation named after a color, one of three major telcos in my country, tried to scam my own grandmother hard, after my grandfather passed away, and almost succeeded. More generally, after many years of near-misses and one or two mistakes, most people in my family learned to never talk to phone companies cold-calling with offers.
Most of the spam texts I get lately are from non-US numbers claiming to be USPS trying to resolve a delivery exception.
That’s impersonation.
I know they are spoofing numbers because my own numbers gets spoofed as well. Real people call me back and leave voicemails saying I’m the one who called them.
None of this is standard advertising.
When you get a call from Verizon's number, they know the actual originator of the call (or perhaps they know it up to some known-to-be-not-so-trustworthy-source). They know that the number is not Verizon's phone number.
But the phone company chooses to blindly display the spoofed caller ID. Note that T-Mobile will block their equivalent of these calls (not that T-Mobile isn't to be blamed for other things, such as sending their own spam texts).
So it is Verizon's choice to lie to you on behalf of these scammers, and the FCC allows them to do it.
Anyone outside my contact list can leave a voicemail.
Setup honey pot number. Route all phone numbers to be answered by ChatGPT. Use ChatGPT to extract phone number. Use twilio api to lookup phone number. Route report to appropriate carrier(s)
hilarious to assume that would exist, it is very manual. if any carrier attempted to automate it, it would be used offensively for fraud as well
I tried the method spelled out here for my latest batch of "Your USPS package has arrived" texts, but the phone numbers (example: +63 936 631 6676) just give an "invalid number" response. Not unexpected.
Every official channel seems to be failing us on this one. Spam calls still exist, spam texts still exist, and even fake government websites still exist. I don't understand why a .com site like https ://usps.com-helpnk.com/ is still up.
there's some impressive anti-scammer youtube content, and it seems to be a growing trend, maybe this is just capitalism doing what it does best? advertisers putting money in front of combative interventions.
https://www.youtube.com/watch?v=dWzz3NeDz3E
https://www.youtube.com/watch?v=jUHFpfVPUYc
Is it conceivable that they don't have control of who is using their network, and how they're using it?
It's not like they've just landed on the planet with this big telecoms network to manage. They created them, they set the rules, they own the gates.
It's purely profit driven, no question.
In the exact same way that Google and Meta claim to not be able to police advertising on their own fucking networks.
Features are being added, which enable phone number spoofing and other shenanigans, at some point deep in the network, such that common carriers, at the tips of the network, have no control over.
Thus creating a scammers/spammers paradise.
I'm not so sure about this. No one (except for, obviously, spammers) benefits from email spam, every mailhost and network admin is most certainly interested in stopping it (to some extent), and yet my mailbox can prove that spam is still very much alive.
Solving spam problems in a highly distributed large federation of networks is not simple.
However, I think there are less telecoms than LIRs and mail systems out there, and they typically have better control over who their clients are (less hacking, though I could be wrong), and there's not enough pressure on them (spammy mailhost's gonna get banned by every RDNSBL real quick, telcos - I don't know, but I guess not so much?), so I can certainly agree that telecoms have issues with their incentives. I could be wrong about this, though - I don't really know much about the telephone industry.
They should threaten to drop outgoing calls too. That’d eliminate all the useless offshore call centers.
You can't exactly just climb up a telephone pole and tap off a few phone numbers for yourself. You have to explicitly enter into a contract with a service provider to use their infrastructure.
Spammers and scammers are wasting infrastructure resources that the telcos could be allocating to users. The telco can just cut your access off if you abuse it.
If I spin up an email server, no one entity can stop me sending email to anyone else. Gmail or Outlook or other services can block me individually, but there is no centralized network and no central authority that can refuse my connection. [0]
I suspect that telcos don't want to do anything about abuse because it's a very large fraction of their total traffic. The artificially higher utilization of the network gives them more justification for their prices or gives them some sort of good boy points for having x number of users. I don't really know how any of that works, just a wild guess.
[0] There are centralized blacklists and other ways to communicate that a sender should be widely blocked, but that's not the same as a telco refusing to physically connect you
Sounds like you’ve never used Twilio before - or any other API-based SMS system
They can easily disable your account should you break the TOS (or for any reason really)
Not quite the same as hosting an email server somewhere
Your ISP/host can refuse service (assuming somebody convinces them to take that step). That doesn't mean you can't find another, but they are your connection to the Internet.
Exactly. And proper providers make legitimate users jump through so many hoops. E.g. with Twilio I can't even send text messages to US long codes (regular numbers) anymore without assigning "campaigns" and giving sample text messages... All I wanted is that my users can pick a phone number and use SMS as an interface to send commands and queries. They (US government and Twilio) don't even let me do that in order to "fight spam".
> I suspect that telcos don't want to do anything about abuse because it's a very large fraction of their total traffic.
Same here. They keep adding process and restrictions on legitimate users to prove that they're working on it, but I don't think they really want to.
Sure, there are probably fishy international service providers that house legitimate AND spam traffic and are hard to block. But phone networks are much more centralized than email and should have better abilities to fight spam if they really wanted to (but instead keep profiting from it)
Sorry, but I disagree. You can't just open a utility cabinet and establish TCP connections with random mail servers either. You have to explicitly enter a contract with a service provider to connect to Internet too.
And every mail system out there uses a bunch of precautions, like SPF, DMARC and of course it refers to some DNSBLs. I just cannot imagine any operational Internet-facing general-purpose SMTP system that doesn't.
Most ISPs out there outright filter out any tcp/25 traffic for their customers, residental or hosted. Typically (in case of server hosting) or less typically (in case of residental network access) this block can be lifted by going through some sort of pinky-swear "won't spam" KYC, but if you abuse it, you'll get booted off the platform real fast. And if it's too weak, the provider will very soon find themselves and their customers unable to send anything.
Because if a LIR doesn't respond to spam reports from their system, RDNSBL bans will very rapidly grow from just a single IP to progressively larger and larger subnet and then the whole AS. And getting out of a DNSBL isn't exactly fun. So network operators really hate email spam - it brings them nothing but headaches.
And that's why virtually all spam today comes from infected or hacked machines, and not some malicious people running a spam server.
I don't know where telephony spam comes from - as I've said I don't have much experience with this side of telecom, but I wouldn't be surprised if a vast majority of it would be from hacked/unsecured VoIP systems. I believe unscrupulous phone companies may be able to pull something, selling access to spammers, but that's probably once-or-twice-in-lifetime thing, because they won't be able to BS that they were hacked or something after a few incidents. (I highly doubt phone companies don't have a culture of blocking abusive peers. Internet operators surely do.)
Sure, my provider could ban me if they cared enough, but it's pretty much trivial to set up a new one.
And as you said, some of the email spammers use botnets. Which is yet another order of magnitude removed from the hassle of getting a telco to hook you up on the sort of scale we're talking about.
And sure, we have all sorts of institutional protections and blacklists to prevent spam, and yet we all still get flooded with spam. The only effective way out so far has been server-side spam filtering, which cannot be implemented in the phone network as long as caller ID spoofing is still allowed.
Call and text spam come through the same channels as any legitimate business. These people have the same kinds of commercial contracts as any business, and as far as the telco is concerned, their traffic is completely normal and legitimate.
That's the problem we're discussing: the telcos are not enforcing the anti-spam laws. They seem perfectly content to let these bad actors operate on their network. There is no subterfuge, no hacking, no foul play of any kind to get their traffic onto the network. The telcos simply let it happen.
The telcos also explicitly allow anyone to spoof caller ID so that the receiving customer can never know the true number they're being called from. The customer can never block the spammer because they just generate a new number each time.
Email spam and phone spam are not the same problem at all. Not even close. Email spam is simply people abusing the technology in spite of everyone's best-effort attempts to stop it.
Phone spam is institutionalized. The telcos have made a deliberate decision to allow this, and not offer any way for customers to protect themselves. Again, despite laws existing which should force them to stop the abusive traffic.
I agree and disagree with this statement:
1. The distributed system can't solve the spam problem, because it's not a technical problem.
2. The population can immediately solve the spam problem by responding in the affirmative to every single request they get.
What makes spam profitable is the quality of the responses - right now only the marks respond, so every response is valuable to the spammer as it is a lead that will almost certainly result in money.
If the spammer sends out 3m SMS/robocall messages, and gets 5 responses, those responses are worth actual money!
OTOH, if the spammer sent out 3m SMS/robocall messages, and got 3m responses (of which only 5 are worth money), then the spam would quickly stop.
IOW, by self-selecting into one of two groups (will give you money/won't give you money) we are making spam profitable.
This is the only way to stop spam of any kind - poison the database.
It involves never blocking any SMS/robocall: for SMS always reply in the affirmative (i.e. you want an agent to phone you), for robocalls, keep the call active for as long as you can, and reply in the affirmative for future contact.
You do that, knowing full-well that you aren't going to be buying anything.
If even half the population did that, spam SMS and robocalls would become too expensive to do anymore.
- How do you feel about the telcoms reading/filtering your texts?
- Where do you feel these controls would be most appropriately applied? Sender or recipient or both?
- How would you define SMS spam for filtering? Should the messages be manually reviewed or automatically filtered based on volume/content?
- Should recipient telcoms filter potentially malicious or spammy voice calls?
Eg: https://www.reddit.com/r/tmobile/comments/17aqv1z/tmobile_li...
Some of the companies are quite spammy. It’s frustrating as blocking the number risks blocking real ‘you have an appointment at xxx’ type messages.
They care, but in the way most people care about not being fat. They still can’t make the necessary lifestyle changes to do anything about it even if it is their most ardent wish.
Because it's a political problem, not an engineering or business problem.
In order to prevent monopolies, we have very strict requirements about carrying all calls that enter the network. Otherwise, phone companies would randomly block each other as part of anti-competitive tactics to push each other out of business.
The telephone spammers take advantage of these laws, because it is very difficult to legally block a spam call. Your phone provider must carry all phone calls without any prejudice!
(So I'm about to get very close to the line about hacker news's "no politics" guideline. Please consider that spammers "hack the law" and "hack politics" before you flag me. Instead, I would appreciate it if you take a minute or two to fact check my opinion disguised as fact.)
The primary way out of this is by a legal change, not by an engineering change or culture change: We must update our laws so that it is very difficult to make and carry spam calls on the telephone network.
I personally believe that one way to do this is to require that all phone calls provide rich metadata to the phone that is ringing. I really should know who is calling me, and the phone company that originates that call should be responsible for verifying it. I would even consider a requirement that makes it trivial, or automatic, to "lift the corporate veil" on who owns the company that is calling me. Otherwise there should be strict penalties for a phone network that allows originating calls with phony or spoofed metadata.
(I also don't think anyone has a right to make a 100% anonymous phone call. I think we can figure out how to allow people who need to make anonymous phone calls to make them, without exposing the entire phone network to SPAM.)
Ultimately, every phone call that enters the phone network needs to have a strict and auditable chain of liability.
In reality, if our laws included a requirement for strict metadata, and then a requirement to make an "abusive phone call" button really obvious, we could figure this out pretty quickly: at this point it becomes a simple reputation system.
Finally, we need laws that prohibit co-opting the phone network for marketing. We may want to start with prohibiting unsolicited commercial and political calls. We need to make sure that there are no loopholes, where the company you bought something from 2 years ago is still free to call you as if you have an ongoing relationship. We need to recognize that pulling out one's phone and looking at who is calling is really a significant burden to us, and that our government should protect us from companies and politicians who think that they have the right to interrupt our day at any moment to listen to a sales pitch.
If you really care and want to put time into this, advocate politically. (And remember that hacker news is not supposed to be political.) Don't waste your time reading instructions about how to report spam.
Notably they can't use autodialers without having prior consent from you.
Where political comments are problematic is generally where they run up against other guidelines, notably:
Eschew flamebait. Avoid generic tangents. Omit internet tropes.
The other red line is accounts that principally push political viewpoints.
A fair bit of political discussion tends toward each of these. Avoid those rails, however, and you're good.
Dang's posted often on what does and doesn't work with political discussion, see: <https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...>
I'd specifically point at: <https://news.ycombinator.com/item?id=34481375>
Where a problem, such as robocalls / spam phone calls, really is fundamentally one of politics and policy, discussing those political and policy elements is entirely appropriate.
They care, but not enough to spend what is required to address it.
I’ve never really had any issues at all with SMS spam in the UK and Europe - but I’m currently in Thailand where it’s awful! When you buy a new SIM card at the airport, the spamming starts within an hour or so. I count 18 sent yesterday alone, once every hour or so during the day.
I believe it is actually the carrier (true.th) sending them as they all follow a similar format and seem to arrive with a somewhat predictable regularity.
They even have an automated number (*137) you can call and supposedly turn off spam, but it doesn’t work: “System will cancel spam SMS within 24 hour. Thank you for using!”. Yeah right.
Only solution on iOS seems to be to disable notifications for SMS from unknown senders in System Settings. Then, at least, they only annoy you when you actually look at the messages app.
Try reporting it directly to the US Postal Inspector. From: https://www.uspis.gov/news/scam-article/smishing-package-tra...
> Have you received unsolicited mobile text messages with an unfamiliar or strange web link that indicates a USPS delivery requires a response from you? If you never signed up for a USPS tracking request for a specific package, then don’t click the link! This type of text message is a scam called smishing.
> To report USPS related smishing, send an email to spam@uspis.gov.
> Without clicking on the web link, copy the body of the suspicious text message and paste into a new email.*
> Provide your name in the email, and also attach a screenshot of the text message showing the phone number of the sender and the date sent.*
> Include any relevant details in your email, for example: if you clicked the link, if you lost money, if you provided any personal information, or if you experienced any impacts to your credit or person.
> The Postal Inspection Service will contact you if more information is needed.
> Forward the smishing/text message to 7726 (this will assist with reporting the scam phone number).
It’s unlikely to work for phone numbers outside the US. Sorry :( For typical 10-digit US numbers, the carrier search sites work well, as does Twilio’s carrier lookup API.
I read the rest of the FAQ, signed up for Twilio, and their API worked to identify the number.
In the US, the calls and texts are a plague. If you've had a phone number for a few years you're probably getting multiple texts and calls a day, even if you are on the Do Not Call registry, from advertisers of every type and scammers alike. Lots of people have apps for blocking spam and they still get through.
In the Netherlands I'm also on a do not call registry, and I get nearly zero spam calls or texts. There is the occasional scammer SMS, and I get a spam call maybe once every 2-3 months, usually for nonprofit fundraising.
In developing countries you're spammed by both the telco and third party advertisers within minutes of activating a prepaid SIM card. The telco is almost certainly delivering the advertisements.
My guess is that the penalties and enforcement behind violating do-not-call registry in the Netherlands (EU?) are just much stronger than in the US. It still does not explain the lack of low-quality spam / scam messages from people who are unlikely to be dissuaded by regulation.
The only thing I can think of is that there is better authentication for accessing the Dutch telephone network (and better incentives for the telcos) which allow the providers to prevent or shut down spam numbers quickly.
The latter would imply that spammers are 'wardialing' phone numbers but that seems really unlikely to me as it would be incredibly easy for telcos to detect and prevent.
As far as oversimplifying political hypotheses go, this is a stupid one. Multinational corporations have fragmented power structures. They're broadly owned, publicly audited and subject to coups through market-based means.
If you want a secret cabal, America's emerging aristocracy is at least concentrated, opaque and difficult to dislodge.
Unfortunately most of the culprits nowadays are overseas scammers, in which case it’s no help. I would agree in that case- the only way to stop these folks is through the carriers themselves and they don’t seem too keen on doing anything.
Yes, it takes time and skill, but then again, between the TCPA and state statutes you could potentially recover close to $6000 per call. Now when you negotiate a settlement you may not actually see that much, but you are definitely getting the attention of the offenders, and just the process of responding to your complaint (lawyer time) will take another few thousand dollars out of the pockets of these cretin.
It's just a pity that we all need to pay these companies for one fairly crucial thing, but it enables these undesirable things.
It's somewhat surprising that the rules or enforcement are so lax, given that everyone, including politicians, have elderly relatives that are susceptible to this BS. (but then, maybe the politicians ARE the elderly relatives, and therefore they don't see the problem).
They never reveal a phone number and Caller ID is spoofed.