Hacker News new | past | comments | ask | show | jobs | submit login
FCC closes telemarketing loophole used by scammers (consumeraffairs.com)
148 points by cloud_thrasher 70 days ago | hide | past | web | favorite | 118 comments

This is nice and perhaps actually useful for going after international organized criminals...but still doesn't prevent anything. We need actual authentication for Caller ID. Urgently.

Fake voices are already being used to steal millions (https://www.bbc.com/news/technology-48908736). I co-authored the paper linked here, which goes into some detail about why this all matters, particularly for voice cloning... https://medium.com/@aviv/reducing-malicious-use-of-synthetic...

Hm, I almost feel like it's the spam problem all over again where the appropriate fixes involve tradeoffs that many (not me though) find unacceptable, and we need to adapt the famous spam solution forum letter:


(I just came up with a version for robocalls but I don't want to post it here because it's a giant wall of text that I don't think pays for itself in terms of contribution to the discussion.)

Pastebin it.

It’s about time. Now if the FCC would get off it’s chair and implement a technical solution to mandate Caller verification...

It’s incredible in a world were we’re all being forced to move to RealIDs so our every move can be tracked, that criminals can continue to scam the elderly and disabled anonymously by phone.

We just need a way to hold carriers accountable. Once they start having to pay fines for unsolicited calls on their network, they find ways to fix the caller id issue pretty quickly.

I would argue that the legality of this doesn't matter; there's a huge technical problem in that there's no authenticity guarantees at all when it comes to caller ID and the entire feature is badly designed and has always been open to abuse.

SHAKEN/STIR is the (technical) answer to this, though I'll be interested to see to what extent it's adopted.

> I would argue that the legality of this doesn't matter; there's a huge technical problem in that there's no authenticity guarantees at all when it comes to caller ID and the entire feature is badly designed and has always been open to abuse.

There is, at least for foreign calls: assuming US provider A gets an incoming call from the country B's operator C, then A has to verify if the phone number supplied by C is in the country phone number range of country B. If there's a mis-match, deny the connection.

It's not that easy. You can get a call from X with a prefix from B and it's just how routing sometimes works. In the same way an internet connection from Germany to the UK may actually arrive from an interconnect in Amsterdam. But it doesn't matter. What matters is the responsibility of each party to point out who sent the call to them.

(And that's not even mentioning the issue of how you'd map providers to prefixes. It's somewhere between non-trivial and impossible in practice.)

It should really be more like how the internet works with IP addresses.

Its easy to send an IP packet with a source address that is whatever you want, but if you do that the receiver is going to reply to someone else and you won't be able to establish two way communication.

Ideally the ISP does basic ingress policing and doesn't accept packets from source addresses outside its range.

Yes, I know most ISPs don't do this. But they could if they wanted to.

It seems that phone companies won't do anything about it. Nor the FCC

There's a bunch of solutions. I received 19 spam calls spoofing cell numbers. That's a felony

I suggest everyone that get an illeagl robo call to call your rep Everytime. Ask them to block India entirely. The problem would be solved very quickly. Or block all calls from Florida and Texas. The nuclear option

The basic one is just waste their time. Ask a lot of questions. And then tell them you were doing that

I started doing that once. After 2 or 3 of those time wasting calls, I got one that the person said "Thank you for playing <my phone number>, you will continue to receive calls" and they hung up.

IOW: They have so many resources available, and it is so cheap for them to make the calls, that even after they knew I was going to waste their time, they continued the calls.

This was after I had tried their options for "press 1 to be removed" and talking to someone and saying "please remove me from your list".

The thing they may not have been anticipating: I had 3 numbers forwarding to my cell phone. Up until this call I didn't know which of them was on their list. I cancelled that phone number, and the calls dropped to almost 0.

and talking to someone and saying "please remove me from your list".

This could very well be an urban legend, and I know that most telemarketers are untrustworthy anyway, but I've heard somewhere that you actually have to explicitly say "put me on your do-not-call list" because the phrase "remove me from your list" allows them to interpret it a request to remove you from the do-not-call list.

Like I said, probably an urban legend.

It's one of those technical things that makes sense when it's said, but doesn't really hold any merit. Here is what the law requires.

> If a person or entity making a call for telemarketing purposes (or on whose behalf such a call is made) receives a request from a residential telephone subscriber not to receive calls from that person or entity...

This is from 47 C.F.R. § 64.1200(d). If someone says "please remove me from your list," I believe any reasonable individual should understand that as a request to stop calling.

If they get a request to stop calling, a telemarketer must immediately record the number to the company's do-not-call list and comply with the subscriber's request in a reasonable period of time not exceeding 30 days, and the telemarketer must honor the request for 5 years.

If you want to get technical about it, it doesn't even say the request must be made on a phone call. Presumably, one could make a written request. Perhaps someone could even offer as a public service a way to preemptively send copies of form letters to the addresses of known telemarketers requesting no calls. Someone like the postal service.

Don't bother asking to be removed. Give them bullshit info and waste their time.

Considering they are committing a felony by simply making the phone call. It's a felony to spoof phone numbers. Everyone from the top down should be facing 20 years

I've taken to pressing one and just shouting at max volume "LAAAAAAAAAAAAA" into the phone until they disconnect. Seems to work; they tend to taper off fairly rapidly.

No one wants the hearing damage, I suspect.

I do the same thing for Mandarin calls.

I need a Mandarin sound board to keep them on the line since I don’t know any more than “Nihao”.

Hah, Google already showed off their "book a hair appointment and have a human-sounding robot call the salon for you", what the callees need is a robot that either try to figure out if it's the real IRS calling (although, wait, the IRS sends letters) or an Indian scammer. If it's the latter, then run the "tie them up unnecessarily" script.

Until the scammers figure this out and respond with their own bot. Then, just like Twitter, it'll be bots spamming each other..

Half of this exists: in Android you hit "Screen Call" and the google bot picks up for you. It says something like "this user is screening your call, please state your name and the reason you're calling" and their response gets transcribed live onto your screen. From there you can either pick up the call or hang up + spam mark it.

It's honestly pretty great, I use it all the time.

It is really great and I use it 50 percent of the time. But I fuck with them the other 50 percent. The more I waste their time the less money they make. Ive started calling my reps Everytime I get a call. I am reporting multiple crines

This is supposed to be a forum for civil discourse. As someone who lives in Texas but has friends and family all over the country, I don't find banning all my calls from crossing state lines to be a very civil suggestion. How about all the calls that spoof Illinois numbers that call my Illinois-numbered cell phone? How is keeping me from calling my mother going to stop that?

Fuck your ban.

Easily. It's the nuclear option. The state of Texas will make arrests for the illegal Industry they allow. It will force action. One day later you can call your mother

And please don't give me a lecture about civil discourse. I clearly stated my opinion

If I am banned. Fuck my ban as you clearly stated

The reason people are reacting badly to this is that your suggestion amounts to collective punishment, which is widely recognized as a human rights concern. Your suggestion is uncivilized. We've got a right to critique it. If you feel "lectured," that's your problem.

You clearly stated your opinion that people in Texas should not be allowed to call people in other states. That's what you clearly stated.

Yes I did. What point we're you attempting to make.

My point is why are you trying to punish 25 million Texans and 18 million Floridians for a bunch of people in India using VOIP to make calls appear as if they're from all over the US? How is that effective or ethical?

Wouldn't it make more sense to punish the phone companies letting them do this? Is this just prejudicial hatred on your part against a couple of states you don't like for some reason?

The solution doesn't have to be at the phone network level either.

It would be easy enough for a regulator to simply fine any company whose products are advertised or sold through telemarketing.

Make it the companies problem that some of their marketing contractors or affiliate schemes lead to illegal calling.

How would that work? Specifically:

- which regulator has the power to fine a company when it didn't do anything wrong?

- how would you prevent abuse, e.g. if I want to destroy your small business, I can just spend a few thousand dollars on a robocall campaign selling your products (not even claiming to be you)

How would that work for you? You would end up in prison.

The solution proposed (fine the product manufacturer) is a response to the difficulty of identifying those behind robocalling/telemarketing.

That same difficulty would arise when trying to identify those abusing the process in the way I described.

There is no difficulty in detection

There is a lack of will

If there is no difficulty in detection, then there is no need to go after a proxy (the product manufacturers) instead of the perpetrators (the telemarketing companies).

Everyone knowingly involved should go to prison. I thought I made that clear

> It would be easy enough for a regulator to simply fine any company whose products are advertised or sold through telemarketing

Small fines, for the issuer of the number used to make calls reported by more than N consumers, should do the trick. Small to accommodate false positives. Fine to create an incentive to vet before issuing numbers. Number issuers because they’re less numerous and clearly in the FCC’s jurisdiction.

If one wanted larger fines, N could be lowered but only count complaints with a recording of the call and proof it came from that number (e.g. a telephone bill). Harder to make a complaint, but also harder to turn the mechanism into a home for general grievances.

In business telephony, issued numbers have nothing to do with outbound transit. You just have a bundle of circuits/capacity that signal source and destination numbers on a per call basis, inbound and outbound. There’s no requirement that the caller ID you send is one of the numbers routed to your trunk by that provider. A branch office could accept calls only through an extension on the enterprise VoIP network, while still placing outbound calls on a local provider and sending the main headquarters number as caller ID.

I believe this discussion referral to a theoretical world after STIR/SHAKEN has been implemented globally

How would this curb the scam calls that aren't interested in selling you a product?

You know those people who say they're with Microsoft and they want to use RDP to troubleshoot your Windows installation proactively? They're not actually affiliated with Microsoft, as shocking as that may sound. Neither are the 0% credit card folks who call repeatedly from "Visamastercard" affiliated with any bank or credit card company.

Telemarket your competition.

It would also be easy enough for the organization to budget for fines or to have numerous front/shell organizations which get started, do the calls and take the money, and then don't exist when the regulators come around. We need jail time for the executives.

Forget fines. Everyone in the company needs to be charged with felonies under Rico

Spoofing numbers could be considered a criminal organization

Take down every single person

That's a little excessive. The janitor was told that they were a legitimate marketing org, and it's completely unreasonable to expect them to investigate enough to find otherwise.

No I stand by that statement. You knew you were in a scammer company.

Actions need to have consequences. But they currently have none

Presumably, you work for a company that sells stuff. How familiar are you with your sales department and everything they do? Are you willing to go to jail if you're wrong?

I'm very familiar with their sales tactics and they are legal. They don't commit felonies on every single call. If I knowingly found out they were commiting crimes and did nothing I am guilty.

>Take down every single person

Management/c-suite? Sure. Your typical telemarketer working at minimum wage? No.

> Your typical telemarketer working at minimum wage?

If they're claiming to be the IRS so they can scam you out of iTunes gift cards, why not? They know what they're a part of.

Yes absolutely everyone. Everyone that is on the phone. They get 10 years. They absolutely know what they are doing is illegal. Fuck those people.

Stop distributibg enforcement, it creates unnecessary redundancy. Enforcement should be concentrated.

It's not a real answer though. Imagine everybody adopted it (pretend everyone is using sip/VoIP). The only thing that would change is you'd get same amount of calls from the actual numbers - what are you going to do about it then?

If the callers (who LE can get to already with enough questions) are safe now, they'd be safe after the change. Sure, the hn crowd will easily set up appropriate filtering, but we were never a viable target to begin with, so that's actually helping the spam calls reach better targets quicker.

It would maybe reduce the number of scam calls though. Spam, not do much.

Sure, it would help. If the caller ID number was related to the true owner, phone companies would stop the scammers and citizens could log spam calls then sue the owners. The law allows you to collect cash penalties from anyone spam calling.

Good luck suing a call center in Bangalore when you live in the U.S.

Suing is for spamming. Spamming is an unsolicited legitimate marketing call. Most of those calls originate in the US or are selling the products of US companies who hired them.

If appropriate laws existed, you could still put pressure on them. Something like "if your international partner sends more than X spam calls, you're responsible for them". The telco would have a choice of getting fined or dropping the interconnect / filtering that source. On the other side, the telco in Bangalore doesn't want to lose the ability to handle calls to the US, so starts monitoring itself.

International phone companies could be required to put up a bond that citizens could sue against.

If I could block all calls from Bangalore, that would be good enough for me.

Telco billing records are very detailed. They can identify the call from the time it reached you and know who initiated it (their customer or some specific other telco). The fact you see the originating number is irrelevant to the telco and shouldn't matter for any applicable law.

To sue someone, the court would still need to ask the telco about the owner of the number. Right now they would need to ask for the initiator of a call to XYZ at 12:34. Seeing the number doesn't change anything.

This is not completely true. Especially in VoIP, there are usually 1-5 layers of FCC-licensed phone companies involved in the call. The CLEC (Bandwidth, Level 3, AT&T, Comcast, et al) sell their numbers to Class 3 ITSPs like Flowroute, SIP.US, VOIP.ms, SIPSTATION, Twilio, etc, and then frequently that service is once again sold to another vendor that might have an actual end-user using the service. Just because one company's switch says "where the call came from" does not mean anything related to the actual calling party.

You're completely right. I didn't mean it's going to be a single step. If the answer is: it came from another telco X, you ask them. And repeat.

Getting those records would likely require a lawyer and that would require a lot of spam calls. I'm talking about suing in small claims court which would be more likely for most people. Having a true caller ID would put a critical document directly in the citizens hands.

> It would maybe reduce the number of scam calls though

Sounds great, lets do that.

This is akin to the BCP 38[1] problem with ISPs. I suspect few SIP-based telcos do validation of originating numbers today.

STIR/SHAKEN has the potential to help here, but there are still shortcomings, e.g. when originating calls with source numbers obtained from other carriers[2].

1. https://tools.ietf.org/html/bcp38

2. https://support.bandwidth.com/hc/en-us/articles/360025664313...

They haven’t fixed it. They just made what scammers do illegal for one more reason. Unless they make telecommunication operators liable, this will remain a problem.

Yep. Solution is recursive fines. Spam calls from network provider? Issue a warning. Keep it up? The fines start and don't stop coming in until the calls stop. They ignore the fines and are outside your jurisdiction? Warn every company they transit through. They don't block them? The fines start. Rinse, repeat, until you find someone who you can effectively fine or who cares about the warnings (because you can effectively fine them) and they either bring down the banhammer (which those other entities will care about, even if they don't care about the fines) or they find a technical solution.

These calls are largely preying on the elderly. They're despicable and it's disgusting it's taken us so long to stop them—there's no excuse, it's not like human beings don't control every part of what's happening, this isn't some force of nature. Nuke them from orbit.

My mother-in-law has alzheimers and is in a care facility, but she really values the independence of having a phone, say to call family.

In the past she'd been scammed by the "your grandson is in jail" scam and the bank stopped her.

One day she was really worked up because she was sure someone was going to come to her facility at 4pm and demand their money from her, and it was all tangled into my family needing money or something. Luckily she has no direct access to funds anymore.

Enough was enough. I found a product that I could put on her phone line that lets me white list her calls. It also suppresses the first ring because with Alzheimers, the last thing you need is the phone ringing once constantly.

It isn't perfect -- it has to be configured over bluetooth and only from a cell phone. I'd prefer a device that lets me do this remotely over the web, but this is what we're using for now:


For ourselves, I have a linux box running ncid. I just wish I could find a first ring suppressor that works on POTS. The FRS22100 I tried resulted in a fast busy for any caller -- didn't conform to whatever the central office required.

I get a ton of calls offering to lower my interest rate. Im surprised that the card issuing companies mentioned by name in the call- visa, MasterCard, etc. don’t take the same tactic that Microsoft used to take down botnets. Microsoft used trademark law to sue the botnet operators and have their domain names seized. Why can’t the same happen here with any US based voip operator they may be using?

Here's a minor technical correction about payments lingo. Visa and Mastercard aren't issuers.

Payments are kind of a world of their own, but basically there are 5 parties involved in a credit card purchase:

1. The party that receives the payment. For example, a retailer like Amazon or Target. In payments lingo: "merchant".

2. The merchant's bank. This is where funds are going to end up. In payments lingo: "acquiring bank" or "acquirer" (because they're acquiring funds I guess).

3. The customer's bank. This is where funds are going to come from. Usually on credit. For example, Citi, Capital One, Chase, HSBC, Bank of America. In payments lingo: "issuing bank" or "issuer" (because the customer has an account with them and they issue the actual card).

4. The customer, the person who makes the purchase. This person's name is printed on the credit card. In payments lingo: "cardholder".

5. A payments network. These arrange payments (including operating computer networks as well as defining rules and policies) and facilitate the purchase. For example, Visa, Mastercard, American Express. In payments lingo: "credit card association".

Back to something vaguely relevant, one way you can instantly detect these scams is that they always seem to claim they're from Visa or Mastercard, then try to talk about lowering your interest rate. Your interest rate is between you (the customer) and your issuing bank (Citi, Capital One, etc.), not between you and the card association. Visa or Mastercard doesn't care about your interest rate. The scammers are not even claiming to be from the right type of organization!

I assume they do this because they get a higher hit rate. If they claimed to be from, say, Chase, then lots of people would think "I don't have an account with them" and hang up. If they say Visa or Mastercard, odds are good that you'll think "yes, I have one of those".

There is another entity involved also, the card processor:


These scammers don't have anything like domain names that can be easily targeted in the same fashion.

A scammer using a domain may be able to conceal their identity, but they can't hide the domain name itself.

Is it currently feasible for carriers to block these calls? Like, it should be easy enough to check if the call originated internationally but the area code is domestic. This regulation would appear to compell carriers to act on that.

Apparently, this will break a lot of (cough) features (cough) that no one uses, like call forwarding. I also wonder if this will break VOIP systems that small businesses use?

The reality is that no one should care. The telephone system is broken when most of the calls we get are fraudulent. I want my phone to be useful; I don't care if fixing it breaks some phone system set up by a sketchy IT wannabe.

I am glad that you "don't care" about breaking a few million phone systems across the world. Every single IT manager, however, does care. If you start having carriers wholesale-blocking calls based on their lack of STIR/SHAKEN's verifications, then you will completely disable the vast majority of IP- and POTS-based phone systems in the country, many of which were purchased/installed in the early-2000's.

You can have the "I don't care" attitude when you have one telephone number in your life. You have to care when you have a couple hundred thousand telephone numbers in your life, like I do, working for a Class 3 ITSP.

I have to side with the GP here. The options are completely losing the telephone system because nobody trusts anything coming from it anymore, or having those pre-2000 systems upgraded. It's a no-brainier.

Yet, we seem to be committed into destroying the entire system.

It's really amazing how little trust people have in the telephone system now.

At least on personal devices/lines, everyone I've talked about it with now refuses to pick up any call from a number they don't recognize, which is really the only option when 2/3 of the calls you get daily are spam. Most just assume that if it's important, the caller will leave a message.

> everyone I've talked about it with now refuses to pick up any call from a number they don't recognize

This is true, and also burned me last weekend. My dog set off my alarm system and the phone identified ADT as "potential spam" so I didn't answer it. The police showed up at my house. Fixed by adding ADT to my contacts, but the distrust is real.

everyone I've talked about it with now refuses to pick up any call from a number they don't recognize

I wish this was the case where I work. My boss answers every single call that comes in to her cell phone. Sometimes 15 a day. Then everyone in the office has to listen as she tries to interrupt the sales pitch and tell them "take me off your mailing (!) list."

And she's a millennial. I thought millennials didn't use voice.

> If you start having carriers wholesale-blocking calls based on their lack of STIR/SHAKEN's verifications, then you will completely disable the vast majority of IP- and POTS-based phone systems in the country, many of which were purchased/installed in the early-2000's.

It's far too early for carriers to block by default, but consumers should have the choice. If I could set my phone to give a busy signal to any caller not authenticated through STIR/SHAKEN, I would in a heartbeat.

This would be great. Push back voluntarily on bad actors.

Internet-wise, we blocked pop-ups and installed adblockers when we lost trust in the platform. I see no difference in applying that to telephony. Amputate or lose the patient.

Internet-wise, we blocked pop-ups and installed adblockers when we lost trust in the platform

And then pop-ups were replaced by divs, and adblockers got blocked by paywalls.

I don't think either problem has been solved yet.

Doesn't the article say such "features" will be banned under new FCC rules?

Isn't "call forwarding" another name for "caller ID spoofing"?

Does it spoof? If X calls Y and gets forwarded to Z, does caller ID at Z show X or Y? As a possibly naive user, showing X seems like the right thing to do, since that's the number Z will be connected to if someone answers.

I'm all for it, but one gripe I have about Consumer Affairs' reporting is that they interchange the words "regulations" and "law" to mean the same thing. As we witnessed during the Net Neutrality see-saw, regulations enacted by the FCC are not "law", and can change at the whim of a new administration.

Great! I'll tell all the scammers calling my phone that what they're doing is illegal. That should stop them.

This is additional legal cover for phone networks, allowing them to block spoofed calls with fake caller IDs in all cases (rather than most).

Since the act itself is illegal, blocking cannot be contested.

That will definitely make them reassess their choices and do the right thing. Hopefully, they will tell their scammer friends to do the same! Problem solved!

I think, honestly, it’s more a bureaucratic nightmare thing. “This wasn’t technically illegal, so we’re not going to comply with your extradition request.” Now it is.

In that case, why bother making anything at all illegal? Criminals are just going to be criminals anyway.

It's a matter of severity and demonstrable willingness to ignore consequences. Scamming and fraud can earn you a spot in prison for a serious length of time, whereas phone spoofing is probably just a fine or probation, IANAL. In general it defies reason that the people who purposely violate existing major laws are going to be dissuaded by tacking regulations onto their methods.

As I recall, certainty of punishment is generally a far more effective deterrent than severity. In any case, what I think the law would really get is leverage against the US-based phone companies who gateway the traffic onto our phone network.

I have a similar dim view of "making something illegal to patch a problem". Though I wonder if there are contract structures that require customer activity to be classifiable as "illegal" for a relationship to be terminated. Given how regulated phone infrastructure is, I wouldn't be surprised if there were laws that "guaranteed access" in the name of forcing the expansion of network access but could be weaponized by adversaries / spammers.

It does give you grounds to sue them in small claims court.

I wish (and I bet there's something on Android for this) that there was some kind of social app just for sharing scam numbers among trusted friends†. E.g., as your phone receives a call, it'd hash the number and compare it with you and your friends' reported "spam caller network". If you or your friends have marked something as a spam-originating number (number spoofing not withstanding, yesyes), it would either drop the call outright, or highlight it as potential spam call ("5 of your friends have marked this as spam!") before you need to pick up.

† Why just among your friends? Cos we all know that the minute you make it open to everyone, the marketing and MBA folks will get their fangs in it and monetize and data-mine.

The numbers are random so why would sharing the numbers help reduce anything??

I never get calls from the same number. I've had the same scammer call me 3 times in one day from 3 different numbers.

This is the scammer that has called me 100s of times in the last 2 years: http://www.caribbeandiscountsinternational.com/about/

I tried to contact Tucows to complain, no way to do that. Then, I filed a report with ICANN that Tucows was violating their contract (because I can't report abuse), and that case was closed after two weeks.

The entire system is supporting the scammers.

You’d be surprised. Maybe YOU don’t get calls from the same number (though I do at times) but it seems like scammers will use one number to call 100,000 people then switch to a second number and call again. So as long as someone reports it lots of people will benefit. It’s not a random number per call, which would make this approach unfeasible.

This shared block list is basically how Nomorobo works and it’s quite effective for me.

It seems like you don't need to have a complicated hashing and sharing network for that. A braindead scoring algorithm would cut the scammers off at the ankles.

And when some scammer uses your number (since any number can be used by a scammer, it's just a number not a phone line), then under your scheme, you get cut off from all of your friends.

This. Given the quantity andlocality of the numbers to mine, if I block them, it's only a matter of time before I block a number that matters to me.

but it seems like scammers will use one number to call 100,000 people

I seriously doubt that, given the locality to my own number.

You sometimes even get calls from your own phone number. Caller ID reported numbers don’t tell you anything.

It's not just amongst your friends, but Google already offers this in the latest versions of Android. It says "Suspected spam call" below the number during the incoming call.


Most of the phone companies have similar apps.

AT&T's seemed to work OK for the first few months. Then calls started slipping through. Then AT&T started trying to sell me an "enhanced" version for $x/month.

So now the telcos have found another way to make money from phone spam.

> I wish (and I bet there's something on Android for this) that there was some kind of social app just for sharing scam numbers among trusted friend

The problem is scammers spoof numbers. So, even if you share the number and try to call it, the number will be dead.

Seriously, if you have a good data plan, why have a phone number? The phone system is so laughably insecure and limited compared to the voip alternatives. And so riddled with SPAM. There are SIP bridges to it, for the legacy calls.

Everyone expects you to have a phone number for some things. Certainly many online services expect you to be reachable via SMS for 2-factor auth. VOIP service plus a semi-decent data plan is at least as expensive as just adding on voice, and then you have two bills instead of one. You can simply ignore calls when you're not expecting one—if it actually matters they'll leave a voicemail. Those get transcribed so I don't even need to listen to see whether it was a scam or something important.

It has made phone calls probably the worst way to reach me, though. Not sure why I don't receive more text spam, which is nearly nonexistent—must be some technical reason.

Maybe technical or maybe just that the person who is going to send off money so that their social security number isn't taken away or so that the police don't come to their house and arrest them on felony charges are more likely to respond to a call--even a robo one--than a text message.

On my cell phone, the biggest annoyance is that I have to turn on Do Not Disturb when traveling internationally which means only the specific numbers in my contacts list can reach me in an emergency at all hours.

> Maybe technical or maybe just that the person who is going to send off money so that their social security number isn't taken away or so that the police don't come to their house and arrest them on felony charges are more likely to respond to a call--even a robo one--than a text message.

That occurred to me, but you can direct someone straight to a website that can then do god-knows-what with a text message, and they're even easier to automate and do in quick, huge batches than phone calls, so even at a much lower % success rate I'd think they'd be viable for scammers, and maybe even preferable to calls. Maybe they're more expensive to send? That'd be dumb, but then phone billing's never made any sense.

You guys are still thinking in terms of the phone system with publicly accessible numbers!

In future networks you’ll have to have an invitation path from the user, and if it gets abused you just mute a subpath so those people’s invites don’t result in auto-accepting messages. Simple!

A -> B -> C -> D

D attempts to send a message to A’s mailbox

A’s mailbox automatically accepts the message

If too many messages were sent from the subtree of invitations of B or C, just mute that branch.

Then the others have to jump through hoops like proof of work or pay crypto to be whitelisted and start a conversation to you.

Fixes all SPAM. You can make this compatible with an email gateway where the invitation is added as an email alias such as “foobar@dontspamme.com” and then emails to and from “foobar@“ would be proxied as messages to the actual non-email system I described, where foobar was the gateway corresponding to the “path A -> B”. It was compromised? Don’t accept emails from any new unknown email addresses sending to that endpoint without jumping through hoops.

This is better than nothing. It won’t stop criminals who pretend to be from IRS or Microsoft support. But maybe it might help against some US based businesses which use phone spamming like expiring car warranties and such.

Do we even need spoofing at all anymore, are there legitimate uses which can't reasonably be resolved other ways?

While I love that the FCC has fixed this (especially the "scammers spoof a U.S. number, usually one in the victim’s area code" part), something tells me the scammers won't just roll over and go "whelp, there's nothing we can do!". They'll just find a new "loophole".

Nothing is fixed. The spoofed calls will continue. This just makes it illegal but they’ve already been breaking the law scamming people.

Best feature coming in iOS 13 is an option to silence all calls from non-contacts.

I installed the public beta for that alone because I get so many of these types of calls, and it's saved me 19 interruptions so far this week.

Obviously blocking all unknown numbers isn't an option for everyone, but it's been great for me.

That's it people! They've cured spam. We can all go home... right?

Legal solutions don't tend to work great for technical problems.

I will just continue to block and report spam for calls from all numbers which I did not myself enter into my contacts.

If they want, the local phone companies can easily block international calls that have local caller ID.

Ooo they passed a law making it "illegal", that will stop the international scammers. Just like the war on drugs. Pai knows this stops nothing. Fuck that piece of shit, even when it looks like he's doing good he's actually doing nothing.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact