“How do I bypass anti-spoofing?”

Simon Woodhead

26th July 2022

TLDR: We’re not going to answer that question, but we are going to explain why! The best way to avoid anti-spoofing procedures is simply not to spoof numbers!

OK, this is a question we’re getting a lot in our support queues and I’ve had directly from various channels, relating to both voice and SMS. I’m going to attempt to answer it.

In the old days of the PSTN a phone number was generally attached to a physical device and the only originator of calls on that number was the line-provider. National calls had national numbers, international calls had international numbers or, more often, no numbers as the international CLI was often stripped. Then enter VoIP and one can originate calls anywhere, ostensibly from anywhere.

At one level, this is a great thing. It means a service provider in the UK can sell service to an Irish company and make calls to its Irish customers presenting its local Irish number, even though those calls may actually be terminated through us. At another level, this is awful. It means a bucket-shop in Mumbai can place spam calls to old people in Italy, spoofing a number in their own town to improve answer rates. Now, technically and without being racist, you tell me where the difference between those is. There really isn’t one and, just to stop the wokes getting agitated, the legitimate service provider could just as easily be (and often is) in Mumbai and the bucket-shop in the UK; it matters not.

International CLI used to be hopelessly unreliable. I remember we used to publish lists of the destinations to which CLI was ‘guaranteed’ and that was a measure of quality – the spiv who resold free minutes on a Jamaican SIM bank could not do that of course. This too was a double-edged sword though – passing CLI is desirable unless it is spoofed, in which case see above.

Then came surcharges, not our half-arsed anti-competitive nonsense that led Ofcom to say such face-palm worthy pearls of wisdom as “without valid CLI I don’t know where the call came from”, but those by the French, which at the time we lauded for curbing nuisance calls. They’re now present in many countries around Europe but, like our own effort, actually encourage spoofing – spoofing gets around the surcharge on international calls, at least until the international gateways catch on.

So the go-to way around that was local origination and indeed we stack up pretty well there. In many countries we originate calls locally, which means they hit the local PSTN through a local operator rather than traversing n transit operators to find the default route into the country (usually the incumbent) with all the other international traffic of every nature. That’s good then. Indeed for us it means we have many customers in overseas countries who are using us to terminate local traffic into their own country. Or did…

Recently though we’ve been asked ever more questions such as “Do you have a PoP in Seoul?”, “If I present an Irish CLI will you pass it?” and so on. These are really leading to the question in the subject, just avoiding asking it directly! The bar has been raised. 

Take Portugistan (a made-up country, I hope) as an example and let’s assume there are just two operators there and we interconnect with one of them, Operator A. Obviously we have to comply with Operator A’s policies and they may require, for example, the country of the network number and presentation number to match. Beyond that though, we can terminate calls to the Portugistani PSTN with a local CLI via Operator A. This means, for example, that one of our customers can carry all the traffic for a Portugistan bank or the electricity company, integrating with world-leading software and delivering numerous benefits to all. However, in recent years Operator B has observed calls coming into its own network (from us via Operator A) presenting its (Operator B’s) own numbers as CLI because said bank or electricity company is its customer; it has also seen reduced revenue. Much angst and bravado ensues because, however legitimate the use case, Operator B doesn’t like it, can cite an equally bad comparative use case and threatens to take Operator A to the local Regulator for spoofing its numbers. Operator A complies, traffic stops, the local bank resumes paying oligopolistic rates to Operator B and the customer experience returns to the 1970s as our customer declares Portugistan a no-go zone.

This is happening all over the world in the name of anti-spoofing. It is great to contain that bucket shop trying to deceive people and we 100% support that cause; but it is less great for the international service provider with legitimate customers in those countries. Our example is clearly pro-market, and based on a real one, but it could equally have been a Portugistan old person being scammed – the fairness and morality of this depends entirely on use-case. Ironically though, if you scroll up a few paragraphs, the Jamaican SIM bank is actually locally originated using a local SIM card presenting a local number and probably provides a cheap option for the scammer. That used to be a bad thing at so many levels, and a legitimate operator wouldn’t consider that route. It goes to show though that the fall-out from these policies isn’t as symmetric as the morality of the use cases.

This is only going to get more and more restrictive though. In our own country, for calls coming in from overseas, one major provider simply doesn’t appear to care and is the largest source of international crap going, but kind of necessary to accept calls from. Another has a jobsworth policy that does filter some spoofed traffic but already causes some call scenarios to fail. And we of course have our own policy relating to our numbers as CLI, which is different to either. These are self-appointed policies though so the experience will vary according to which route the call takes into the UK, which the terminating operator has no control over. That said, Ofcom is threatening to think about the possibility of catching up at some future date.

Going the other way – calls originating with you and passed to us for termination – it is going to be more and more problematic to present a local number to international markets and is going to lead to an increasingly inconsistent user experience. We’re architected to give the best chance of success where the traffic is legitimate (we have a one-strike policy where it isn’t but can usually sniff it before it comes), but we cannot control local policy, official or self-appointed.

As we noted with STIR/SHAKEN, the ultimate consequence of all this is that the only provider able to originate calls will be the one also terminating them, as they are the only one able to attest the legitimacy. Ultimately that’ll be the local in-country operator at whatever rate and feature set they choose, unconstrained, to apply. That feels like a massive step back for progress but whether it is good or bad socially is variable and we recognise the need to stop the bad traffic.

The general advice at this stage is that if you’re calling overseas from the UK, present one of the UK numbers allocated to you, with usual guidelines applying. Similarly, calling from the US, present one of the US numbers allocated to you, with usual guidelines applying. Save for specifically blacklisted numbers, nobody is yet banning numbers based on which country they appear to be coming from, even the French! That doesn’t stop some of our peers, endorsed by the Regulator, thinking they can charge on that basis though.
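The two checks this post mentions, an operator requiring the countries of the network number and presentation number to match and the advice to present only numbers allocated to you, sketched as a validation run before a call is passed for termination. This is an added example, not Simwood's code; it assumes the network number is carried in P-Asserted-Identity and the presentation number in From, and the calling-code table, numbers, hostnames and function names are constructed for illustration.

```python
import re

# Constructed subset of E.164 country calling codes, enough for this demo.
CALLING_CODES = {"1": "NANP", "33": "FR", "353": "IE", "39": "IT",
                 "44": "GB", "82": "KR", "91": "IN"}

def e164_from_header(value):
    """Pull the +E.164 user part out of a sip:/tel: URI in a header value."""
    m = re.search(r"(?:sips?|tel):(\+[0-9]{7,15})(?=[@;>]|$)", value)
    return m.group(1) if m else None

def country_of(number):
    """Longest-prefix match on the calling code; None if not in the table."""
    digits = number.lstrip("+")
    for length in (3, 2, 1):
        if digits[:length] in CALLING_CODES:
            return CALLING_CODES[digits[:length]]
    return None

def parse_headers(message):
    """Map lower-cased header names to values, stopping at the blank line."""
    headers = {}
    for line in message.split("\r\n")[1:]:   # skip the request line
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def check_cli(message, allocated):
    """Return the policy failures; an empty list means the CLI passes."""
    # Assumption: network number = P-Asserted-Identity, presentation number = From.
    h = parse_headers(message)
    network = e164_from_header(h.get("p-asserted-identity", ""))
    presentation = e164_from_header(h.get("from", ""))
    if network is None or presentation is None:
        return ["missing or non-E.164 network/presentation number"]
    failures = [f"{label} number not allocated to customer"
                for label, num in (("network", network), ("presentation", presentation))
                if num not in allocated]
    if country_of(network) is None or country_of(network) != country_of(presentation):
        failures.append("network/presentation country mismatch or unknown")
    return failures

# Constructed INVITE head: UK network number, Irish presentation number.
SAMPLE = ("INVITE sip:+35320910200@carrier.example SIP/2.0\r\n"
          "From: <sip:+35320910100@customer.example>;tag=1\r\n"
          "P-Asserted-Identity: <sip:+442079460100@customer.example>\r\n\r\n")
```

Calling `check_cli(SAMPLE, allocated)` with both numbers allocated still fails the country-match rule, which is the situation the Portugistan paragraph describes: a legitimately held number can be rejected by a downstream operator's policy.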
