Overview of spam detection

Robocall is a call that delivers pre-recorded messages through auto dialing software. Fraudsters use robocall with spoofed caller ID to acquire something of value from the victims.

To protect consumers against spam calls, service providers are implementing STIR/SHAKEN in their network. This is already in place in United States and Canada in adherence with FCC guidelines. This helps to identify suspect calls giving users confidence in answering calls from unknown numbers. The end users benefit from service providers verification of caller-ID.

Understanding the STIR/SHAKEN standard

Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN) is a framework of interconnected standards. This ensures that calls traveling through interconnected phone networks have their caller ID signed as legitimate by originating service provider and validated by the receiving service provider before reaching the consumers.

To convey verification results through the verstat parameter in the SIP P-Asserted-Identity header, the terminating service providers use these options:​

  • TN-Validation-Passed— validation was successful with result as A, B, C attestation to the calling number.

  • TN-Validation-Failed— caller could not be verified.

  • No-TN-Validation— this can be result of verification failure for various reasons. For example: The E.164 number malformed.

SHAKEN attestation levels A, B and C let the originating service provider attest their relationship to the calling numbers.​

  • A: the service provider can attest that caller has the right to use the phone number as the caller ID.​

  • B: the customer is known. However, it is unknown if they have the right to use the caller ID.​

  • C: it doesn't meet the requirements of A or B. For example: an international call.​

Verstat value and attestation

Webex Calling processes the verstat parameter in the incoming call and displays the Caller-ID disposition on the Cisco clients.

This table shows the verstat information that is used to drive caller-ID notification to clients:

Vertsat value

Attestation level

Value that is displayed on Cisco clients

TN-Validation-Passed

Not Provided

Verified Caller

A

Verified Caller

B

Possible Spam

C

Possible Spam

TN-Validation-Failed

Any value

Potential Fraud

No-TN-Validation

Any value

Possible Spam

No verstat Parameter

Any value

Possible Spam

Cisco clients that support Unified Call History show an icon according to the Caller-ID disposition in the call history record.

On Webex App, the attestation text and icon is displayed and on MPP devices only the icon is displayed.

Verification of the on-net calls

In addition to the PSTN calls, Caller-ID disposition for on-net calls is done according to following rules:

  1. On-net call between Webex calling users—Verified user (with icon).

  2. On-net call from Cisco Unified Communications Manager user to Webex Calling user—Verified user (with icon). Calls from on-premises Cisco Unified Communication Manager user are classified based on the Caller-ID that matches with the configured enterprise dial-plan.

  3. On-net call from Webex Calling user to On-Premises Cisco Unified Communications Manager user—No indication on Cisco Unified Communication Manager client.

For mid-call features such as Call Transfer, Call Park, Call Pickup, Call Forwarding, and Caller ID, the Caller-ID disposition is based on the processing of the verstat value of the initial call leg.

When an incoming call to a Webex Calling user is forwarded and the calling number is changed, then Caller-ID disposition is decided based on verstat value in the incoming call request.

Supported devices

Spam detection is supported on the following Cisco endpoints:

  1. Webex App—Desktop and Mobile version 42.5 or higher.

  2. MPP phones—Supports 6800, 7800 and 8800 MPP devices with firmware version 11.3.7 or higher.

Administrator Configuration

Provision user notification using Control Hub

An administrator can configure sending the user indication for unverified callers. An administrator can configure to block calls that have failed STIR/SHAKEN validation. This ensures that potential fraud calls aren’t sent to the user’s endpoint.

To configure the notification settings at the organization-level, follow these steps:

1

Navigate to https://admin.webex.com, go to Services > Calling.

2

Go to Service settings and scroll down to Caller ID Validation.

3

Use the toggle to activate the following options:

  • Block calls that failed Caller ID validation- If enabled, all calls that failed validation as per STIR/SHAKEN validation are blocked. These calls aren’t routed to the user's endpoints. However, the calling number is added to called user’s call history. By default, this value is disabled.

  • Present calls from unverified callers as normal calls- This option is enabled by default. Any calls from unverified callers are sent to endpoints without indication.

    If the PSTN service provider for an organization has enabled STIR/SHAKEN in their network, then they can disable this setting. When disabled, calls from unverified callers display as Possible Spam at the user’s endpoint.

The call indication features and the Called ID settings apply only for Webex Calling locations in the United States of America and Canada. Other locations see calls presented normally, regardless of the Caller ID settings.

Configure CUBE for spam indication

To pass the verstat information to Webex Calling, organizations in the United States and Canada that use on-premises PSTN connected to Webex Calling using Local Gateway or CUBE must configure these settings on CUBE.

For calls from PSTN, where the service provider supports STIR/SHAKEN:

Configure CUBE, if the PSTN service provider sends the verstat parameter during new call setup:

The tags referenced here are based on the Local Gateway Configuration Guide.

Doing this configuration even when the service provider isn’t sending the verstat parameter won’t affect calls.


voice class sip-copylist 200
 sip-header From
 sip-header P-Asserted-Identity
 sip-header P-Attestation-Indicator
dial-peer voice 200
 voice-class sip copy-list 200
voice class sip-profiles 100
 rule 90 request INVITE peer-header sip P-Asserted-Identity copy "(;verstat=[A-Z|a-z|-]+)" u01
 rule 91 request INVITE sip-header P-Asserted-Identity modify "@" "\u01@"
 rule 92 request ANY peer-header sip From copy "(;verstat=[A-Z|a-z|-]+)" u02
 rule 93 request ANY sip-header From modify "@" "\u02@"
 rule 94 request INVITE peer-header sip P-Attestation-Indicator copy "(.*)" u03
 rule 95 request INVITE sip-header P-Attestation-Indicator add "P-Attestation-Indicator: Dummy Header"
 rule 96 request INVITE sip-header P-Attestation-Indicator modify "Dummy Header" "\u03"
 rule 97 request INVITE sip-header P-Attestation-Indicator modify "P-Attestation-Indicator: $" "Remove: Me"
 rule 98 request INVITE sip-header Remove remove

For calls from PSTN, where the service provider doesn’t support STIR/SHAKEN:

If the PSTN provider doesn’t send verstat information in the incoming call, don’t change the default value of the Present calls from unverified callers as normal calls setting on the Control Hub. If the setting is disabled, then users see the Possible Spam indication on their clients.