Overview of spam detection

Robocall is a call that delivers pre-recorded messages through auto dialing software. Fraudsters use robocall with spoofed caller ID to acquire something of value from the victims.

To protect consumers against spam calls, service providers are implementing STIR/SHAKEN in their network. This is already in place in United States and Canada in adherence with FCC guidelines. This helps to identify suspect calls giving users confidence in answering calls from unknown numbers. The end users benefit from service providers verification of caller-ID.

Understanding the STIR/SHAKEN standard

Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN) is a framework of interconnected standards. This ensures that calls traveling through interconnected phone networks have their caller ID signed as legitimate by originating service provider and validated by the receiving service provider before reaching the consumers.

To convey verification results through the verstat parameter in the SIP P-Asserted-Identity header, the terminating service providers use these options:​

  • TN-Validation-Passed— validation was successful with result as A, B, C attestation to the calling number.

  • TN-Validation-Failed— caller could not be verified.

  • No-TN-Validation— this can be result of verification failure for various reasons. For example: The E.164 number malformed.

SHAKEN attestation levels A, B and C let the originating service provider attest their relationship to the calling numbers.​

  • A: the service provider can attest that caller has the right to use the phone number as the caller ID.​

  • B: the customer is known. However, it is unknown if they have the right to use the caller ID.​

  • C: it doesn't meet the requirements of A or B. For example: an international call.​

Verstat value and attestation

Webex Calling processes the verstat parameter in the incoming call and displays the Caller-ID disposition on the Cisco clients.

This table shows the verstat information that is used to drive caller-ID notification to clients:

Vertsat value

Attestation level

Value that is displayed on Cisco clients

TN-Validation-Passed

Not Provided

Verified Caller

A

Verified Caller

B

Possible Spam

C

Possible Spam

TN-Validation-Failed

Any value

Potential Fraud

No-TN-Validation

Any value

Possible Spam

No verstat Parameter

Any value

Possible Spam

Cisco clients that support Unified Call History show an icon according to the Caller-ID disposition in the call history record.


On Webex App, the attestation text and icon is displayed and on MPP devices only the icon is displayed.

Verification of the on-net calls

In addition to the PSTN calls, Caller-ID disposition for on-net calls is done according to following rules:

  1. On-net call between Webex calling users—Verified user (with icon).

  2. On-net call from Cisco Unified Communications Manager user to Webex Calling user—Verified user (with icon). Calls from on-premises Cisco Unified Communication Manager user are classified based on the Caller-ID that matches with the configured enterprise dial-plan.

  3. On-net call from Webex Calling user to On-Premises Cisco Unified Communications Manager user—No indication on Cisco Unified Communication Manager client.

For mid-call features such as Call Transfer, Call Park, Call Pickup, Call Forwarding, and Caller ID, the Caller-ID disposition is based on the processing of the verstat value of the initial call leg.

When an incoming call to a Webex Calling user is forwarded and the calling number is changed, then Caller-ID disposition is decided based on verstat value in the incoming call request.

Supported devices

Spam detection is supported on the following Cisco endpoints:

  1. Webex App—Desktop and Mobile version 42.5 or higher.

  2. MPP phones—Supports 6800, 7800 and 8800 MPP devices with firmware version 11.3.7 or higher.

Administrator Configuration

Provision user notification using Control Hub

An administrator can configure sending the user indication for unverified callers. An administrator can configure to block calls that have failed STIR/SHAKEN validation. This ensures that potential fraud calls are not sent to user’s endpoint.

To configure the notification settings at the organization-level, follow these steps:

1

Navigate to https://admin.webex.com, go to Services > Calling.

2

Go to Service settings and scroll down to Caller ID Validation.

3

Use the toggle to activate the following options:

  • Block calls that failed Caller ID validation- If enabled, all calls that failed validation as per STIR/SHAKEN validation are blocked. These calls are not routed to user's endpoints. However, the calling number is added to called user’s call history. By default, this value is disabled.

  • Present calls from unverified callers as normal calls- This option is enabled by default. Any calls from unverified callers are sent to endpoints without indication.

    If the PSTN service provider for an organization has enabled STIR/SHAKEN in their network, then they can disable this setting. When disabled, calls from unverified callers display as Possible Spam at the user’s endpoint.

Configure CUBE for spam indication

To pass the verstat information to Webex Calling, organizations in United States and Canada that use on-premises PSTN connected to Webex Calling using Local Gateway or CUBE must configure these settings on CUBE.

For calls from PSTN, where the service provider supports STIR/SHAKEN:

Configure CUBE, if the PSTN service provider sends verstat parameter during new call setup:


The tags referenced here are based on the Local Gateway Configuration Guide.


Doing this configuration even when the service provider is not sending the verstat parameter will not affect calls. 

voice class sip-copylist 300
sip-header From
sip-header P-Asserted-Identity
sip-header P-Attestation-Indicator
voice class tenant 300
copy-list 300
voice class sip-profiles 200
rule 50 request INVITE peer-header sip P-Asserted-Identity copy "(;verstat=[A-Z|a-z|-]+)" u01
rule 51 request INVITE peer-header sip From copy "(;verstat=[A-Z|a-z|-]+)" u02
rule 52 request INVITE sip-header P-Asserted-Identity modify "@" "\u01@"
rule 53 request INVITE sip-header From modify "@" "\u02@"
rule 54 request INVITE peer-header sip P-Attestation-Indicator copy "(.)" u03
rule 55 request INVITE sip-header P-Attestation-Indicator add "P-Attestation-Indicator: Dummy Header"
rule 56 request INVITE sip-header P-Attestation-Indicator modify "." "P-Attestation-Indicator: \u03"

For calls from PSTN, where the service provider does not support STIR/SHAKEN:

If the PSTN provider does not send verstat information in the incoming call, do not change the default value of the Present calls from unverified callers as normal calls setting on Control Hub. If the setting is disabled, then users see Possible Spam indication on their clients.