US Text Message Traceback – How Does It Differ from Voice Traceback?
Alex Bobotek
Version July 16, 2021
SMS carrier messages, like voice calls, are sometimes malicious, unwanted or otherwise abusive. Identifying the originating service provider (traceback) is typically an important step in mitigating abuse. In US telephony, voice traceback may require the cooperation of multiple transit service providers. In SMS messaging, however, a simple registry lookup is generally sufficient. This is due to differences in sending requirements, intercarrier routing, acceptance policies and enforcement. The following table explains these differences.
Voice vs. text, by topic:

Sender Spoofing
  Voice: The owner of record may originate calls using their phone number from any or even multiple service providers. Some service providers may be lax or even complicit in allowing parties to originate calls with unauthorized use of originating phone numbers.
  Text: Service provider policies and contracts, as well as industry-standard practices, prohibit the origination of messages from any service provider other than the provider of record. Spoofing is technically possible in some scenarios, but difficult and/or expensive. Sender spoofing is not known to be used in financially-motivated North American text spam, scam and phishing attacks. Most attacks come from abuse of numbers assigned to the attackers; a small fraction come from hijacked or compromised accounts.

Authorized Originator Registry
  Voice: While various registries assign each number to a carrier of record, there is no searchable registry that indicates every number's authorized senders.
  Text: The ENUM registry and the Override Services Registry (OSR) together indicate each number's authorized service provider. ENUM indicates the voice service provider; OSR contains entries for numbers where the SMS service provider differs.

Routing
  Voice: Routing is dynamic and may traverse multiple transit carriers, depending on current least-cost and other factors.
  Text: Routing is static, predictable and consistent. Generally the path between two numbers' service providers is consistent, governed by exclusive connectivity contracts. Typically each service provider utilizes one of two dominant Intercarrier Vendors for transport between service providers; smaller service providers may also use an aggregator. In most cases there are at most three transport service providers between the originating and terminating service providers.

Hop-by-Hop Verification
  Voice: Except in limited circumstances, this is impractical, as rules may permit calls to be legitimately originated from any network. Note that STIR standards allow for some indication of the origination and transport service providers; in some cases this may be used to help identify suspicious traffic flows.
  Text: Each transport service provider checks that every received message has an originating phone number that is owned by, or consistent with authorized routing through, the service provider from which the message was received.

Enforcement
  Voice: While call blocking has become much more common with regulatory changes and new technology deployments, blocking is hampered by difficulties in identifying originating service providers, unauthorized spoofing, duties to complete calls, and requirements to accept calls even from complicit service providers that originate no legitimate traffic.
  Text: Regulations permit service providers to block specific sending numbers and even all traffic from specific service providers. In practice, service providers that fail to maintain minimum standards of sending hygiene are disconnected by receiving service providers. Receiving service providers' network spam filters may apply more rigorous policies to traffic from less trusted service providers.
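As an added illustration (not part of this memo, and not any carrier's or registry operator's code), the Python sketch below models the two text-side mechanisms from the table: the registry lookup that names the originating provider (an OSR entry overriding the ENUM voice provider) and the hop-by-hop originating-number check each transport provider applies. The registry contents, the provider names (CarrierA, CarrierD, TextOnlyProviderC, ICV1, AggregatorX), the peering table and the sample messages are all constructed for the example; real lookups go to the industry ENUM and OSR registries rather than to Python dicts.

```python
"""
Added example, not from the original memo: a toy model of registry-based
SMS traceback (OSR override, else ENUM) and the hop-by-hop originating-number
check. All provider names, registry contents, peering data and messages are
constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample ENUM data: number -> voice service provider of record.
ENUM: Dict[str, str] = {
    "+12025550101": "CarrierA",
    "+12025550102": "CarrierA",
    "+13125550199": "CarrierB",
    "+14155550123": "CarrierD",
}

# Constructed sample OSR data: present only where the SMS provider differs
# from the voice provider recorded in ENUM.
OSR: Dict[str, str] = {
    "+13125550199": "TextOnlyProviderC",
}

# Constructed peering table (assumption): for each transport provider, the
# upstream peers it accepts traffic from, and the originating service
# providers whose numbers are authorized to arrive via that peer.
PEERING: Dict[str, Dict[str, Set[str]]] = {
    "ICV1": {                                   # an intercarrier vendor
        "CarrierA": {"CarrierA"},
        "AggregatorX": {"TextOnlyProviderC"},
    },
    "CarrierD": {                               # a terminating carrier fed only by ICV1
        "ICV1": {"CarrierA", "TextOnlyProviderC"},
    },
}


@dataclass(frozen=True)
class Message:
    orig: str   # originating number, E.164
    dest: str   # terminating number, E.164
    text: str


def sms_provider_of_record(number: str) -> Optional[str]:
    """Registry lookup: an OSR entry overrides ENUM; None if the number is unassigned."""
    if number in OSR:
        return OSR[number]
    return ENUM.get(number)


def traceback(msg: Message) -> Optional[str]:
    """Text traceback is a single registry lookup on the originating number;
    no transit-carrier cooperation is needed to name the originating provider."""
    return sms_provider_of_record(msg.orig)


def verify_hop(transport: str, received_from: str, msg: Message) -> Tuple[bool, str]:
    """The hop-by-hop check: is the provider of record for msg.orig consistent
    with authorized routing from `received_from` into `transport`?"""
    owner = sms_provider_of_record(msg.orig)
    if owner is None:
        return False, f"{msg.orig} has no provider of record"
    allowed = PEERING.get(transport, {}).get(received_from)
    if allowed is None:
        return False, f"{transport} does not accept traffic from {received_from}"
    if owner not in allowed:
        return False, (f"{msg.orig} belongs to {owner}, which is not authorized "
                       f"to reach {transport} via {received_from}")
    return True, owner


def run_path(msg: Message, path: List[Tuple[str, str]]) -> Tuple[bool, List[Tuple[str, bool, str]]]:
    """Walk msg along path = [(transport, received_from), ...], applying the
    check at every transport hop; stops at the first rejecting hop."""
    log: List[Tuple[str, bool, str]] = []
    for transport, received_from in path:
        ok, why = verify_hop(transport, received_from, msg)
        log.append((transport, ok, why))
        if not ok:
            return False, log
    return True, log


if __name__ == "__main__":
    legit = Message("+12025550101", "+14155550123", "Your code is 4821")
    # Same CarrierA number, but injected through an aggregator that is not its provider of record.
    spoof = Message("+12025550101", "+14155550123", "Claim your prize")
    osr_num = Message("+13125550199", "+14155550123", "Hi")
    print("traceback:", traceback(legit), traceback(osr_num))
    print(run_path(legit, [("ICV1", "CarrierA"), ("CarrierD", "ICV1")]))
    print(run_path(spoof, [("ICV1", "AggregatorX"), ("CarrierD", "ICV1")]))
    print(run_path(osr_num, [("ICV1", "AggregatorX"), ("CarrierD", "ICV1")]))
```

The spoofed message is rejected at the first transport hop, which is the practical reason the table gives for spoofing being rare in North American text abuse: an attacker would have to inject traffic at a provider that the downstream peering already treats as authoritative for that number.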
Text messaging data available from one or more US carriers:

- Call data records
  - Long retention (7 years???)
  - Data elements
    - Originating phone number
    - Terminating phone number
    - Timestamp
    - Length of message (sometimes)
    - Cell site and sector (sometimes)
    - Other parameters of little use to spam investigations
    - Does not include message text

- Blocked, suspicious and randomly-sampled messages
  - Variable retention; usually a minimum of two weeks
  - Contains a very small fraction (<1%) of the total messages:
    - All messages blocked as spam
    - Messages with text, envelope or sending patterns identified as suspicious
    - A very small random sample (e.g., 1 in 10,000) of all messages
  - Data elements
    - Originating phone number
    - Terminating phone number
    - Timestamp
    - Message text
    - Fields extracted from the message text, such as internet domains, URLs and phone numbers
    - Originating service provider (based on ENUM routing)
    - Originating brand and messaging campaign ID (based on 10DLC registration, if registered as 10DLC A2P)
    - Other parameters of little use to spam investigations

- Customer spam complaints to 7726
  - Long data retention: 7 years
  - Note that these are customer assertions of unwanted messages. They may be inaccurate, fictitious or even malicious accusations.
  - Data elements
    - Spammer's phone number (usually present, but may be missing or inaccurate)
    - Reporter's phone number
    - Spam classification (spam, clean or classified)
    - Timestamp of report and possibly timestamp of message
    - Purported original message text (sometimes modified by clients adding "FWD:" or other information)
    - Fields extracted from the purported message text, such as internet domains, URLs and phone numbers
    - IP addresses to which internet domains resolve at the time of report processing
    - Spammer's service provider (based on ENUM routing)
    - If the spammer's phone number is on the AT&T network, account information such as whether prepaid or postpaid and customer identification if provided (usually)
    - Other parameters of little use to spam investigations

- Business records
  - (I'm not the authority on this)

- Possibly other data
  - Very short retention (2 days??)
  - Every text message, not just blocked and suspicious
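As an added example (not from this memo, and not any carrier's 7726 processing code), the Python below turns a forwarded 7726 report into the fields the list above describes: the purported message text with client-added "FWD:" prefixes stripped, the URLs, domains and phone numbers extracted from it, and the spammer's number taken from the reporter's follow-up reply. The sample report, the regular expressions and the NANP normalization are constructed assumptions; domain-to-IP resolution is modeled as an injected `resolve` function because the real pipeline performs live DNS lookups at report-processing time, which an offline example cannot do.

```python
"""
Added example, not from the original memo: parse a 7726 spam report into
the data elements listed above. Sample text, regexes and the resolver hook
are constructed for illustration, not any carrier's actual pipeline.
"""
import re
from typing import Callable, Dict, List, Optional

from urllib.parse import urlsplit

# Client-added forwarding prefixes ("FWD:", "Fw:", "Forwarded message:").
FWD_PREFIX = re.compile(r"^\s*(?:fwd?|fw|forwarded(?: message)?)\s*:\s*", re.IGNORECASE)
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")
# Heuristic bare-domain pattern; an assumption that is good enough for triage,
# not a full hostname grammar.
DOMAIN_RE = re.compile(r"(?i)\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
# NANP number with optional +1/1 prefix and common separators, bounded by
# look-arounds so it will not match inside longer digit runs.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?([2-9]\d{2})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)


def strip_forward_prefix(text: str) -> str:
    """Remove one or more stacked client-added forwarding prefixes."""
    prev = None
    while prev != text:
        prev, text = text, FWD_PREFIX.sub("", text, count=1)
    return text.strip()


def normalize_nanp(match) -> str:
    """Render a PHONE_RE match as E.164 (+1NXXNXXXXXX)."""
    return "+1" + "".join(match.groups())


def parse_7726_report(
    forwarded_text: str,
    sender_reply: Optional[str] = None,
    resolve: Optional[Callable[[str], List[str]]] = None,
) -> Dict[str, object]:
    """Extract the investigation-relevant fields from a forwarded 7726 report.

    sender_reply is the reporter's follow-up message giving the spammer's
    number; resolve, if supplied, maps a domain to the IPs it resolves to at
    processing time (a live DNS call in a real pipeline).
    """
    text = strip_forward_prefix(forwarded_text)

    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]
    domains = set()
    for u in urls:
        host = urlsplit(u if "://" in u else "http://" + u).hostname
        if host:
            domains.add(host.lower())
    domains.update(d.lower() for d in DOMAIN_RE.findall(text))

    phones = sorted({normalize_nanp(m) for m in PHONE_RE.finditer(text)})

    spammer = None
    if sender_reply:
        m = PHONE_RE.search(sender_reply)
        spammer = normalize_nanp(m) if m else None   # may be missing or malformed

    resolved = {d: resolve(d) for d in sorted(domains)} if resolve else {}

    return {
        "message_text": text,
        "urls": urls,
        "domains": sorted(domains),
        "phone_numbers": phones,
        "spammer_number": spammer,
        "resolved_ips": resolved,
    }


# Constructed sample report: a package-delivery smish forwarded by a subscriber,
# with two stacked "FWD:" prefixes added by the handset client.
SAMPLE_FORWARD = (
    "FWD: FWD: USPS: your package is held at the facility. Confirm your "
    "address at http://usps-redeliver.example/track?id=77 or call 833-555-0199."
)
SAMPLE_SENDER_REPLY = "+1 (202) 555-0147"


if __name__ == "__main__":
    # Constructed stand-in for live DNS at report-processing time.
    fake_dns = {"usps-redeliver.example": ["192.0.2.44"]}
    report = parse_7726_report(SAMPLE_FORWARD, SAMPLE_SENDER_REPLY, resolve=lambda d: fake_dns.get(d, []))
    for k, v in report.items():
        print(f"{k}: {v}")
```

Because the report text is a customer's assertion, the extracted spammer number is only a lead: the ENUM/OSR lookup on it names the provider of record, but whether the number actually sent the message has to be confirmed against the carrier's own blocked/suspicious message store or call data records.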
Text messaging data may also be available from originating service providers and spam filter providers.