My cell phone receives what I consider to be an excessive amount of unsolicited text messages. Between January 1 and August 10, 2022, it received 76 unsolicited messages or 1 message every 2.9 days.
Number of unsolicited text messages per day since Jan 1, 2022
Types of messages and how I respond #
Banking fraud #
When I receive a text message with a URL that is likely banking fraud, I do the following
- Run a whois to get the registrar’s abuse@ email address.
- Take a screenshot of the message and send it to the abuse@ email with context to support the fraud claim.
Registrars take this seriously and domain take-downs often happen within 24 hours. My time involved is typically less than five minutes. This task can be accomplished while waiting for a Terraform deploy, or while someone is talking about the demise of snack selection during all-hands meetings.
Ad-hoc blocking the sending phone number for banking fraud has had little to no effect on repeat messages. I suspect carriers quickly remediate the sources of activity out fairly quickly on their own, reducing any impact I can achieve.
Odd messages that are potentially phishing attempts #
I reply if I have time or someone is still going on about snacks. Responses from the sender are rare. When I get a response it appears to be either nonsense or a case of mistaken identity/wrong number.
Real estate sale calls and messages #
For 2+ years, I have been receiving large numbers of voice calls and some text messages with cash offers to buy someone named Stan’s house. These calls and texts occur at inconvenient hours for me, something I attribute to having a phone number that is not related to the timezone that I live or work in.
Initially, I used my phone settings to route all unknown calls to voicemail and silence unknown numbers for texts. This is a less than desirable response as it also skips legitimate calls from unexpected numbers. For example, my doctor or calls about an incident response in progress. Additionally, my voicemail alerts stopped once I reached 99 unread voicemails.
I’m not a fan of voicemail, but I’m less a fan of service degradation due to
- calls not intended for me
- the red dot notification indicating I have dozens of unread text messages
I decided to review the messages and start calling the realtors back. Reviewing transcribed voicemails helped me recognize that the callers were all using the same or similar sources of data. Each voicemail left detailed personal information about Stan, including his address.
My goal was to try and find out where the realtors were sourcing their data from. The vast majority of realtors never answered my calls or voice messages. But one realtor did. I explained that they were calling at inappropriate hours, and that I was not their intended recipient. I queried their source of data. She did not know the answer on the spot, but she did reach back out and stated that they source their material from Lexis Nexis.
I went to the Lexis Nexis site to search for a way to correct the information. The takeaway from my search was
- There are dozens of data brokers
- There appears to be no way to correct when your information is associated with another persons account
- I am not the only one with this issue.
A DuckDuckGo search yields many references for this issue such as
- https://www.newsweek.com/2019/10/04/lexisnexis-mistake-data-insurance-costs-1460831.html
- https://old.reddit.com/r/legaladvice/comments/69mgbx/lexisnexis_has_incorrect_information_about_me_and/
I filled out the Lexis Nexis form to receive a copy of my data and opt out of their services that I never opted in to. My report never arrived. I did get a confirmation that my data would be removed from my account. Removing my data has zero impact to any data that they have already sold which has been subsequently re-shared into the data ether.
The real estate text messages and voicemails for Stan have not stopped.
Political messages for Stan and Gayle #
By far, the largest number of messages I receive are politically oriented. Like the real estate messages these do not come at a reasonable hour for where I live. I have replied to these messages with
- STOP and variations of
- Attempting to call the number. This was ineffective due to the majority of messages being some type of API based service
- Requesting them to stop in a frustrated tone
Nothing has stemmed the influx of political text messages
Analyzing Text Messages #
On August 10, 2022, I received a text message while on roaming and decided to see if I could take a similar approach to the political messages as I do banking fraud.
These messages are not fraud, but I do expect them to violate an acceptable use policy for a carrier since
- I can’t opt out or stop the messages
- I never opted in
- I’m not the intended recipient
- The excessive quantity
To start my investigation I signed up for a Twilio account and used Twilio’s phone lookup system. In this instance, the carrier for the message was identified by Twilio to be bandwidth.com.
Twilio Phone Lookup
I browsed to the bandwidth.com site and filled in the form. Good news, they “are here to help”.
Bandwidth.com Site
Initially the bandwidth.com form would not work, citing incorrect form data. After several attempts with the same information the form allowed submission. I received a response so fast I knew it would not be good news.
Bandwidth Response
My interpretation of Bandwidth.com’s response is
- they are a wholesale provider
- they are not responsible for how their network is used
- they would forward my complaint to an unknown entity
I replied that this was a problem of excess, cc’d their legal@email, and what I guessed to be their CEO’s email.
Their legal team auto-responded to use the form that I had already filled out. I suppose they have received these messages before, and the most logical response was to do nothing. I did not feel helped.
[email protected] response
Summary of my experience escalating to Bandwidth.com
Bandwidth.com will not disclose the sub-carrier or service, thus blocking any attempts at me resolving at the carrier level. Further, they push acceptable use entirely to their undisclosed customer.
This was a frustrating outcome. At this point I decided to analyze all unsolicited messages I received since Jan 1, 2022 and look for common ground.
Methodology #
Define spam
Any unsolicited text message. Messages that do not meet this requirement
- Personal messages
- SMS verifications for service sign-ups
- Automated messages for appointments
Transcribe
I did not find a way to copy the messages from my phone directly to my computer with OS provided tools. I did not want to use a third-party tool to do this. Not deterred, I took the age-old accepted security response approach of spreadsheet-triage. I manually copied the date and source phone number for every unsolicited message into a spreadsheet. I labeled the messages with
- Classification category
- Primary Type
- Secondary Type
- Domain - If there was a domain and what the domain was
- Path - any URL text past the domain
- Image - If an image was contained
- Domain registrar
- Mentions Stan
- Mentions Gayle
- Carrier
The classifications are
- Spam - Greeting
- Spam - Survey
- Election Poll
- Fraud - Banking
- Britney Spears
- Real Estate
- Political
Primary Type and Secondary Type focus on the contents of the message. Carrier is the phone number carrier as reported by the Twilio.com phone number lookup service.
Data points #
Classification Over Time
Classification To Carrier
- For classification to carrier I shortened the carrier name. For example
Bandwidth SMSEnabled - Bandwidth CLEC - Sybase365was shortened toBandwidth.com. The mapping is posted in the Appendix. NullandUnknownare distinct responses from the Twilio lookup service. Those responses are been preserved in the chart.
Bandwidth.com and Telnyx cover the majority of political messages.
Carriers To Text Messagse With Domains
- Text messages with no domain are indicated by
FALSE.
Domain mapping
The majority of political domains are fronts for hxxps://winred.com
True: Domain fronts for winredFalse: Domain does not front for winred- Text messages without domains have been filtered out
I browsed to the Winred site to opt out of messages. Their site has a chatbot that provides categories of questions, including text messages.
Winred’s response is to work with each campaign individually. The issues with this are
- Volume - You attempting to mitigate a many-to-one attack
- New sources - There is no source of truth, each campaign is a net new source
- Stop and other replies via text message are partially ignored or ignored in totality.
Winred approach is similar to Bandwidth.com; in effect, there is no practical way to stop unsolicited messages via carriers or organizations using the carriers.
In every case, the parties involved in sending claim no responsibility or authority.
Suggested industry requirements #
Note: I do not work in the carrier industry.
Carrier identification for any text message
A consumer should be able to identify the carrier or carrier customer account responsible for sending an API based or automated message. This should be trivial to accomplish via the message itself and any references via domains.
Identification via Twilio is not a consumer friendly option.
Opt-out or block the carrier’s customer account
A consumer should be able to send a single STOP response and block all messages from the carrier customer account.
Mobile service providers should take a hostile approach
Some API-based senders are not operating in good faith. Providers and MVNO’s should take a hostile approach towards senders. I am not a fan of my mobile phone provider choosing what I can and cannot see. But this is service degradation at this point. Take the same approach you would for any other network-based attack and null route it.
STOP should not convert to known sender
Replying STOP to an unknown sender moves the customer to a known sender status on iPhones. This effectively disables the mitigation. Further, STOP should be standardized. Not Stop2End or Stop=End.
The FTC should add a portal
Currently, the FTC recommends using your phone messaging settings to block this activity. This method does not work in a many-to-one attack. The FTC should add a portal where complaints can be escalated, investigated, and sources fined or shut down.
Potential downsides of suggestions
I suspect customers of API based carriers will continue to act in bad faith. Any identification capabilities are likely to take the route of cookies where companies choose overtly obtrusive implementations rather than following the spirit of the regulation. However, text messages offer limited real estate and I suspect that egregious implementations will have an equally negative impact to the sender as the receiver.
In summary - if you have a website or legal response that immediately acknowledges abuse on your platform and how you are not responsible. You are operating in bad faith.
Let’s go Bandwidth.com
Source image from Wikipedia
Appendix #
Tools used
- Graphs built using Amazon Quicksight
- Keynote
- Spreadsheets
- Skitch
- Twilio Phone Lookup
Screenshots of text messages #
I have truncated domains and other information that may be associated with my phone.
How to read this data #
Messages are organized by categories
- Spam - Greeting
- Spam - Survey
- Election Poll
- Fraud - Banking
- Britney Spears
- Real Estate
- Political
- Democratic
- Republican
Within categories messages are ordered left to right, above to below.
- Messages on the left arrived before messages on the right
- Messages on the above arrived before messages below
The number screenshots will exceed the number of messages in chats. I did not count images and multiple text messages sent at the same time as distinct messages.
Spam - Survey #
Spam - Greeting #
Election Poll #
Fraud - Banking #
Britney Spears #
Real Estate #
Political #
Democratic #
Republican #
Bandwidth.com’s Acceptable Use Policy #
Section: Continuous or Repetitive Calls and Messaging.
Carrier Mappings #
| Name reported by Twilio | Short name for graphs |
|---|---|
| Bandwidth SMSEnabled - Bandwidth CLEC - Sybase365 | Bandwidth.com |
| Bandwidth.com CLEC, LLC | Bandwidth.com |
| Bandwidth/13 - Bandwidth.com - SVR | Bandwidth.com |
| Bandwidth/20 - Bandwidth.com - SVR | Bandwidth.com |
| Bandwidth/Zipwhip/3 - Toll-Free - SVR | Bandwidth.com |
| Commio, LLC | Commio |
| Google (Grand Central) - SVR | Google Grand Central |
| Hook Mobile - Sybase365 | Hook Mobile |
| Null | Null |
| Unknown | Unknown |
| Plivo - SVR | Plivo |
| T-Mobile USA, Inc. | T-Mobile USA |
| Telefinity/teli.net - SVR | Telefinity |
| Telnyx - Level3 - SVR | Telnyx |
| Telnyx - Telnyx - SVR | Telnyx |
| Telnyx - Windstream - SVR | Telnyx |
| TextNow - Bandwidth.com - SVR | Bandwidth.com |
| TextNow - Neutral Tandem - SVR | TextNow |
| Twilio - SMS/MMS-SVR | Twilio |
| Twilio - Toll-Free - SMS-Sybase365/MMS-SVR | Twilio |
Updates #
August 29, 2022
This morning, I received another realtor call for Stan. I explained the situation to the realtor, and he took the time to share information on their data set with me. This particular realtor is sourcing data from three companies.
- True People Search [ truepeoplesearch.io ]
- Fast People Search [ fastpeoplesearch.info ]
- Lexis Nexis [ lexisnexis.com ]
He also shared that there were two phone numbers listed for Stan. My phone number and another number with the same last seven digits, but an alternate area code. Example:
- 415-123-1234
- 210-123-1234
I appreciate another realtor taking the time to help triage data broker false positives. I recommend inquiring into the false positive rate and data validation methods before entering into any contract or commercial services with these companies. There is no method for me to validate the statistical occurrence of matching numbers for individuals across area codes. I suspect the occurrence rate to be exceptional small and this example indicative of serious quality control issues.
I have reached out via a contact form to Fast People Search and email to True People Search in an attempt to have my information removed from Stan’s records. Both sites have opt-out forms, but they are only for the person associated with the data, Stan.
(c) Michael Bentley 2022
Contents may not be republished without written consent.