# STIR/SHAKEN spoofing complaint: trace, mitigate, escalate

> A subscriber complains they're being called by their own number. Pull the SIP trace, check SHAKEN attestation, identify the originating carrier, mitigate at the SBC, and file the formal complaint upstream.

A subscriber files a complaint: they're getting harassment calls displaying their own number as the caller ID. The carrier has to trace the call origin, verify the SHAKEN attestation, mitigate at the SBC for the subscriber's number, and file the formal complaint with the originating carrier and the FCC's Robocall Mitigation Database.

## Systems involved

| System                           | Role                                                  |
| -------------------------------- | ----------------------------------------------------- |
| Kayako / Zendesk                 | Subscriber complaint ticket.                          |
| Homer / SIPCapture               | SIP trace storage.                                    |
| SBC SSH                          | Trace the call's origination, verify Identity header. |
| STIR/SHAKEN verification service | Validate the certificate chain.                       |
| FCC Robocall Mitigation Database | Look up the upstream carrier's RMD entry.             |
| Originating carrier contact      | Formal complaint email or portal.                     |
| FCC consumer complaint portal    | Optional escalation.                                  |
| Gmail                            | Subscriber and inter-carrier comms.                   |
| Studio Memories                  | Pattern notes on repeat-offender carriers.            |

## Walkthrough

<Steps>
  <Step title="Pull the offending calls">
    Copilot reads the subscriber complaint, identifies the affected DID, and pulls the last 48 hours of inbound calls to that DID from Homer. Three calls match the spoofing pattern.
  </Step>

  <Step title="Inspect the SHAKEN attestation">
    For each call, Copilot extracts the Identity header from the INVITE, decodes the JWT, and checks the attestation level. Two are A-attested by a known transit carrier; one is C-attested with no traceback information.
  </Step>

  <Step title="Verify the certificate chain">
    Through the verification service, validate that the signing certificate chains to a Certified STI-PA root and that the cert is not revoked. The A-attested calls validate; the C-attested call has a valid cert but minimal accountability.
  </Step>

  <Step title="Identify the originating carrier">
    Look up the OCN in the FCC Robocall Mitigation Database. The transit carrier is reputable; the originating party shows as a discount international gateway with a thin RMD filing.
  </Step>

  <Step title="Mitigate immediately">
    SSH to the SBC. Add a temporary rule for the subscriber's DID: block inbound calls where the calling number matches the called number. The rule is narrow — it does not affect any other subscriber.
  </Step>

  <Step title="Notify the subscriber">
    Copilot drafts a Kayako reply: we traced the calls, applied a block, here's what STIR/SHAKEN told us, here's what we can and can't do about the upstream source. Reviewed and sent.
  </Step>

  <Step title="File the upstream complaint">
    Through Gmail, draft a formal complaint to the transit carrier's robocall mitigation contact: example call IDs, Identity header contents, attestation level, evidence of harassment pattern. The transit carrier's response time SLA is logged.
  </Step>

  <Step title="Optional: FCC escalation">
    For repeat-offender originating parties (saved as memories from prior incidents), file the FCC consumer complaint as a courtesy escalation with the same evidence pack.
  </Step>

  <Step title="Watch for recurrence">
    Copilot sets a 7-day watch on the subscriber's DID for the same pattern. If it recurs, the ticket reopens automatically with the running history attached.
  </Step>
</Steps>
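The attestation check and the self-call match in the walkthrough both come down to fields inside the SIP Identity header, which carries a PASSporT (a JWT) plus `info`, `alg` and `ppt` parameters. The Python sketch below is an added example, not Copilot's or the SBC's own code: it decodes the header without verifying the signature (that remains the verification service's job) and flags what belongs in the evidence pack. The function names, the sample numbers, the certificate URL and the 60-second freshness window are assumptions made for the example.

```python
import base64, json

def _dec(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def _enc(obj):
    """Encode a dict as an unpadded base64url JWT segment (used for the sample only)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_identity(value):
    """Split an Identity header value into PASSporT header, claims and parameters."""
    token, *params = [p.strip() for p in value.split(";")]
    head, payload, _sig = token.split(".")  # signature is NOT verified here
    info = dict(p.split("=", 1) for p in params if "=" in p)
    return _dec(head), _dec(payload), info

def triage(value, called_tn, received_at, max_age=60):
    """Summarise the PASSporT claims and flag items for the complaint evidence."""
    head, claims, info = parse_identity(value)
    orig, dest = claims["orig"]["tn"], claims["dest"]["tn"]
    flags = []
    if head.get("ppt") != "shaken" or head.get("alg") != "ES256":
        flags.append("not-a-shaken-passport")
    if info.get("info", "").strip("<>") != head.get("x5u"):
        flags.append("info-x5u-mismatch")   # header parameter disagrees with the JWT
    if called_tn not in dest:
        flags.append("dest-mismatch")       # token was issued for another called number
    if orig in dest:
        flags.append("self-call")           # calling number equals called number
    if abs(received_at - claims["iat"]) > max_age:
        flags.append("stale-iat")           # possible replay of an old token
    if claims.get("attest") != "A":
        flags.append("attest-" + str(claims.get("attest")))
    return {"attest": claims.get("attest"), "origid": claims.get("origid"),
            "orig": orig, "x5u": head.get("x5u"), "flags": flags}

def sample_identity(attest, orig, dest, iat):
    """Constructed sample header; the signature segment is a placeholder."""
    x5u = "https://cert.example.org/sp.pem"  # constructed URL
    head = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    claims = {"attest": attest, "dest": {"tn": [dest]}, "iat": iat,
              "orig": {"tn": orig}, "origid": "00000000-0000-4000-8000-000000000000"}
    return f"{_enc(head)}.{_enc(claims)}.c2ln;info=<{x5u}>;alg=ES256;ppt=shaken"
```

The `origid` and `x5u` values returned here are the items to quote in the upstream complaint, once the verification service has confirmed the signature and chain.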

## Where Studio earns its keep

* The Identity header decoding, the cert chain check, and the RMD lookup happen automatically — the engineer doesn't switch between three browser tabs and a JWT decoder.
* The mitigation is narrow and surgical at the SBC, not a policy change that hurts other subscribers.
* The inter-carrier complaint references actual evidence — the cert serial, the OCN, the call IDs — so it gets taken seriously upstream.
* The repeat-offender memory builds over time, so the next call from the same source produces a stronger escalation immediately.

## Related

<CardGroup cols={2}>
  <Card title="Memories and search" icon="brain" href="../../memories-and-search" arrow="true" cta="Build patterns">
    Save repeat-offender OCNs and patterns for next-time correlation.
  </Card>

  <Card title="Procedures" icon="workflow" href="../../procedures" arrow="true" cta="Standardize">
    `Spoofing complaint triage` with DID as the argument.
  </Card>
</CardGroup>
