Protected sender ids - alphagov/notifications-manuals GitHub Wiki

Introduction

Protected senders definition: scammers try to use some SMS sender names to impersonate companies or organisations. For example they may pretend to be courier companies, banks, or HMRC. To combat this, British telecoms applied some restrictions, so that these sender names can only be used by services/organisations/companies they refer to. It is also called Trusted Brands. BT maintains a list of those protected sender IDs/names. We use their list to populate our own list of protected sender names. BT's list has both government and non-government sender names. We parse that list (that we get in the form of spreadsheet) to extract the non-governmental sender names only. We put those in a database table that we put extra protections around.

How to update the db table with new protected sender names

[To be determined] we will get an excel spreadsheet, we are not sure how yet. Once we do, the steps are as follows:

  1. Upload it to Google Drive and save it to GOV.UK Notify/Operations Team/Protected Sender IDs.
  2. Then export and download this as a CSV.
  3. There is a script in api. When you run this command using the CSV you saved and the script in question:

cat $CSV_DOWNLOADED_FROM_BT | python process_sender_names.py

You will get a set of inserts.

  1. Check the list to make sure there are no sender names used by government. We want to only extract non-government sender names. If there are government sender names in our resulting list, this would indicate a breaking change between the script and the data.

  2. If you are happy with the list run the Insert in preview, staging in production using write access wrapped in BEGIN and COMMIT commands. It should be idempotent, that is it can be run multiple times with out erroring.

This assumes that the list is always increasing, which might not always be true. It is left as an exercise for the reader to figure out what to do if the list shrinks.

Protections

When a sender id is added to the database, we prevent our services from setting their sender id to it in the validation stage (in the admin app). We also raise a Zendesk ticket as we suspect that there might be malicious activity on their account.