Slashdot Mirror


Net Phone Customers Brace For 'VoIP Spam'

XaviorPenguin writes "If you think that Spam in your e-mail inbox is bad, wait until VoIP gets huge! According to a News.CNet.com story, your voice mail box on your Net Phones may be cluttered with ads for Viagra. '"The fear with VoIP spam is you will have an Internet address for your phone number, which means you can use the same tools you use for e-mail to generate traffic," said Tom Kershaw, a vice president at security specialist VeriSign. "That raises automation to scary degrees."' If you think that is scary, you know the Do-Not-Call list that is out by the FTC, yeah, um, people with Net Phones may not be affected by this list and spammers/telemarketers may take this advantage for themselves."

9 of 226 comments

  1. Not a single sales call. by johankohler · · Score: 5, Informative

    Well so far Vonage is great.

    I've been a subscriber for 3 years and have not received a single sales call.

    I believe I have received about 10 calls that got the wrong number.

    1. Re:Not a single sales call. by Anonymous Coward · · Score: 1, Informative

      I've been using Packet8 (packet8.net) and have been very happy too. Tried Vonage as well, but it cost me $10 more for the same QOS, so I gave up on Vonage. Another reason I switched to Packet8 is that if you want to change your number, just let Packet8 know and they will do it for free, unlike Vonage which charges for every little thing.

  2. Odd.... by Laivincolmo · · Score: 4, Informative

    I'm not sure if I'm an exception to the case, but I never get any spam. If I get a voip address, I'll just use the same methods I do now. Create a dummy account for signups, be careful how I post my address on the internet, etc.

  3. Back door... by LostCluster · · Score: 3, Informative

    Here's the wide open hole in VoIP phone service:

    Every VoIP phone that has a real-world phone number also has an SIP address that can be used to send calls to it as well... If those addresses get captured and traded around like e-mail addresses, then all a tele-spammer would need is the bandwidth and they're all set to call you with a spam-like ad.

    And the Do Not Call Registry law doesn't even apply because it registers phone numbers, not SIP addresses. So that and any other telephone-based law isn't going to work here.

    1. Re:Back door... by Tmack · · Score: 4, Informative
      OK, I know virtually nothing about VoIP, but I'm betting I'm right here... wouldn't that also block legitimate calls from others using VoIP phones?

      No, because while they all use VoIP, they themselves are not (yet) interconnected. Even if they were, the only call switch that your phone should talk to is the one hosted by your provider, since it is the determining factor as to where calls go, and all voice packets are routed through their network anyways.

      The individual providers still need a way to interconnect to all other providers, and currently the only way to do that is via POPs (points of presence) and SS7 trunks to the POTS network. Generally once traffic is determined to not be on the CLEC's local network, it's passed out to whoever they connect to to handle outbound routing, be it VoIP or not. I doubt any serious LEC would use the internet as a major interconnect with another provider. The security risk alone is too much of a risk.

      Also note that not all providers currently use the same protocol (as has been mentioned in other posts), so even if someone spoofed a call from your provider, they would have to know how to talk to your phone, be it MGCP or SIP or something else.

      Just because your phone "has a world reachable IP address" doesn't mean it is wide open to attacks. I think the most serious issue to be dealt with will be DOS attacks, since most IVoIP (internet VoIP, ala Vonage.. as opposed to internal VoIP on private networks) cannot control their QOS between customer and callswitch.

      tm

      --
      Support TBI Research: http://www.raisinhope.org
  4. Re:sigh... by LostCluster · · Score: 4, Informative

    It's a difference in business models. Most phone telemarketers were operating legal businesses, so when laws made it impossible for them to operate they simply went out of business.

    Meanwhile, spammers are usually already immoral people who have no respect for the law anyway. Viagra, after all, is illegal to sell without a proper prescription, and a contact via web form is simply not good enough to generate such a prescription. So, their offer is already illegal to begin with... another law on top of that making the communication illegal isn't going to affect them much.

  5. Re:Pay by the minute? EEK! by dejamatt · · Score: 4, Informative
    Some of the companies, foolishly, make you listen to an entire voicemail message before deleting it (in the cell phone world Cingular does this too)

    FYI: On my Cingular phone, 7 is the erase button after a message, but if you push 7-7 during a message it will stop playback and erase it. Don't know if it works on all phones/plans or just mine.

  6. Re:Sounds like security specialists spreading FUD by pavera · · Score: 3, Informative

    This is most certainly FUD.
    Having the IP address of a VoIP phone is not enough to send them a voicemail. You have to know (at least on any decently secure system) a phone number, and an IP address. And, to leave a message you have to have an open communication channel with the messaging server, not the phone (again on any decently secure system).

    I manage VoIP for a 9000 node network. Only the messaging server can leave a voicemail in a person's voicemail box, and to leave a message on the system you have to open a connection to the server (over SIP, or from the PSTN). At any rate, if it was incoming spam to my organization it would have to come over the PSTN (we are VoIP internally, to all of our branches, but PSTN everywhere else). Thus, spam would have to be initiated from the PSTN, and would be limited to a total of about 200 simultaneous calls (we have about 10 PRIs for connections to the outside world, we run about 60% usage on those PRIs).

    Thus realistically a telemarketer could only leave about 80 messages simultaneously before starting to get the no circuits available error from our provider, and it would tie up 80 of their phone lines for the 30 seconds it would take to leave the message, and they would have to pay long distance etc for those calls. Now, inside our organization, you can send a voicemail to everyone at once, but it is very restricted (i.e., you can only do this from 3 accounts, and to make a call from one of these 3 accounts you have to know the pin numbers to allow the call through).

    In our setup, I can't think of a single way to really automate sending everyone a voicemail, besides hacking one of those 3 accounts, or calling all 9000 people... granted you could have a voice recorder call the numbers, and leave messages, but telemarketers already do that, and with VoIP it would be no different. You can't just email the voicemail to the accounts, as the voicemail system only recognizes voicemail that it has put in the email accounts (it keeps a database of unique IDs that it puts in the email and only reads the emails it generated).

    Furthermore, emailing 9000 copies of a 300KB message would require a lot more bandwidth than sending 9000 4KB html viagra ads. Why would a telemarketer do it? Or a spammer? Bandwidth is cheap, but it still costs something. Sure, they can use their zombie nets, and then it's not their bandwidth, but, if they are sending multi-megabyte chunks of mail, a lot more people will notice that they are infected if their net connections noticeably slow down.
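An added illustration of the check pavera's comment describes (the voicemail system only reads e-mails whose unique ID it generated itself); this is not the poster's system or any vendor's code. The header name, class and function names are hypothetical, the sample messages are constructed, and binding each ID to a mailbox and an audio hash goes beyond what the comment states.

```python
import hashlib
import secrets
from email.message import EmailMessage

ID_HEADER = "X-Voicemail-ID"  # hypothetical header name, not from the post

def _build(mailbox, audio, vm_id=None):
    """Build a voicemail-style e-mail; used for genuine and constructed fakes."""
    msg = EmailMessage()
    msg["To"] = mailbox
    if vm_id is not None:
        msg[ID_HEADER] = vm_id
    msg.set_content("Voicemail attached.")
    msg.add_attachment(audio, maintype="audio", subtype="wav",
                       filename="message.wav")
    return msg

class VoicemailStore:
    """Database of IDs the messaging server issued (in memory here)."""
    def __init__(self):
        self._issued = {}  # id -> (mailbox, sha256 of the recorded audio)

    def deliver(self, mailbox, audio):
        vm_id = secrets.token_hex(16)  # unguessable 128-bit ID
        self._issued[vm_id] = (mailbox, hashlib.sha256(audio).hexdigest())
        return _build(mailbox, audio, vm_id)

    def is_own_voicemail(self, mailbox, msg):
        # Unknown ID, or an ID issued for another mailbox: not ours.
        record = self._issued.get(str(msg.get(ID_HEADER, "")))
        if record is None or record[0] != mailbox:
            return False
        # Assumption beyond the post: the audio must match what was recorded.
        audio = next((p.get_payload(decode=True)
                      for p in msg.iter_attachments()), None)
        return (audio is not None
                and hashlib.sha256(audio).hexdigest() == record[1])

def demo():
    store = VoicemailStore()
    alice, bob = "alice@example.com", "bob@example.com"
    genuine = store.deliver(alice, b"constructed-audio-1")
    real_id = str(genuine[ID_HEADER])
    return {
        "genuine": store.is_own_voicemail(alice, genuine),
        "no_id": store.is_own_voicemail(alice, _build(alice, b"ad")),
        "guessed_id": store.is_own_voicemail(alice, _build(alice, b"ad", "0" * 32)),
        "reused_id_new_audio": store.is_own_voicemail(alice, _build(alice, b"ad", real_id)),
        "reused_id_other_box": store.is_own_voicemail(bob, genuine),
    }
```
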

  7. Re:do not call list by Eivind · · Score: 2, Informative
    You're right. Adding one more type of address to the list is stupid and futile, there'll always be new types of addresses.

    The correct solution (or at least the better one!) is a law similar to the Norwegian one:

    It is illegal for marketing purposes to address communications to individually addressable telecommunications-units except when either the user has given prior, informed consent, or the user is a current customer of yours.

    Applies to spam SMS, Fax, Email, voicemail, telephone etc.

    The logic behind allowing companies you're a customer of to spam you is that sometimes stuff changes in an offer that is good to inform customers of, and as a customer you've always got the option of saying: "Call me again and I'm an ex-customer" anyway.