Spit Will Be Worse Than Spam
KentuckyFC writes "A team of German computer scientists has developed a program that reproduces all the known forms of spit (spam over internet telephony) attack. Their plan is to make the spitting software available to computer security experts wanting to test antispit strategies. Developing these won't be easy. There are various antispit techniques, such as white lists that allow only calls from predetermined callers, Turing tests such as audio CAPTCHAs that make a caller prove he or she is human and payment-at-risk services where the caller makes a small payment in advance and is refunded immediately if the receiver acknowledges the call as legitimate. But all have weaknesses, say the researchers. The main difference between junk calls and junk email is that the email arrives at your mail server before you access it. This gives the server time to analyze its content and filter out the junk before it gets to you. Not so with internet telephony, which is why radically different strategies are needed."
Seems about the only way to avoid junk calls. I never answer if I don't recognize the number, and certainly not if it's private. Pisses the bank off if I forget about a payment or something, but they'll usually send postcards too. If it's a legit call and they can't be bothered to leave a message, then I can't be bothered to call them back.
Of course, once the spam bots start leaving ads in my voicemail, then I'm getting violent.
The rapid increase of telemarketing on land lines generically has spawned a whole host of solutions to this "problem", from the only marginally effective legislative angle (the US Gov't's "Do Not Call" registry) to the completely effective technical ones like Caller ID Whitelisting services offered by the telephone companies.
Ultimately, since most of the VoIP services that have any leverage just extend the PSTN to a network connected voice terminal, the solutions remain the same. Don't accept uninvited sessions from unknown hosts at the terminal. Don't ring the phone for an unknown caller ID. Direct the caller to an IVR asking them for their name, and then give the caller the opportunity to accept or reject the call.
Lastly, perhaps the most effective "anti-spam" measure for voice spam of any kind (be it conventional telemarketers or some new-fangled network-enabled approach) is the simple auto attendant. Even though I don't have numbers in the do-not-call registry (and I see suspect calls hit my Asterisk system all the time) I _NEVER_ get any spam calls. My autoattendant has a voicemail default route and no route for 0 or 1... this leaves about 99.999% of all junk calls dead in the water.
I had a whitelist for my mobile phone starting four years ago...and loved it, but lost it when I "upgraded" my phone a couple of years ago.
The capability was actually built-in to the specific Motorola mobile handset that I was using. The phone had an option to send callers directly to voice mail if they were not in my address book. It would also capture the incoming phone number in my call list. Friends and family got right through. Those whose numbers I did not have left a message...which I then added to the address book just by going to the call list and hitting "save."
The downsides:
- Calls from offices often come in with a semi-random PBX number...so even if I had my wife's or friends' office numbers in my address book, their incoming call would normally get kicked to voice mail. It actually trained them. They stopped calling from those lines and started calling me from their mobile phones.
- I had to remember to turn this feature off if I was expecting a service or delivery person to call me before they dropped by my house...because I didn't have a home phone either.
Small price to pay. That said, the "do not call" list has made my life somewhat easier...but I do miss the whitelist capability at times...and it looks like I might need it again some day according to TFA.
Scuba
While this is true, it generally takes us only a second or two to figure out that the person calling is garbage. 1) Call center background 2) Obvious headset use 3) Mispronounce name. 4) Ask who's calling, from where, and the nature of the call. At least for us we're off with the asshats in less than five seconds total.
Friends help you move. Real friends help you move bodies.
Never forget: 2 + 2 = 5 for extremely large values of 2.
I run the SIP gateway for a major university. We run the SIP gateway in such a way for other universities to bypass toll charges when we call each other. It works great -- other universities can call my email address and my desk phone will ring. The problem is that spammers (SPITters?) are now searching for the SIP TXT DNS records and spamming those domains. They set up a VoIP connection to my SIP gateway and try, one by one, to dial each number in my PBX. 0@uni.edu, 1@uni.edu, 2@uni.edu, until they start getting people. What we have seen is they play a short message (usually about 30 seconds or so) about some "male enhancement" drug or something. They fill up our trunks really quickly. The problem is, unlike real phone calls and paper marketing, there is no cost-for-entry for this type of marketing. People can have a single computer hooked up to the internet make 1,000 of calls an hour. This would normally cost you major money to run this type of call center.
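A detection sketch for the sequential dialling described in the comment above, added here as an example and not taken from the poster's gateway: it flags any source that sends INVITEs to many distinct users inside a short window. The log line format, the IP addresses, the window and the threshold are all assumptions, and the sample traffic is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (not from the post):
#   "<ISO time> <source IP> INVITE sip:<user>@<domain>"
LINE_RE = re.compile(r"^(\S+) (\S+) INVITE sips?:([^@\s]+)@\S+$")


def build_sample():
    """Constructed sample traffic: one sequential scanner and two ordinary peers."""
    base = datetime(2008, 1, 10, 3, 0, 0)
    rows = []
    for n in range(10):   # scanner walks 0@, 1@, 2@ ... every two seconds
        rows.append((base + timedelta(seconds=2 * n), "198.51.100.7", str(n)))
    for n in range(3):    # peer redialling one colleague: several calls, one target
        rows.append((base + timedelta(seconds=20 * n), "203.0.113.20", "4417"))
    for n in range(8):    # peer reaching eight people, ten minutes apart
        rows.append((base + timedelta(minutes=10 * n), "203.0.113.45", str(5000 + n)))
    rows.sort()
    return [f"{t.isoformat()} {src} INVITE sip:{user}@uni.edu" for t, src, user in rows]


def find_enumerators(lines, window=timedelta(seconds=60), max_targets=5):
    """Map source -> peak distinct targets, for sources exceeding max_targets in window."""
    recent = defaultdict(deque)          # source -> (time, target) pairs inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # not an INVITE line
        try:
            when = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue                     # unparseable timestamp
        src, target = m.group(2), m.group(3)
        q = recent[src]
        q.append((when, target))
        while when - q[0][0] > window:   # expire entries older than the window
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct > max_targets:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    for src, count in find_enumerators(build_sample()).items():
        print(f"{src}: {count} distinct extensions dialled within 60 s")
```

Counting distinct targets rather than call volume is what keeps the peer who redials one colleague, and the peer who reaches eight people over a longer period, out of the result.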
There are some parts of the world where they think it's a good idea for mobile phone owners to pay to receive calls, rather than have the caller pay for the privilege of reaching someone who is out and about.
Some even charge to receive SMS messages.
-- Soruk
From RFC 3261 (Session Initiation Protocol):
20.4 Alert-Info
When present in an INVITE request, the Alert-Info header field specifies an alternative ring tone to the UAS. When present in a 180 (Ringing) response, the Alert-Info header field specifies an alternative ringback tone to the UAC. A typical usage is for a proxy to insert this header field to provide a distinctive ring feature.
The Alert-Info header field can introduce security risks. These risks and the ways to handle them are discussed in Section 20.9, which discusses the Call-Info header field since the risks are identical.
In addition, a user SHOULD be able to disable this feature selectively.
This helps prevent disruptions that could result from the use of this header field by untrusted elements.
Example:
Alert-Info: <http://www.example.com/sounds/moo.wav>
No, they don't. You have been sucked into a mindset by those who run the central services. You can phone anyone at my house using a SIP address that looks just like an email address. It's just another protocol on the Internet and you don't need to pay a central service to use it.
A PC can't really just CALL a Voip line
Incorrect again. There doesn't need to be a "VoIP Line", it can be more akin to an open port on your home router. One that your PC can call up and play wav spam into if someone answers.
I subscribe to gateways so that I can connect to the PSTN, but I'm never required to route my calls through any particular one. I have to pay to use those gateways for in/outbound PSTN calls, but I make and receive pure Internet-only VoIP calls all the time for free without the use of a central service. Think of it like I'm serving web pages from my house or receiving SMTP messages. That is the future of Internet-based telephony.
Proprietary services like Skype and Vonage are not yet swimming in the bigger waters, despite the fact that they let you connect to the PSTN. Their kind of VoIP is still in the same mode as email was when CompuServe couldn't peer with FidoNet, which couldn't peer with GEnie, etc.
If I ever pay a central service for VoIP, it will likely be just to filter the coming SPIT.