Slashdot Mirror


Spit Will Be Worse Than Spam

KentuckyFC writes "A team of German computer scientists has developed a program that reproduces all the known forms of spit (spam over internet telephony) attack. Their plan is to make the spitting software available to computer security experts wanting to test antispit strategies. Developing these won't be easy. There are various antispit techniques, such as white lists that allow only calls from predetermined callers, Turing tests such as audio CAPTCHAs that make a caller prove he or she is human and payment-at-risk services where the caller makes a small payment in advance and is refunded immediately if the receiver acknowledges the call as legitimate. But all have weaknesses, say the researchers. The main difference between junk calls and junk email is that the email arrives at your mail server before you access it. This gives the server time to analyze its content and filter out the junk before it gets to you. Not so with internet telephony, which is why radically different strategies are needed."

54 of 248 comments

  1. #1 question by khasim · · Score: 4, Interesting

    Can this get to my regular phone or cell phone?

    If yes, then this is a problem.

    If no, then this is not that big of a problem.

    If yes, but only if the spammers (spitters?) pay for cell minutes or something, then this is not a problem at all.

    1. Re:#1 question by Hatta · · Score: 3, Insightful

      What if VOIP is your regular phone? Then it is a big problem.

      Few people use VOIP as their home phone, and problems like this will keep it that way.

      --
      Give me Classic Slashdot or give me death!
    2. Re:#1 question by wile_e_wonka · · Score: 4, Insightful

      Vonage, Skype, and MagicJack. There are plenty of people out there who use these as their "regular phone."

    3. Re:#1 question by tlhIngan · · Score: 4, Insightful

      Can this get to my regular phone or cell phone?


      That's called telemarketing. This isn't.

      This has the potential to be as bad as (or worse) than spam. Think about it - if you were telemarketing, you'd have to hire a bunch of people to work in a call center. This costs money (rent, phone lines, people).

      But over VoIP, all you need is an internet connection. Said internet connection just has to connect to a VoIP phone over some standard protocol (Skype, SIP, what have you), and blast the message away. You can convert a botnet from sending spam to sending spam via VoIP quite easily - just change the spam-mailer to a spam-over-voip thing. If your endpoint is a regular phone line to act like a POTS line, well, get a bigger answering machine. It costs little to "spit" millions of VoIP phones, and they'll be sure to try "calling" multiple times in the hopes you pick up (or someone picks up).

      It's like why the spam problem is worse than junk mail - sender has to invest in sending junk mail, while spam costs just bandwidth and botnet fees. It probably won't reach normal landlines since things like SkypeOut etc. cost money.

      About the only solution would be to ensure that whoever's calling you has a real phone number at the other end and not just an arbitrary IP address. Not sure how foolproof that is, though or if it could be faked. Nor am I sure whether or not things like Vonage will be affected (do they allow calls from non-Vonage (IP-only) and non-incoming line (landline/cell/etc) people?).
    4. Re:#1 question by Hatta · · Score: 4, Interesting

      That's called telemarketing. This isn't.

      What's the difference?

      This has the potential to be as bad as (or worse) than spam. Think about it - if you were telemarketing, you'd have to hire a bunch of people to work in a call center. This costs money (rent, phone lines, people).

      So the difference is how many people you need to do it? Then it's just a matter of degree, and not a fundamental difference. VOIP spam is only worse than telemarketing because there's more of it.

      It's like why the spam problem is worse than junk mail - sender has to invest in sending junk mail, while spam costs just bandwidth and botnet fees. It probably won't reach normal landlines since things like SkypeOut etc. cost money.

      Funny thing is, I get a lot more paper spam than email spam. From where I stand, paper spam is a worse problem. It certainly kills a lot more trees. And I can't set up a filter for my paper spam.

      --
      Give me Classic Slashdot or give me death!
    5. Re:#1 question by ArcherB · · Score: 4, Funny

      This has the potential to be as bad as (or worse) than spam. Think about it - if you were telemarketing, you'd have to hire a bunch of people to work in a call center. This costs money (rent, phone lines, people).

      What about all those pre-recorded calls I get telling me to vote for Hillary Clinton or whoever?

      (Disclaimer: That was not a jibe at Hillary. I actually got a call from a real live person working for the Hillary campaign when my state's primaries were looming. She just started talking, so I actually thought she was a recording. I was joking with my wife about "Hillary Clinton" showing up on the caller ID and said, "I told Hill not to call me at home! I wonder if Bill knows how much she calls me? I guess what's good for the goose..." That's when the lady said, "excuse me?" I then realized she was a real person.)
      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    6. Re:#1 question by Frantix · · Score: 5, Insightful

      Actually there are a lot of people that DO use VOIP. Most of the people I know that do, use it because their main form of communication is their cell phone. They have no need for a full service (fee) home number as well.

    7. Re:#1 question by SanityInAnarchy · · Score: 2

      VOIP spam is only worse than telemarketing because there's more of it.

      That, and because legislation wouldn't do shit to stop it.

      With telemarketing, I can put myself on the national do-not-call registry, and I can tell individual telemarketers to take me off their list. And because there's a real call center, there's almost certainly an actual corporation that I can track down.

      With VOIP spam, all the same rules that make normal spam unaffected by legislation still apply. There's enough more of it that I can't just hang up. So there would likely be just as much VOIP spam as email spam -- but you can't really set up a filter on VOIP spam, either, or at least, not a content-based filter.
      --
      Don't thank God, thank a doctor!
    8. Re:#1 question by SanityInAnarchy · · Score: 4, Insightful

      If the spammers/spitters pay for the minutes, it's not a problem? Are you sure? I got 1,981 spams last night

      If the spitters pay for the minutes, you won't get 1,981 of them.
      --
      Don't thank God, thank a doctor!
    9. Re:#1 question by Anonymous Coward · · Score: 2, Interesting

      I can't say I ever saw a commercial for Skype or even heard of MagicJack. As far as Vonage is concerned, I have actually seen their commercial.

      The problem with Vonage is that I've also seen their 1/2 infomercial. Trying to sell your product using infomercials completely destroys your credibility in my eyes. I will never trust a product I've seen in an infomercial**. I am sure I am not alone.

      And, no, thankfully I was smart enough that I did not have to learn that the hard way.

          **Except for (maybe) the Little Giant Ladder. I've had hands-on and they are actually pretty well built.

    10. Re:#1 question by brianosaurus · · Score: 2, Interesting

      I've "solved" my junkmail problem by putting a recycling bin by my front door. I let the mail collect by the door for a week, then on trash day I go through the pile, separating the bills and throwing everything else in the recycler without even bothering to open them. It's absurd.

      My email still gets spam, but spamassassin and Apple's junkmail filter do a pretty good job of hiding most of it. Hitting "delete" a few times a day is annoying, but tolerable, especially since I don't constantly check email, so I can batch delete the spams that slip through. I don't check for false positives anymore, since about 97% of my email is spam (I get over 1000 spams a day.. it's ridiculous), so false positives are rare and too hard to find.

      As for the phone, I don't answer my home phone anymore. The last time I did, it was "Jill with a recorded message from ". F That. I keep the phoneline for my alarm system, and to receive faxes. In fact, the fax machine is what answers calls, which has done more to eliminate telemarketing calls than any of the "pay extra to not be annoyed" extortion services offered by Qwest.

      If I start getting spam calls on my cell phone, my cellular provider will either fix it or lose my business.

      I already filter calls based on the caller ID. If I don't recognize the caller (or I'm not expecting an unknown caller... like when I'm expecting a call from a delivery driver), I don't answer. If it's important, they'll probably leave a message and I'll check it later. I don't think I've had more than one or two spam calls on my cell phone for as long as I can remember.

      I check my voicemail maybe once a week, but only when I suspect there's an important message. I wish I had the iPhone's "Visual Voicemail", since then I could selectively listen to the important message and delete all the, "Hi. it's me. call me back" messages that are redundant with the missed call log. I wish providers would enable that feature for other phones (and I really hope Apple doesn't have some retarded patent on the "technology").

      If VoIP spit starts clogging my voicemail, I'll just stop checking it, period. In fact I'll ask my provider to remove voicemail from my account, and if they cannot do it, I'll switch to a carrier that can. I already consider voicemail an inconvenient, inefficient means of communication, so I really wouldn't miss it.

      I'm still dumbfounded that spam (and junkmail, and etc) are viable businesses.

      --
      blog
    11. Re:#1 question by Sandbags · · Score: 5, Insightful

      Well, actually, more than 2 million people in the USA alone use VoIP as their home phone.

      On to the topic at hand however...

      VoIP actually is uniquely structured as to easily be able to prevent SPIT. You see, unlike a cell phone or land line, incoming calls DO get sent through a server, like e-mail, and contrary to the article's ideas.

      For big business, running in-house VoIP systems, there is a central server, which has built in software in most cases for call screening and filtering (ShoreTel's system does, I'm sure others do). For home users, Vonage, Time Warner, and others can easily filter calls from their central systems, blocking numbers from known SPITers and from those who spoof caller ID.

      A big idea with SPIT is to get you to answer, claim to be someone you are not, demand a payment, and make money. If someone answers the call, it's an issue. Pestering rings at 4AM are a problem, but personally, I disable the VoIP box through a router rule at night, so I simply don't get calls at 4AM (though a voicemail will bounce to my computer and if it's from a whitelist caller, my computer wakes me, as it's likely a family medical issue).

      White lists are one thing, simply not answering blocked calls is another. What I do is a bit of both: I don't answer blocked calls, and any calls I get from caller ID where I don't have a name record (I save every phone number I can identify into my phone, and caller ID with name fills in the blanks). Calls from unknown local numbers that are important end up either leaving a voicemail, or I call them back. ALL calls from 800, 866, and other likely business extensions, I simply call them back to verify their identity, unless I'm expecting their call, since they rarely leave voicemail...
      I also know what companies I do and do not do business with, and since I have a strict No Telemarketing policy in my house, calls from any business I don't already do business with get a stern request to have me removed from their list (and I track who I spoke to and go after the ones that call back).

      All of this is very easy to do with a VoIP system, and much of it can be automated for businesses, or by Vonage or another VoIP Provider. Cell phones and land lines offer no such luxuries, so you'd have to do it all like I do, the hard way...

      --
      There is no contest in life for which the unprepared have the advantage.
    12. Re:#1 question by legirons · · Score: 2, Insightful

      It all sounds so easy when there are only a few calls per day.

      When it becomes anything like regular spam, you'd be receiving 20 calls per minute continuously from automated processes (e.g. perhaps from other broadband users running Windows, including your family, colleagues, and business contacts) - then it would take a lot more effort to block everything correctly

    13. Re:#1 question by Sandbags · · Score: 4, Interesting

      I doubt you'll ever see that level of activity. Remember, VoIP calls to a person have to be placed through a central service, and that service does NOT provide free toll charges to businesses the way it does to people.

      Folks on Skype, and other non-centralized VoIP (direct IP to IP calling) may be susceptible to this, but since Skype can't support e-911, it's not really an issue... IP to Vonage calls, for example, in part run across telco networks, and those incur charges. The SPITers won't be able to make good on their investment.

      Besides, the Telco networks and VOIP networks would not be able to handle that volume. e-mail gets bogged down due to Spam, but calls either work or not. If this becomes an issue, the FCC will be on it lightning fast and with great ferocity. Each call is a trunk line, not a few packets...

      A PC can't really just CALL a Voip line... The softphone, even for the very small percentage of people who use them as opposed to most people on VOIP having a hardware device, is a proprietary program, and on the back end is interfacing with an authentication system. Some random virus is not going to be able to interface with Vonage to make calls that way...

      Like I said, Skype might be a hackable system, but business voip is all inter-office (VPN tunnels) not open internet calls. Businesses using VOIP use PRI or BRI trunks and traditional call networks to place person to person calls (except intra/inter office over secure systems). SPITing on a business extension means placing a call through a terrestrial phone company. Those can be traced, and blocked, if abused.

      If SPITing was potentially that successful, I'd be getting 100 calls a day at my home line already.

      Also, a Drone infected PC that was SPITing, how many calls a day do you think it would be making? and how many calls a day (or at a TIME!) is it reasonable for a human to make? It should be easy for phone companies to identify drone VOIP machines and shut them down... Calling habits for a household are easy to model, and since even a telemarketer working from home has to have a business class phone license, they'll be easy to identify and eliminate false positive screenings. (most home telemarketers run through VPN to a central switch anyway).

      This really isn't a big deal. If they ever figure out HOW to make it a big deal, expect strict and sweeping legislation. Attacks on the US phone system are considered terrorist activity, unlike spam which is just a civil, not even criminal, in most cases offence. Also, VoIP is easy to trace, since it's clearly a 2 way communication requirement, unlike spam.

      DDoS is a possible abuse, but even that should not affect centralized VoIP providers and their customers (100 calls in 3 minutes? block it. Done.)

      --
      There is no contest in life for which the unprepared have the advantage.
    14. Re:#1 question by Anonymous Coward · · Score: 4, Informative
      VoIP calls to a person have to be placed through a central service

      No, they don't. You have been sucked into a mindset by those who run the central services. You can phone anyone at my house using a SIP address that looks just like an email address. It's just another protocol on the Internet and you don't need to pay a central service to use it.


      A PC can't really just CALL a Voip line
      Incorrect again. There doesn't need to be a "VoIP Line", it can be more akin to an open port on your home router. One that your PC can call up and play wav spam into if someone answers.


      I subscribe to gateways so that I can connect to the PSTN, but I'm never required to route my calls through any particular one. I have to pay to use those gateways for in/outbound PSTN calls, but I make and receive pure Internet-only VoIP calls all the time for free without the use of a central service. Think of it like I'm serving web pages from my house or receiving SMTP messages. That is the future of Internet-based telephony.


      Proprietary services like Skype and Vonage are not yet swimming in the bigger waters, despite the fact that they let you connect to the PSTN. Their kind of VoIP is still in the same mode as email was when CompuServe couldn't peer with FidoNet, which couldn't peer with GEnie, etc.


      If I ever pay a central service for VoIP, it will likely be just to filter the coming SPIT.

  2. Call Screening by Orange+Crush · · Score: 5, Informative

    Seems about the only way to avoid junk calls. I never answer if I don't recognize the number, and certainly not if it's private. Pisses the bank off if I forget about a payment or something, but they'll usually send postcards too. If it's a legit call and they can't be bothered to leave a message, then I can't be bothered to call them back.

    Of course, once the spam bots start leaving ads in my voicemail, then I'm getting violent.

    1. Re:Call Screening by geekoid · · Score: 2, Informative

      "Of course, once the spam bots start leaving ads in my voicemail, then I'm getting violent."
      You know that's going to happen.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Call Screening by wile_e_wonka · · Score: 4, Funny

      Dad,

      Your son at college asking for money is not a "spam bot."

      -Jim

    3. Re:Call Screening by gnuman99 · · Score: 3, Interesting

      I just set up Asterisk to answer all my calls. Then it says

        "Hello, thank you for calling Blah & Bo. If you want Blah, press 1. If you want Bo, press 2"

      I get about 10-15 calls a day that hang up before even 2 seconds of the automated prompt. And these tend to call the same time each and every day, until they give up a week or two later.

      I get NO telemarketers, EVER, as they don't really have keypads AFAIK. When I once was upgrading the Asterisk machine, it was down for 2 hours. I managed to get 2 telemarketers. I just told them to call back in the evening as I had no time. Guess what? Asterisk was up by then and they never got through! :)

  3. Spit? by truthsearch · · Score: 4, Funny

    The name leaves a bad taste in my mouth.

    (Sorry.)

    1. Re:Spit? by A+beautiful+mind · · Score: 2, Funny

      Is that you, Monica?

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    2. Re:Spit? by javaxjb · · Score: 2, Funny

      No, it's Colonel Angus.

      --
      Programmers in mirror are brighter than they appear
  4. Spam? Spit? What's next? by oahazmatt · · Score: 5, Funny

    Spam? Spit? What's next? Spam in Everyday Reading Material?

    "I'm getting sick of the SPERM in the morning paper."

    --
    Those who believe the Internet is private,
    find their privates are on the Internet.
    1. Re:Spam? Spit? What's next? by DriedClexler · · Score: 4, Funny

      How about Spam in Object-Oriented Graphics Engines?

      "Parents! Don't let your kids buy GTA V, its graphics include SPOOGE!"
      "Okay Mr. Thompson, it's time for your meds."

      (Alright, alright, kind of strained)

      --
      Information theory is life. The rest is just the KL divergence.
    2. Re:Spam? Spit? What's next? by MightyYar · · Score: 2, Insightful

      Spam doesn't mean anything, so why should the term for the VOIP stuff have to be an acronym? We should just pick another nasty, maligned meat product. I vote scrapple.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  5. Re:Spit contains more germs by geekoid · · Score: 2, Funny

    And SPAM contains enlarged organs! hmm I sense some sort of Soylent green thing going on.

    Soylent green: Tastes different from person to person.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  6. Obvious, simple, solution. (Quick! Patent it!) by ivan256 · · Score: 2, Interesting

    Arrange the usage of internet telephony over e-mail, SMS, or IM before initiating or accepting a call.

    The intrusive nature of the required synchronicity of telephony is unacceptable anyway. It always has been. Hence the invention of call-screening devices, caller-ID, answering machines/voice mail, etc...

    If you weren't expecting the call, don't answer it. Then you won't have to give anybody money for yet another "security" product.

    1. Re:Obvious, simple, solution. (Quick! Patent it!) by aaarrrgggh · · Score: 2, Insightful

      Works great for individuals, not so well for businesses. You never know when a lead will come in, and you have to be careful how much effort you put a potential customer through.

    2. Re:Obvious, simple, solution. (Quick! Patent it!) by MikeyTheK · · Score: 2, Informative

      While this is true, it generally takes us only a second or two to figure out that the person calling is garbage. 1) Call center background 2) Obvious headset use 3) Mispronounce name. 4) Ask who's calling, from where, and the nature of the call. At least for us we're off with the asshats in less than five seconds total.

      --
      Friends help you move. Real friends help you move bodies.
      Never forget: 2 + 2 = 5 for extremely large values of 2.
  7. Old Turing Test by Thelasko · · Score: 5, Interesting

    Play a Special Information Tone before the phone starts to ring. Most autodialers won't waste their time and hang up. Humans will realize it's a fake tone and stay on the line. I don't know if it works with VoIP though.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    1. Re:Old Turing Test by stdarg · · Score: 2, Funny

      Back in high school, my friend's sister made a brilliant answering machine message. She made a recording of their normal answering machine message, which then became interrupted as if someone picked up the phone. There was a voice saying "Hello? Hello? Just a second the machine picked up..." while the original message kept playing in the background.

  8. Data is data. by khasim · · Score: 4, Insightful

    By 'Cell' I mean using Cell for traditional voice, as opposed to using the towers for data.
    If you're talking the current (3rd generation) of digital phones, there really isn't a difference between "voice" and "data" as it gets to your cell phone.
  9. Re:Server first by Nibbler999 · · Score: 4, Insightful

    The point is that the contents of the communication cannot be analysed in advance. The system doesn't know what the caller will say until the conversation has started and you have already been disturbed.

  10. How is this different than now? by faedle · · Score: 4, Informative

    The rapid increase of telemarketing on land lines generically has spawned a whole host of solutions to this "problem", from the only marginally effective legislative angle (the US Gov'ts "Do Not Call" registry) to the completely effective technical ones like Caller ID Whitelisting services offered by the telephone companies.

    Ultimately, since most of the VoIP services that have any leverage just extend the PSTN to a network connected voice terminal, the solutions remain the same. Don't accept uninvited sessions from unknown hosts at the terminal. Don't ring the phone for an unknown caller ID. Direct the caller to an IVR asking them for their name, and then give the caller the opportunity to accept or reject the call.

    Lastly, perhaps the most effective "anti-spam" measure for voice spam of any kind (be it conventional telemarketers or some new-fangled network-enabled approach) is the simple auto attendant. Even though I don't have numbers in the do-not-call registry (and I see suspect calls hit my Asterisk system all the time) I _NEVER_ get any spam calls. My autoattendant has a voicemail default route and no route for 0 or 1.. this leaves about 99.999% of all junk calls dead in the water.

  11. Anecdote by Thelasko · · Score: 4, Interesting

    We had a dialer call through our company last year. It was pretty interesting. All of the phones in our company are on the same trunk. You could tell the dialer was just calling every possible number on the trunk in sequence because a wave of rings went through the office (it's normally pretty quiet). Everyone discovered they had a voicemail from "the job hotline" a little while later. The Attorney General eventually caught the guy and shut him down.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    1. Re:Anecdote by zobier · · Score: 2, Interesting

      Here we've had auto diallers that "prank", i.e. hang up after one ring in an apparent attempt to get you to call back at your expense. That was even funnier with the sequential numbers on our pbx; chirp, chirp, chirp... around the office in quick succession.

      --
      Me lost me cookie at the disco.
  12. Colour of bits in the packet by DrYak · · Score: 5, Insightful

    there really isn't a difference between "voice" and "data" as it gets to your cell phone.

    But once it gets to your bill, there's a difference.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Colour of bits in the packet by speculatrix · · Score: 3, Insightful

      actually, VOIP works very well. and this is despite the lack of proper QoS management in the internet's infrastructure. however, on a large scale, VOIP only really works in a fully managed environment where you can keep voice and data traffic on separate networks, so that the low latency/low jitter needs of VOIP - which doesn't need much bandwidth - won't conflict with the uncritical high bandwidth data hog.

    2. Re:Colour of bits in the packet by StonedRat · · Score: 2, Interesting

      You pay to receive calls?

      --
      "Religion is the most malevolent of all mind viruses." - Arthur C. Clarke.
    3. Re:Colour of bits in the packet by Soruk · · Score: 4, Informative

      There are some parts of the world where they think it's a good idea for mobile phone owners to pay to receive calls, rather than have the caller pay for the privilege of reaching someone who is out and about.

      Some even charge to receive SMS messages.

      --
      -- Soruk
  13. Re:Server first by aaarrrgggh · · Score: 2, Interesting

    For first-time callers, you need a little bit of an IVR front end, ideally some kind of TellMe system. Then you have additional information about a caller before it rings your extension, and if it is really advanced it can determine who the call actually goes to. If the caller is accepted as legitimate, it gets added to the whitelist, if it is rejected (by a human) it goes to the blacklist. Everything else stays greylisted.
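
The screening flow described in this comment and in the auto-attendant comments above (whitelist rings, blacklist is rejected, everyone else meets an IVR first), as an added example that is not part of the original thread. The class, method names and SIP addresses are hypothetical and constructed for illustration.

```python
from enum import Enum


class Action(Enum):
    RING = "ring extension"
    IVR = "send to IVR"
    VOICEMAIL = "voicemail"
    REJECT = "reject"


class CallScreener:
    """Whitelist/blacklist/greylist call screening (hypothetical names)."""

    def __init__(self, whitelist=(), blacklist=()):
        self.whitelist = set(whitelist)
        self.blacklist = set(blacklist)
        self.announced = {}  # caller -> name captured by the IVR

    def on_invite(self, caller):
        """First decision, made before any phone rings."""
        if caller in self.blacklist:
            return Action.REJECT
        if caller in self.whitelist:
            return Action.RING
        # Greylisted: unknown callers and withheld caller ID (None).
        return Action.IVR

    def on_ivr_done(self, caller, pressed, expected, name):
        """Second decision, after the IVR asked for a keypress and a name."""
        if pressed != expected:
            # Silent or wrong key: default route, the phone never rings
            # and the caller stays greylisted.
            return Action.VOICEMAIL
        self.announced[caller] = name
        return Action.RING

    def on_verdict(self, caller, accepted):
        """The callee accepts or rejects a call the IVR announced."""
        self.announced.pop(caller, None)
        if caller is None:
            return  # a withheld ID cannot be listed; it stays greylisted
        if accepted:
            self.blacklist.discard(caller)
            self.whitelist.add(caller)
        else:
            self.whitelist.discard(caller)
            self.blacklist.add(caller)


def demo():
    """Run constructed calls through the screener; return the decisions."""
    s = CallScreener(whitelist={"sip:mom@home.example"})
    log = []

    # Known caller rings straight through.
    log.append(s.on_invite("sip:mom@home.example"))

    # Autodialer: reaches the IVR, presses nothing, is still grey next time.
    dialer = "sip:dialer@bulk.example"
    log.append(s.on_invite(dialer))
    log.append(s.on_ivr_done(dialer, pressed=None, expected="2", name=None))
    log.append(s.on_invite(dialer))

    # First-time human caller: passes the IVR, is accepted, then whitelisted.
    courier = "sip:courier@parcel.example"
    log.append(s.on_invite(courier))
    log.append(s.on_ivr_done(courier, pressed="2", expected="2", name="courier"))
    s.on_verdict(courier, accepted=True)
    log.append(s.on_invite(courier))

    # Human telemarketer: passes the IVR, is rejected, then blacklisted.
    sales = "sip:sales@pitch.example"
    log.append(s.on_invite(sales))
    log.append(s.on_ivr_done(sales, pressed="2", expected="2", name="sales"))
    s.on_verdict(sales, accepted=False)
    log.append(s.on_invite(sales))

    # Withheld caller ID: even after being accepted once, it meets the IVR again.
    log.append(s.on_invite(None))
    s.on_verdict(None, accepted=True)
    log.append(s.on_invite(None))
    return [a.name for a in log]


if __name__ == "__main__":
    print(demo())
```

The lists are keyed on the presented caller identity, so the scheme is only as strong as that identity is hard to spoof.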

  14. So easy to fix by Sloppy · · Score: 2, Interesting

    Like cryptography, authentication must also be a part of the protocols used in future voice communication. Fortunately, the same tech happens to help with both.

    Once you have a solid identity for the caller, they can be looked up somehow, and either be classed as someone you know (i.e. have personally vetted as human) or delegated through a WoT as probably human, or determined to be "nobody."

    The reason this is a problem for current VoIP and POTS is merely that those things happen to suck due to legacy interoperability, CALEA, etc.

    I really do think those concerns will eventually be left behind. Just like PGP over email, though, there will be social resistance (or inertia, at least). But the very problem being discussed here (phone spam being more annoying than email spam) will make securing voice more attractive to the mainstream, than securing email was.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  15. among their findings: by circletimessquare · · Score: 2, Insightful

    inventing cutesy acronyms (like "spit") vastly increases awareness in the media and in funding

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  16. The paper is stupid by tkinnun0 · · Score: 5, Insightful

    They set up a scenario where every call gives the callee a small payment, then find this weakness in it:

    "Let us even assume, that Payment at Risk is used for every call. Even In that case an attacker could circumvent it, by impersonating as another user, so that he can establish calls and shift the costs on to “normal” customers."

    Umm, if they could do that, wouldn't it be more profitable just to impersonate others and call yourself, collecting all their money?

  17. Re:SPIT will rock !!!! by Zibri · · Score: 2, Insightful

    The cost to send out spam is extremely small. If only, say 0,1%, of the sent mails leads to an order the margin is met. You will not be able to educate those 0,1%. Some always slip through.

  18. It's a Scheme to Sell Spitware to End Users by mpapet · · Score: 4, Interesting

    As someone that runs a VOIP server, I can speak from limited experience.

    1. Unlike email, the offender needs a block of voip numbers to do any meaningful spitting. Those blocks aren't as costless as sending spam. Let's argue for a minute they don't need blocks. The VOIP server should not be allowed to process more than ~2 calls out per number. That's a configuration issue. On proprietary voip server software, I don't know if that's possible, but on openser it is.

    2. This _should_ be the responsibility of the VOIP host, except we know that most current providers won't do it for free. It can, and should be automated. ex. *69 reports the call as spam. Even if the call is coming from a peering host, the source can be halted swiftly.

    3. DB queries on call volume should identify the offender within 30 minutes anyway.

    The article is an advertisement disguised as news.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  19. Yeah, let's captcha the entire Internet by British · · Score: 3, Funny

    Want to view a web page? Count the super-distorted kitties in this sequence of letters, numbers & symbols on the Stargate chevrons.
    Want to leave a comment? Decrypt this email address that's worse than slashdot's email address obfuscation system, where you spend more time decrypting it than sending in a message.
    Want to create an account? Play this java applet where you have to click on the moving bunny.

    Ah, what a utopia. A whole internet that doesn't know if you are a dog, but will quiz you to make sure you are not a robot construct, or some farmer in India.

  20. Re:Call Screening - Whitelist by scuba_steve_1 · · Score: 2, Informative

    I had a whitelist for my mobile phone starting four years ago...and loved it, but lost it when I "upgraded" my phone a couple of years ago.

    The capability was actually built-in to the specific Motorola mobile handset that I was using. The phone had an option to send callers directly to voice mail if they were not in my address book. It would also capture the incoming phone number in my call list. Friends and family got right through. Those whose numbers I did not have left a message...which I then added to the address book just by going to the call list and hitting "save."

    The downsides:

    - Calls from offices often come in with a semi-random PBX number...so even if I had my wife's or friends' office numbers in my address book, their incoming call would normally get kicked to voice mail. It actually trained them. They stopped calling from those lines and started calling me from their mobile phones.

    - I had to remember to turn this feature off if I was expecting a service or delivery person to call me before they dropped by my house...because I didn't have a home phone either.

    Small price to pay. That said, the "do not call" list has made my life somewhat easier...but I do miss the whitelist capability at times...and it looks like I might need it again some day according to TFA.

    Scuba

  21. It already is a problem by quetwo · · Score: 2, Informative

    I run the SIP gateway for a major university. We run the SIP gateway in such a way for other universities to bypass toll charges when we call each other. It works great -- other universities can call my email address and my desk phone will ring. The problem is that spammers (SPITters?) are now searching for the SIP TXT DNS records and spamming those domains. They set up a VoIP connection to my SIP gateway and try, one-by-one, to dial each number in my PBX. 0@uni.edu, 1@uni.edu, 2@uni.edu, until they start getting people. What we have seen is they play a short message (usually about 30 seconds or so) about some "male enhancement" drug or something. They fill up our trunks really quickly. The problem is, unlike real phone calls and paper marketing, there is no cost-for-entry for this type of marketing. People can have a single computer hooked up to the internet make 1,000 of calls an hour. This would normally cost you major money to run this type of call center.
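A detection sketch for the one-by-one dialing pattern described in the comment above, as an added example that is not part of the original post. The log line format, thresholds and sample entries are constructed assumptions; a source is flagged when it dials a long run of consecutive numeric users and most of its attempts hit non-existent extensions (404).

```python
import re
from collections import defaultdict

# Assumed log format: "<epoch> <source ip> INVITE sip:<user>@<domain> <status>"
LINE = re.compile(r"^(\d+) (\S+) INVITE sip:([^@\s]+)@(\S+) (\d{3})$")

# Constructed sample: one source walks 0..9, another makes ordinary calls.
SAMPLE_LOG = (
    [f"{1000 + n} 203.0.113.7 INVITE sip:{n}@uni.edu {'200' if n in (3, 7) else '404'}"
     for n in range(10)]
    + ["1100 198.51.100.20 INVITE sip:5551@uni.edu 200",
       "1160 198.51.100.20 INVITE sip:5560@uni.edu 200",
       "1200 198.51.100.20 INVITE sip:helpdesk@uni.edu 200"]
)

def longest_consecutive_run(numbers):
    """Length of the longest run n, n+1, n+2, ... contained in a set of ints."""
    best = 0
    for n in numbers:
        if n - 1 in numbers:
            continue  # n is not the start of a run
        length = 1
        while n + length in numbers:
            length += 1
        best = max(best, length)
    return best

def enumeration_sources(lines, min_run=5, min_miss_ratio=0.5):
    """Map source IP -> longest consecutive run, for sources that look like scanners."""
    dialed, total, missed = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not INVITE records
        _, src, user, _, status = m.groups()
        total[src] += 1
        missed[src] += status == "404"
        if user.isdecimal():
            dialed[src].add(int(user))
    flagged = {}
    for src, numbers in dialed.items():
        run = longest_consecutive_run(numbers)
        if run >= min_run and missed[src] / total[src] >= min_miss_ratio:
            flagged[src] = run
    return flagged

if __name__ == "__main__":
    print(enumeration_sources(SAMPLE_LOG))
```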

  22. Just, please, no SIP Alert-Info header! by Bookwyrm · · Score: 2, Informative

    A major issue for end users will be if they use a SIP client/soft phone that actually pays attention to the (rather moronic) Alert-Info (or Call-Info) header. If anyone gets a SIP client out into the wild that actually implements Alert-Info, every hacker and spammer on the planet will be trying to figure out ways to trick the security on the SIP client into paying attention to their Alert-Info.

    From RFC 3261 (Session Initiation Protocol):

    20.4 Alert-Info

          When present in an INVITE request, the Alert-Info header field
          specifies an alternative ring tone to the UAS. When present in a 180
          (Ringing) response, the Alert-Info header field specifies an
          alternative ringback tone to the UAC. A typical usage is for a proxy
          to insert this header field to provide a distinctive ring feature.

          The Alert-Info header field can introduce security risks. These
          risks and the ways to handle them are discussed in Section 20.9,
          which discusses the Call-Info header field since the risks are
          identical.

          In addition, a user SHOULD be able to disable this feature
          selectively.

                This helps prevent disruptions that could result from the use of
                this header field by untrusted elements.

          Example:

                Alert-Info: <http://www.example.com/sounds/moo.wav>
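One way a client or edge proxy could honor the RFC's "disable this feature selectively" advice quoted above, as an added example that is not part of the original comment or of any SIP stack. The function name, the trusted-proxy set and the sample INVITE are constructed assumptions; the filter drops Alert-Info and Call-Info, including folded continuation lines, unless the request arrived from a trusted proxy.

```python
RISKY_HEADERS = {"alert-info", "call-info"}  # neither has a compact form in RFC 3261

# Constructed INVITE with a mixed-case, folded Alert-Info and a Call-Info header.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n"
    "From: <sip:alice@example.net>;tag=1\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: constructed-1@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "ALERT-INFO: <http://www.example.com/sounds/moo.wav>,\r\n"
    "  <http://www.example.com/sounds/moo2.wav>\r\n"
    "Call-Info: <http://www.example.com/alice/photo.jpg>;purpose=icon\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def strip_untrusted_media_headers(raw, peer_ip, trusted_proxies):
    """Return (message, removed header names); trusted peers pass unchanged."""
    if peer_ip in trusted_proxies:
        return raw, []
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept, removed, dropping = [lines[0]], [], False  # keep the request line
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            # Folded continuation: it shares the fate of the header it continues.
            if not dropping:
                kept.append(line)
            continue
        name = line.split(":", 1)[0].strip().lower()  # header names are case-insensitive
        dropping = name in RISKY_HEADERS
        if dropping:
            removed.append(name)
        else:
            kept.append(line)
    # The body is untouched, so Content-Length stays valid.
    return "\r\n".join(kept) + sep + body, removed

if __name__ == "__main__":
    cleaned, dropped = strip_untrusted_media_headers(SAMPLE_INVITE, "192.0.2.10", {"198.51.100.1"})
    print(dropped)
    print(cleaned)
```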
  23. iPhone visual voicemail by SethJohnson · · Score: 2, Interesting

    I wish I had the iPhone's "Visual Voicemail", since then I could selectively listen to the important message and delete all the, "Hi. its me. call me back" messages that are redundant with the missed call log.

    That is the killer app on the iPhone. It's the single reason I bought the thing. It has lived up to my expectations, too.

    Seth

  24. Known unknowns by AlpineR · · Score: 2, Insightful

    I disable the VoIP box through a router rule at night, so I simply don't get calls at 4AM (though a voicemail will bounce to my computer and if it's from a whitelist caller, my computer wakes me, as it's likely a family medical issue.

    That sounds great as long as the VoIP box is being used by a tech savvy person like you. And as long as the emergency call originates from your family member's home and not an unfamiliar cell phone, pay phone, hospital phone, jail phone, friend's phone....

  25. Re:Call Screening - Whitelist by nfk · · Score: 2, Funny

    Yeah, and let's make bets while we're at it. Who'll get to the house first, the fire or the firemen?

  26. Solution: Use audio captcha at the handshake level by bergeron76 · · Score: 2, Interesting

    Since this is a real-time negotiation taking place, it will be much easier to include a challenge/response in the "handshake" portion of the connection.

    Unlike email (which gets queued), voice requires an instant connection between endpoints. If you simply used an audio captcha ("Hi, please say my first name after the beep to be connected..."), you can create a hurdle that has to be overcome immediately. Using VOX/IVR technology would easily create an AI nightmare for potential "SPITers". Add a short timeout (like 10 seconds or [with a few retries]) and then dump the dubious caller.

    Corporations do it to us all the time when we call customer service "I'm sorry, that's not a valid option. Goodbye".

    --
    Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.