Slashdot Mirror


Spit Will Be Worse Than Spam

KentuckyFC writes "A team of German computer scientists has developed a program that reproduces all the known forms of spit (spam over internet telephony) attack. Their plan is to make the spitting software available to computer security experts wanting to test antispit strategies. Developing these won't be easy. There are various antispit techniques, such as white lists that allow only calls from predetermined callers, Turing tests such as audio CAPTCHAs that make a caller prove he or she is human and payment-at-risk services where the caller makes a small payment in advance and is refunded immediately if the receiver acknowledges the call as legitimate. But all have weaknesses, say the researchers. The main difference between junk calls and junk email is that the email arrives at your mail server before you access it. This gives the server time to analyze its content and filter out the junk before it gets to you. Not so with internet telephony, which is why radically different strategies are needed."
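The summary's point is that a SPIT filter gets no content to inspect before the callee is disturbed, so the decision has to be made on identity and behaviour at the moment the INVITE arrives. The following is an added illustration, not code from the article or the researchers, of what that receiver-side decision looks like for one SIP INVITE: a whitelist that rings the phone, a blocklist and anonymity rule that declines, and everything else diverted to a challenge (IVR or audio CAPTCHA) before the handset rings. The SIP message, the policy lists and the `trusted_source` flag are constructed for the example.

```python
# Added example, not code from the article or any commenter: a receiver-side
# screening decision for one incoming SIP INVITE. Policy lists are constructed.
import re
from enum import Enum
from typing import Dict, Optional

class Verdict(Enum):
    RING = "ring"            # trusted caller: ring the handset straight away
    REJECT = "reject"        # blocklisted or anonymous: answer with 603 Decline
    CHALLENGE = "challenge"  # unknown: send to an IVR / audio CAPTCHA before ringing

# Constructed policy data (a real deployment would load these from the PBX).
WHITELIST = {"sip:alice@example.org", "sip:+14155550123@pstn-gw.example.net"}
BLOCKLIST = {"sip:promo@spitter.example"}

# From-header forms: '"Display" <sip:user@host>;tag=...' or a bare 'sip:user@host;tag=...'
_FROM_RE = re.compile(r'(?:"?(?P<name>[^"<]*)"?\s*)?<(?P<uri>sip:[^>]+)>|(?P<bare>sip:\S+)')

def parse_headers(invite: str) -> Dict[str, str]:
    """Map lowercase header name -> value (first occurrence wins), stopping at the
    blank line before the SDP body. The request line itself is skipped."""
    headers: Dict[str, str] = {}
    for line in invite.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers

def caller_uri(headers: Dict[str, str]) -> Optional[str]:
    """Normalise the From address of record: drop the display name, the ;tag=
    and other URI parameters, and lowercase the host (the user part is case-sensitive)."""
    m = _FROM_RE.search(headers.get("from", ""))
    if not m:
        return None
    uri = (m.group("uri") or m.group("bare")).split(";")[0]
    user, _, host = uri[len("sip:"):].partition("@")
    return "sip:%s@%s" % (user, host.lower())

def screen(invite: str, trusted_source: bool) -> Verdict:
    """Decide what to do with the INVITE before the phone rings.

    trusted_source says whether the message came from a peer that authenticated the
    caller (our own registrar, a contracted PSTN gateway). From is attacker-controlled
    on the open Internet, so a whitelist hit from an untrusted source only earns the
    challenge, never an immediate ring."""
    h = parse_headers(invite)
    uri = caller_uri(h)
    privacy = {v.strip() for v in h.get("privacy", "").split(";")}
    anonymous = uri is None or uri.endswith("@anonymous.invalid") or "id" in privacy
    if anonymous or uri in BLOCKLIST:
        return Verdict.REJECT
    if uri in WHITELIST and trusted_source:
        return Verdict.RING
    return Verdict.CHALLENGE

# Constructed INVITE (addresses are documentation/example values).
SAMPLE_INVITE = (
    "INVITE sip:me@home.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK776asdhds\r\n"
    'From: "Alice" <sip:alice@Example.org>;tag=1928301774\r\n'
    "To: <sip:me@home.example>\r\n"
    "Call-ID: a84b4c76e66710@203.0.113.7\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
)

if __name__ == "__main__":
    print(screen(SAMPLE_INVITE, trusted_source=True).value)   # ring
    print(screen(SAMPLE_INVITE, trusted_source=False).value)  # challenge
```

The weakness the researchers point at is visible in `screen`: the whitelist is only as good as the identity it is keyed on, and a From header from an unauthenticated Internet peer is free to forge, which is why the example refuses to ring on a whitelist match unless the source itself is trusted.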

28 of 248 comments

  1. #1 question by khasim · · Score: 4, Interesting

    Can this get to my regular phone or cell phone?

    If yes, then this is a problem.

    If no, then this is not that big of a problem.

    If yes, but only if the spammers (spitters?) pay for cell minutes or something, then this is not a problem at all.

    1. Re:#1 question by Hatta · · Score: 3, Insightful

      What if VOIP is your regular phone? Then it is a big problem.

      Few people use VOIP as their home phone, and problems like this will keep it that way.

      --
      Give me Classic Slashdot or give me death!
    2. Re:#1 question by wile_e_wonka · · Score: 4, Insightful

      Vonage, Skype, and MagicJack. There are plenty of people out there who use these as their "regular phone."

    3. Re:#1 question by tlhIngan · · Score: 4, Insightful

      Can this get to my regular phone or cell phone?


      That's called telemarketing. This isn't.

      This has the potential to be as bad as (or worse than) spam. Think about it - if you were telemarketing, you'd have to hire a bunch of people to work in a call center. This costs money (rent, phone lines, people).

      But over VoIP, all you need is an internet connection. Said internet connection just has to connect to a VoIP phone over some standard protocol (Skype, SIP, what have you), and blast the message away. You can convert a botnet from sending spam to sending spam via VoIP quite easily - just change the spam-mailer to a spam-over-voip thing. If your endpoint is a regular phone line to act like a POTS line, well, get a bigger answering machine. It costs little to "spit" millions of VoIP phones, and they'll be sure to try "calling" multiple times in the hopes you pick up (or someone picks up).

      It's like why the spam problem is worse than junk mail - sender has to invest in sending junk mail, while spam costs just bandwidth and botnet fees. It probably won't reach normal landlines since things like SkypeOut etc. cost money.

      About the only solution would be to ensure that whoever's calling you has a real phone number at the other end and not just an arbitrary IP address. Not sure how foolproof that is, though, or if it could be faked. Nor am I sure whether or not things like Vonage will be affected (do they allow calls from non-Vonage (IP-only) and non-incoming line (landline/cell/etc) people?).
    4. Re:#1 question by Hatta · · Score: 4, Interesting

      That's called telemarketing. This isn't.

      What's the difference?

      This has the potential to be as bad as (or worse than) spam. Think about it - if you were telemarketing, you'd have to hire a bunch of people to work in a call center. This costs money (rent, phone lines, people).

      So the difference is how many people you need to do it? Then it's just a matter of degree, and not a fundamental difference. VOIP spam is only worse than telemarketing because there's more of it.

      It's like why the spam problem is worse than junk mail - sender has to invest in sending junk mail, while spam costs just bandwidth and botnet fees. It probably won't reach normal landlines since things like SkypeOut etc. cost money.

      Funny thing is, I get a lot more paper spam than email spam. From where I stand, paper spam is a worse problem. It certainly kills a lot more trees. And I can't set up a filter for my paper spam.

      --
      Give me Classic Slashdot or give me death!
    5. Re:#1 question by ArcherB · · Score: 4, Funny

      This has the potential to be as bad as (or worse than) spam. Think about it - if you were telemarketing, you'd have to hire a bunch of people to work in a call center. This costs money (rent, phone lines, people).

      What about all those pre-recorded calls I get telling me to vote for Hillary Clinton or whoever?

      (Disclaimer: That was not a jibe at Hillary. I actually got a call from a real live person working for the Hillary campaign when my state's primaries were looming. She just started talking, so I actually thought she was a recording. I was joking with my wife about "Hillary Clinton" showing up on the caller ID and said, "I told Hill not to call me at home! I wonder if Bill knows how much she calls me? I guess what's good for the goose..." That's when the lady said, "excuse me?" I then realized she was a real person.)
      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    6. Re:#1 question by Frantix · · Score: 5, Insightful

      Actually there are a lot of people that DO use VOIP. Most of the people I know that do, use it because their main form of communication is their cell phone. They have no need for a full service (fee) home number as well.

    7. Re:#1 question by SanityInAnarchy · · Score: 4, Insightful

      If the spammers/spitters pay for the minutes, it's not a problem? Are you sure? I got 1,981 spams last night.

      If the spitters pay for the minutes, you won't get 1,981 of them.
      --
      Don't thank God, thank a doctor!
    8. Re:#1 question by Sandbags · · Score: 5, Insightful

      Well, actually, more than 2 million people in the USA alone use VoIP as their home phone.

      On to the topic at hand however...

      VoIP actually is uniquely structured as to easily be able to prevent SPIT. You see, unlike a cell phone or land line, incoming calls DO get sent through a server, like e-mail, and contrary to the article's ideas.

      For big business, running in-house VoIP systems, there is a central server, which has built in software in most cases for call screening and filtering (ShoreTel's system does, I'm sure others do). For home users, Vonage, Time Warner, and others can easily filter calls from their central systems, blocking numbers from known SPITers and from those who spoof caller ID.

      A big idea with SPIT is to get you to answer, claim to be someone you are not, demand a payment, and make money. If someone answers the call, it's an issue. Pestering rings at 4AM are a problem, but personally, I disable the VoIP box through a router rule at night, so I simply don't get calls at 4AM (though a voicemail will bounce to my computer and if it's from a whitelist caller, my computer wakes me, as it's likely a family medical issue).

      White lists are one thing, simply not answering blocked calls is another. What I do is a bit of both: I don't answer blocked calls, and any calls I get from caller ID where I don't have a name record (I save every phone number I can identify into my phone, and caller ID with name fills in the blanks). Calls from unknown local numbers that are important end up either leaving a voicemail, or I call them back. ALL calls from 800, 866, and other likely business extensions, I simply call them back to verify their identity, unless I'm expecting their call, since they rarely leave voicemail...
      I also know what companies I do and do not do business with, and since I have a strict No Telemarketing policy in my house, calls from any business I don't already do business with get a stern request to have me removed from their list (and I track who I spoke to and go after the ones that call back).

      All of this is very easy to do with a VoIP system, and much of it can be automated for businesses, or by Vonage or another VoIP provider. Cell phones and land lines offer no such luxuries, so you'd have to do it all like I do, the hard way...

      --
      There is no contest in life for which the unprepared have the advantage.
    9. Re:#1 question by Sandbags · · Score: 4, Interesting

      I doubt you'll ever see that level of activity. Remember, VoIP calls to a person have to be placed through a central service, and that service does NOT provide free toll charges to businesses the way it does to people.

      Folks on Skype, and other non-centralized VoIP (direct IP to IP calling) may be susceptible to this, but since Skype can't support e-911, it's not really an issue... IP to Vonage calls, for example, in part run across telco networks, and those incur charges. The SPITers won't be able to make good on their investment.

      Besides, the telco networks and VOIP networks would not be able to handle that volume. e-mail gets bogged down due to Spam, but calls either work or not. If this becomes an issue, the FCC will be on it lightning fast and with great ferocity. Each call is a trunk line, not a few packets...

      A PC can't really just CALL a VoIP line... The softphone, even for the very small percentage of people who use them as opposed to most people on VOIP having a hardware device, is a proprietary program, and on the back end is interfacing with an authentication system. Some random virus is not going to be able to interface with Vonage to make calls that way...

      Like I said, Skype might be a hackable system, but business VoIP is all inter-office (VPN tunnels), not open internet calls. Businesses using VOIP use PRI or BRI trunks and traditional call networks to place person to person calls (except intra/inter office over secure systems). SPITing on a business extension means placing a call through a terrestrial phone company. Those can be traced, and blocked, if abused.

      If SPITing was potentially that successful, I'd be getting 100 calls a day at my home line already.

      Also, a drone-infected PC that was SPITing, how many calls a day do you think it would be making? And how many calls a day (or at a TIME!) is it reasonable for a human to make? It should be easy for phone companies to identify drone VOIP machines and shut them down... Calling habits for a household are easy to model, and since even a telemarketer working from home has to have a business class phone license, they'll be easy to identify and eliminate false positive screenings. (Most home telemarketers run through VPN to a central switch anyway.)

      This really isn't a big deal. If they ever figure out HOW to make it a big deal, expect strict and sweeping legislation. Attacks on the US phone system are considered terrorist activity, unlike spam, which is just a civil, not even a criminal, offence in most cases. Also, VoIP is easy to trace, since it's clearly a 2 way communication requirement, unlike spam.

      DDoS is a possible abuse, but even that should not affect centralized VoIP providers and their customers (100 calls in 3 minutes? Block it. Done.)

      --
      There is no contest in life for which the unprepared have the advantage.
    10. Re:#1 question by Anonymous Coward · · Score: 4, Informative
      VoIP calls to a person have to be placed through a central service

      No, they don't. You have been sucked into a mindset by those who run the central services. You can phone anyone at my house using a SIP address that looks just like an email address. It's just another protocol on the Internet and you don't need to pay a central service to use it.


      A PC can't really just CALL a Voip line
      Incorrect again. There doesn't need to be a "VoIP Line", it can be more akin to an open port on your home router. One that your PC can call up and play wav spam into if someone answers.


      I subscribe to gateways so that I can connect to the PSTN, but I'm never required to route my calls through any particular one. I have to pay to use those gateways for in/outbound PSTN calls, but I make and receive pure Internet-only VoIP calls all the time for free without the use of a central service. Think of it like I'm serving web pages from my house or receiving SMTP messages. That is the future of Internet-based telephony.


      Proprietary services like Skype and Vonage are not yet swimming in the bigger waters, despite the fact that they let you connect to the PSTN. Their kind of VoIP is still in the same mode as email was when CompuServe couldn't peer with FidoNet, which couldn't peer with GEnie, etc.


      If I ever pay a central service for VoIP, it will likely be just to filter the coming SPIT.

  2. Call Screening by Orange+Crush · · Score: 5, Informative

    Seems about the only way to avoid junk calls. I never answer if I don't recognize the number, and certainly not if it's private. Pisses the bank off if I forget about a payment or something, but they'll usually send postcards too. If it's a legit call and they can't be bothered to leave a message, then I can't be bothered to call them back.

    Of course, once the spam bots start leaving ads in my voicemail, then I'm getting violent.

    1. Re:Call Screening by wile_e_wonka · · Score: 4, Funny

      Dad,

      Your son at college asking for money is not a "spam bot."

      -Jim

    2. Re:Call Screening by gnuman99 · · Score: 3, Interesting

      I just set up Asterisk to answer all my calls. Then it says

        "Hello, thank you for calling Blah & Bo. If you want Blah, press 1. If you want Bo, press 2"

      I get about 10-15 calls a day that hang up before even 2 seconds of the automated prompt. And these tend to call the same time each and everyday, until they give up a week or two later.

      I get NO telemarketers, EVER, as they don't really have keypads AFAIK. When I once was upgrading the Asterisk machine, it was down for 2 hours. I managed to get 2 telemarketers. I just told them to call back in the evening as I had no time. Guess what? Asterisk was up by then and they never got through! :)

  3. Spit? by truthsearch · · Score: 4, Funny

    The name leaves a bad taste in my mouth.

    (Sorry.)

  4. Spam? Spit? What's next? by oahazmatt · · Score: 5, Funny

    Spam? Spit? What's next? Spam in Everyday Reading Material?

    "I'm getting sick of the SPERM in the morning paper."

    --
    Those who believe the Internet is private,
    find their privates are on the Internet.
    1. Re:Spam? Spit? What's next? by DriedClexler · · Score: 4, Funny

      How about Spam in Object-Oriented Graphics Engines?

      "Parents! Don't let your kids buy GTA V, its graphics include SPOOGE!"
      "Okay Mr. Thompson, it's time for your meds."

      (Alright, alright, kind of strained)

      --
      Information theory is life. The rest is just the KL divergence.
  5. Old Turing Test by Thelasko · · Score: 5, Interesting

    Play a Special Information Tone before the phone starts to ring. Most autodialers won't waste their time and hang up. Humans will realize it's a fake tone and stay on the line. I don't know if it works with VoIP though.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
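The trick Thelasko describes works because an autodialer's call-progress analyser listens for the Special Information Tone and abandons the call. The following is an added example, not code from the comment, that generates the three-tone SIT as a WAV a PBX could play before ringing, and then detects it the way a dialer would, with a Goertzel filter per expected window. The (frequency, duration) values are assumed from memory of the North American SIT definition and should be checked against the telco specification before use; `write_wav`, `sit_tone` and `detect_sit` are names chosen for this example.

```python
# Added example, not from the comment: generate the SIT that Thelasko suggests playing
# before the ring, and detect it the way a dialer's call-progress analyser would.
# The three (Hz, seconds) segments are assumed from memory of the North American
# SIT definition; check them against the telco spec before relying on them.
import math
import struct
import wave
from typing import List

SAMPLE_RATE = 8000                      # narrowband telephony rate
SIT_SEGMENTS = [(985.2, 0.380), (1370.6, 0.380), (1776.7, 0.380)]  # assumed values

def tone(freq: float, seconds: float, rate: int = SAMPLE_RATE, amp: float = 0.5) -> List[float]:
    """Pure sine, samples in [-1, 1]."""
    n = int(seconds * rate)
    return [amp * math.sin(2 * math.pi * freq * i / rate) for i in range(n)]

def sit_tone(rate: int = SAMPLE_RATE) -> List[float]:
    """The three rising SIT tones back to back."""
    out: List[float] = []
    for freq, secs in SIT_SEGMENTS:
        out += tone(freq, secs, rate)
    return out

def write_wav(path: str, samples: List[float], rate: int = SAMPLE_RATE) -> None:
    """16-bit mono PCM, the format most PBXes accept for a pre-ring announcement."""
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(b"".join(struct.pack("<h", int(max(-1.0, min(1.0, s)) * 32767))
                               for s in samples))

def goertzel(samples: List[float], freq: float, rate: int = SAMPLE_RATE) -> float:
    """Power at one frequency (Goertzel algorithm): cheap enough that dialers run it
    on every call instead of a full FFT."""
    n = len(samples)
    k = int(0.5 + n * freq / rate)           # nearest DFT bin to freq
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2

def detect_sit(samples: List[float], rate: int = SAMPLE_RATE) -> bool:
    """True if each expected window is dominated by its SIT frequency: at least 15% of
    the window's energy (Parseval: sum|X|^2 = N * sum x^2) and ten times the power
    found at the other two SIT frequencies."""
    freqs = [f for f, _ in SIT_SEGMENTS]
    pos = 0
    for freq, secs in SIT_SEGMENTS:
        n = int(secs * rate)
        window = samples[pos:pos + n]
        pos += n
        if len(window) < n:
            return False
        energy = n * sum(x * x for x in window)
        power = {f: goertzel(window, f, rate) for f in freqs}
        others = max(p for f, p in power.items() if f != freq)
        if power[freq] < 0.15 * energy or power[freq] < 10.0 * others:
            return False
    return True

if __name__ == "__main__":
    write_wav("sit.wav", sit_tone())
    print(detect_sit(sit_tone()), detect_sit(tone(440.0, 1.14)))   # True False
```

The detector side is the useful half for a defender: it shows how little the dialer needs to decide the number is dead, and therefore why the tone is only a deterrent against software that bothers to run call-progress analysis at all. A spitter that blasts a recording into whatever answers, as tlhIngan describes, never listens and is not deterred.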
  6. Data is data. by khasim · · Score: 4, Insightful

    By 'Cell' I mean using Cell for traditional voice, as opposed to using the towers for data.
    If you're talking the current (3rd generation) of digital phones, there really isn't a difference between "voice" and "data" as it gets to your cell phone.
  7. Re:Server first by Nibbler999 · · Score: 4, Insightful

    The point is that the contents of the communication cannot be analysed in advance. The system doesn't know what the caller will say until the conversation has started and you have already been disturbed.

  8. How is this different than now? by faedle · · Score: 4, Informative

    The rapid increase of telemarketing on land lines generically has spawned a whole host of solutions to this "problem", from the only marginally effective legislative angle (the US Gov'ts "Do Not Call" registry) to the completely effective technical ones like Caller ID Whitelisting services offered by the telephone companies.

    Ultimately, since most of the VoIP services that have any leverage just extend the PSTN to a network connected voice terminal, the solutions remain the same. Don't accept uninvited sessions from unknown hosts at the terminal. Don't ring the phone for an unknown caller ID. Direct the caller to an IVR asking them for their name, and then give the caller the opportunity to accept or reject the call.

    Lastly, perhaps the most effective "anti-spam" measure for voice spam of any kind (be it conventional telemarketers or some new-fangled network-enabled approach) is the simple auto attendant. Even though I don't have numbers in the do-not-call registry (and I see suspect calls hit my Asterisk system all the time) I _NEVER_ get any spam calls. My autoattendant has a voicemail default route and no route for 0 or 1... this leaves about 99.999% of all junk calls dead in the water.
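gnuman99's Asterisk menu (comment 2.2 above) and faedle's auto attendant rest on the same state machine: answer, play a prompt, and only ring a human for a caller that presses a digit with a route; silence, "0 for operator" and early hangups all dead-end in voicemail. The following is an added stand-alone simulation of that attendant, not code from either comment and not an Asterisk dialplan, run against a few constructed callers. The timings, the route table and the two-second early-hangup rule (gnuman99's observation) are assumptions of the example.

```python
# Added example, not code from either comment and not an Asterisk dialplan: a
# stand-alone model of the auto-attendant gnuman99 and faedle describe, with
# assumed timings, run against a few constructed callers.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

PROMPT_SECONDS = 6.0    # assumed length of the spoken menu
INPUT_TIMEOUT = 5.0     # assumed wait for a keypress after the menu ends
ROUTES = {"1": "blah", "2": "bo"}   # keypad digit -> extension; 0 has no route
EARLY_HANGUP = 2.0      # gnuman99's observation: dialers drop before 2 s of prompt

@dataclass
class CallEvent:
    at: float           # seconds since the attendant answered
    kind: str           # "dtmf" or "hangup"
    digit: str = ""     # the key pressed, for "dtmf"

def attend(events: List[CallEvent]) -> Tuple[str, str]:
    """Run one call through the attendant. Returns (outcome, note) where outcome is
    an extension name, 'voicemail' or 'hangup'. Anything without a route, including
    silence and '0 for operator', lands in voicemail rather than ringing a phone."""
    deadline = PROMPT_SECONDS + INPUT_TIMEOUT
    for ev in sorted(events, key=lambda e: e.at):
        if ev.at > deadline:
            break
        if ev.kind == "hangup":
            if ev.at < EARLY_HANGUP:
                return "hangup", "early hangup, likely autodialer"
            return "hangup", "caller hung up"
        if ev.kind == "dtmf":
            if ev.digit in ROUTES:
                return ROUTES[ev.digit], "routed on digit " + ev.digit
            return "voicemail", "no route for digit " + ev.digit
    return "voicemail", "no input before timeout"

def suspected_dialers(call_log: List[Tuple[str, List[CallEvent]]], min_hits: int = 3) -> List[str]:
    """Caller IDs with at least min_hits early hangups: the repeat offenders that
    come back at the same time every day until they give up."""
    hits: Dict[str, int] = defaultdict(int)
    for caller_id, events in call_log:
        outcome, note = attend(events)
        if outcome == "hangup" and note.startswith("early hangup"):
            hits[caller_id] += 1
    return sorted(c for c, n in hits.items() if n >= min_hits)

# Constructed call log: one human, one predictive dialer, one silent robocall.
CALL_LOG = [
    ("+14155550111", [CallEvent(3.5, "dtmf", "2")]),     # human picks Bo
    ("+18005550199", [CallEvent(1.2, "hangup")]),        # dialer drops on hearing the menu
    ("+18005550199", [CallEvent(0.9, "hangup")]),
    ("+18005550199", [CallEvent(1.6, "hangup")]),
    ("+18665550123", []),                                # robocall, never presses a key
    ("+14155550112", [CallEvent(7.0, "dtmf", "0")]),     # wants an operator: voicemail
]

if __name__ == "__main__":
    for caller_id, events in CALL_LOG:
        print(caller_id, attend(events))
    print("suspected dialers:", suspected_dialers(CALL_LOG))   # ['+18005550199']
```

`suspected_dialers` is the part an Asterisk installation would have to bolt on from the CDR table: the attendant alone already stops the calls, but counting early hangups per caller ID is what lets you blocklist the source instead of answering it fifteen times a day.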

  9. Anecdote by Thelasko · · Score: 4, Interesting

    We had a dialer call through our company last year. It was pretty interesting. All of the phones in our company are on the same trunk. You could tell the dialer was just calling every possible number on the trunk in sequence because a wave of rings went through the office (it's normally pretty quiet). Everyone discovered they had a voicemail from "the job hotline" a little while later. The Attorney General eventually caught the guy and shut him down.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  10. Colour of bits in the packet by DrYak · · Score: 5, Insightful

    there really isn't a difference between "voice" and "data" as it gets to your cell phone.

    But once it gets to your bill, there's a difference.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Colour of bits in the packet by speculatrix · · Score: 3, Insightful

      Actually, VOIP works very well. And this is despite the lack of proper QoS management in the internet's infrastructure. However, on a large scale, VOIP only really works in a fully managed environment where you can keep voice and data traffic on separate networks, so that the low latency/low jitter needs of VOIP - which doesn't need much bandwidth - won't conflict with the uncritical high bandwidth data hog.

    2. Re:Colour of bits in the packet by Soruk · · Score: 4, Informative

      There are some parts of the world where they think it's a good idea for mobile phone owners to pay to receive calls, rather than have the caller pay for the privilege of reaching someone who is out and about.

      Some even charge to receive SMS messages.

      --
      -- Soruk
  11. The paper is stupid by tkinnun0 · · Score: 5, Insightful

    They setup a scenario where every call gives the callee a small payment, then find this weakness in it:

    "Let us even assume, that Payment at Risk is used for every call. Even in that case an attacker could circumvent it, by impersonating as another user, so that he can establish calls and shift the costs on to "normal" customers."

    Umm, if they could do that, wouldn't it be more profitable just to impersonate others and call yourself, collecting all their money?

  12. It's a Scheme to Sell Spitware to End Users by mpapet · · Score: 4, Interesting

    As someone that runs a VOIP server, I can speak from limited experience.

    1. Unlike email, The offender needs a block of voip numbers to do any meaningful spitting. Those blocks aren't as costless as sending spam. Let's argue for a minute they don't need blocks. The VOIP server should not be allowed to process more than ~2 calls out per number. That's a configuration issue. On proprietary voip server software, I don't know if that's possible, but on openser it is.

    2. This _should_ be the responsibility of the VOIP host, except we know that most current providers won't do it for free. It can, and should be automated. ex. *69 reports the call as spam. Even if the call is coming from a peering host, the source can be halted swiftly.

    3. DB queries on call volume should identify the offender within 30 minutes anyway.

    The article is an advertisement disguised as news.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
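mpapet's three points (a per-number cap on simultaneous outbound calls, provider-side automation, and a call-volume query that finds the offender within 30 minutes) and Sandbags' "100 calls in 3 minutes? Block it" are the same control seen from the provider's side: a SPIT bot looks nothing like a household on the call detail records. The following is an added example, not code from the comment or from any VoIP provider, that runs those two checks over a constructed CDR export. The CSV layout, both thresholds and the account names are assumptions of the example.

```python
# Added example, not code from mpapet's comment or from any provider: offline analysis
# of a call detail record (CDR) export on the provider side, flagging accounts that
# exceed a per-account concurrency cap or a calls-per-30-minutes budget. The CDR data
# and both thresholds are constructed/assumed.
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

MAX_CONCURRENT = 2                  # mpapet's "~2 calls out per number" (assumed cap)
WINDOW = timedelta(minutes=30)      # mpapet's "within 30 minutes"
MAX_PER_WINDOW = 20                 # assumed budget for a residential account

Cdr = Tuple[datetime, str, str, int]   # start, source account, destination, seconds

def constructed_cdr_csv() -> str:
    """Two ordinary household calls plus a bot blasting 40 numbers four at a time."""
    lines = ["start,src,dst,seconds",
             "2008-04-18T09:05:00,sip:household@home.example,+14155550123,310",
             "2008-04-18T09:47:30,sip:household@home.example,+14155550124,95"]
    base = datetime(2008, 4, 18, 9, 0, 0)
    for i in range(40):
        t = base + timedelta(seconds=6 * (i // 4))     # 4 six-second calls every 6 s
        lines.append("%s,sip:promo@spitter.example,+1415555%04d,6" % (t.isoformat(), 100 + i))
    return "\n".join(lines) + "\n"

def load_cdrs(text: str) -> List[Cdr]:
    rows: List[Cdr] = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append((datetime.fromisoformat(r["start"]), r["src"], r["dst"], int(r["seconds"])))
    return rows

def max_concurrent(calls: List[Tuple[datetime, int]]) -> int:
    """Peak number of simultaneous calls: sweep over start (+1) and end (-1) events;
    tuple ordering processes an end before a start at the same instant."""
    events = []
    for start, secs in calls:
        events.append((start, +1))
        events.append((start + timedelta(seconds=secs), -1))
    events.sort()
    cur = peak = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak

def max_in_window(starts: List[datetime], window: timedelta) -> int:
    """Most calls started within any span of length window (two-pointer sweep)."""
    starts = sorted(starts)
    j = best = 0
    for i, t in enumerate(starts):
        while starts[j] <= t - window:
            j += 1
        best = max(best, i - j + 1)
    return best

def flag_sources(cdrs: List[Cdr]) -> Dict[str, List[str]]:
    """Source account -> reasons it should be throttled or reviewed."""
    by_src: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for start, src, _dst, secs in cdrs:
        by_src[src].append((start, secs))
    flags: Dict[str, List[str]] = {}
    for src, calls in by_src.items():
        reasons = []
        peak = max_concurrent(calls)
        if peak > MAX_CONCURRENT:
            reasons.append("%d concurrent calls" % peak)
        burst = max_in_window([s for s, _ in calls], WINDOW)
        if burst > MAX_PER_WINDOW:
            reasons.append("%d calls in 30 min" % burst)
        if reasons:
            flags[src] = reasons
    return flags

if __name__ == "__main__":
    for src, why in flag_sources(load_cdrs(constructed_cdr_csv())).items():
        print(src, "->", "; ".join(why))   # sip:promo@spitter.example -> 4 concurrent calls; 40 calls in 30 min
```

The concurrency check is the one a proxy such as openser can enforce live per account; the windowed count is the after-the-fact query mpapet has in mind. The caveat tkinnun0's comment raises applies here too: if the attacker can impersonate other subscribers, the per-account numbers are spread across victims and neither threshold trips, so the provider's authentication of the source is what the analysis is really resting on.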
  13. Yeah, let's captcha the entire Internet by British · · Score: 3, Funny

    Want to view a web page? Count the super-distorted kitties in this sequence of letters, numbers & symbols on the Stargate chevrons.
    Want to leave a comment? Decrypt this email address that's worse than slashdot's email address obfuscation system, where you spend more time decrypting it than sending in a message.
    Want to create an account? Play this java applet where you have to click on the moving bunny.

    Ah, what a utopia. A whole internet that doesn't know if you are a dog, but will quiz you to make sure you are not a robot construct, or some farmer in India.