
Spit Will Be Worse Than Spam

KentuckyFC writes "A team of German computer scientists has developed a program that reproduces all the known forms of spit (spam over internet telephony) attack. Their plan is to make the spitting software available to computer security experts wanting to test antispit strategies. Developing these won't be easy. There are various antispit techniques, such as white lists that allow only calls from predetermined callers, Turing tests such as audio CAPTCHAs that make a caller prove he or she is human and payment-at-risk services where the caller makes a small payment in advance and is refunded immediately if the receiver acknowledges the call as legitimate. But all have weaknesses, say the researchers. The main difference between junk calls and junk email is that the email arrives at your mail server before you access it. This gives the server time to analyze its content and filter out the junk before it gets to you. Not so with internet telephony, which is why radically different strategies are needed."
  • #1 question (Score:5, Interesting)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Thursday June 12, 2008 @10:08AM (#23764325)
    Can this get to my regular phone or cell phone?

    If yes, then this is a problem.

    If no, then this is not that big of a problem.

    If yes, but only if the spammers (spitters?) pay for cell minutes or something, then this is not a problem at all.
    • by geekoid ( 135745 )
      It will be a big problem. VOIP makes a lot more sense than Cell.

      By 'Cell' I mean using Cell for traditional voice, as opposed to using the towers for data.

    • Re:#1 question (Score:4, Insightful)

      by Hatta ( 162192 ) on Thursday June 12, 2008 @10:18AM (#23764495) Journal
      What if VOIP is your regular phone? Then it is a big problem.

      Few people use VOIP as their home phone, and problems like this will keep it that way.
      • Re:#1 question (Score:5, Insightful)

        by Frantix ( 1043000 ) on Thursday June 12, 2008 @11:27AM (#23765655) Homepage
        Actually there are a lot of people that DO use VOIP. Most of the people I know that do, use it because their main form of communication is their cell phone. They have no need for a full service (fee) home number as well.
      • Re:#1 question (Score:5, Insightful)

        by Sandbags ( 964742 ) on Thursday June 12, 2008 @12:49PM (#23767243) Journal
        Well, actually, more than 2 million people in the USA alone use VoIP as their home phone.

        On to the topic at hand however...

        VoIP actually is uniquely structured as to easily be able to prevent SPIT. You see, unlike a cell phone or land line, incoming calls DO get sent through a server, like e-mail, and contrary to the article's ideas.

        For big business, running in-house VoIP systems, there is a central server, which has built in software in most cases for call screening and filtering (ShoreTel's system does, I'm sure others do). For home users, Vonage, Time Warner, and others can easily filter calls from their central systems, blocking numbers from known SPITers and from those who spoof caller ID.

        A big idea with SPIT is to get you to answer, claim to be someone you are not, demand a payment, and make money. If someone answers the call, it's an issue. Pestering rings at 4AM are a problem, but personally, I disable the VoIP box through a router rule at night, so I simply don't get calls at 4AM (though a voicemail will bounce to my computer and if it's from a whitelist caller, my computer wakes me, as it's likely a family medical issue).

        White lists are one thing, simply not answering blocked calls is another. What I do is a bit of both: I don't answer blocked calls, and any calls I get from caller ID where I don't have a name record (I save every phone number I can identify into my phone, and caller ID with name fills in the blanks). Calls from unknown local numbers that are important end up either leaving a voicemail, or I call them back. ALL calls from 800, 866, and other likely business extensions, I simply call them back to verify their identity, unless I'm expecting their call, since they rarely leave voicemail...
        I also know what companies I do and do not do business with, and since I have a strict No Telemarketing policy in my house, calls from any business I don't already do business with get a stern request to have me removed from their list (and I track who I spoke to and go after the ones that call back).

        All of this is very easy to do with a VoIP system, and much of it can be automated for businesses, or by Vonage or another VoIP Provider. Cell phones and land lines offer no such luxuries, so you'd have to do it all like I do, the hard way...
        • Re: (Score:3, Insightful)

          by legirons ( 809082 )
          It all sounds so easy when there are only a few calls per day.

          When it becomes anything like regular spam, you'd be receiving 20 calls per minute continuously from automated processes (e.g. perhaps from other broadband users running Windows, including your family, colleagues, and business contacts) - then it would take a lot more effort to block everything correctly.
          • Re:#1 question (Score:5, Interesting)

            by Sandbags ( 964742 ) on Thursday June 12, 2008 @01:57PM (#23768371) Journal
            I doubt you'll ever see that level of activity. Remember, VoIP calls to a person have to be placed through a central service, and that service does NOT provide free toll charges to businesses the way it does to people.

            Folks on Skype, and other non-centralized VoIP (direct IP to IP calling) may be susceptible to this, but since Skype can't support e-911, it's not really an issue... IP to Vonage calls, for example, in part run across telco networks, and those incur charges. The SPITers won't be able to make good on their investment.

            Besides, the Telco networks and VOIP networks would not be able to handle that volume. e-mail gets bogged down due to Spam, but calls either work or not. If this becomes an issue, the FCC will be on it lightning fast and with great ferocity. Each call is a trunk line, not a few packets...

            A PC can't really just CALL a Voip line... The softphone, even for the very small percentage of people who use them as opposed to most people on VOIP having a hardware device, is a proprietary program, and on the back end is interfacing with an authentication system. Some random virus is not going to be able to interface with Vonage to make calls that way...

            Like I said, Skype might be a hackable system, but business voip is all inter-office (VPN tunnels) not open internet calls. Businesses using VOIP use PRI or BRI trunks and traditional call networks to place person to person calls (except intra/inter office over secure systems). SPITing on a business extension means placing a call through a terrestrial phone company. Those can be traced, and blocked, if abused.

            If SPITing was potentially that successful, I'd be getting 100 calls a day at my home line already.

            Also, a Drone infected PC that was SPITing, how many calls a day do you think it would be making? and how many calls a day (or at a TIME!) is it reasonable for a human to make? It should be easy for phone companies to identify drone VOIP machines and shut them down... Calling habits for a household are easy to model, and since even a telemarketer working from home has to have a business class phone license, they'll be easy to identify and eliminate false positive screenings. (most home telemarketers run through VPN to a central switch anyway).

            This really isn't a big deal. If they ever figure out HOW to make it a big deal, expect strict and sweeping legislation. Attacks on the US phone system are considered terrorist activity, unlike spam which is just a civil, not even criminal, in most cases offence. Also, VoIP is easy to trace, since it's clearly a 2 way communication requirement, unlike spam.

            DDoS is a possible abuse, but even that should not affect centralized VoIP providers and their customers (100 calls in 3 minutes? block it. Done.)
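Added example, not part of the original comment or any provider's code: a sliding-window check for the "100 calls in 3 minutes" rule above, extended with a per-callee count to cover the many-sources case raised elsewhere in this thread. The record format, SIP addresses and function names are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 180   # "3 minutes" from the comment above
MAX_CALLS = 100        # "100 calls" from the comment above


def parse_record(line):
    """Parse one constructed call record: '<epoch_seconds> <caller> <callee>'."""
    ts, caller, callee = line.split()
    return int(ts), caller, callee


class SlidingCounter:
    """Counts events per key inside a trailing time window."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def add(self, key, ts):
        q = self.events[key]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and q[0] <= ts - self.window:
            q.popleft()
        return len(q)


def detect(lines, max_calls=MAX_CALLS, window=WINDOW_SECONDS):
    """Return (blocked_callers, flooded_callees) for time-ordered records.

    blocked_callers: sources that placed more than max_calls within the window.
    flooded_callees: destinations that received more than max_calls within the
    window from callers that were not individually blocked, which is the
    many-sources pattern a per-caller limit cannot see.
    """
    per_caller = SlidingCounter(window)
    per_callee = SlidingCounter(window)
    blocked, flooded = set(), set()
    for line in lines:
        ts, caller, callee = parse_record(line)
        if caller in blocked:
            continue  # already blocked, the call never reaches the callee
        if per_caller.add(caller, ts) > max_calls:
            blocked.add(caller)
            continue
        if per_callee.add(callee, ts) > max_calls:
            flooded.add(callee)
    return blocked, flooded


def build_sample():
    """Constructed sample traffic (not real call data)."""
    rows = []
    # One source placing a call every second for 150 seconds.
    for i in range(150):
        rows.append((1000 + i, "sip:bulk@example.net", f"sip:user{i % 50}@example.org"))
    # A household placing five calls spread over several hours.
    for i in range(5):
        rows.append((1000 + i * 3600, "sip:home@example.org", "sip:friend@example.org"))
    # 300 distinct sources, one call each, all to the same callee within a minute.
    for i in range(300):
        rows.append((5000 + i // 5, f"sip:bot{i}@example.net", "sip:alice@example.org"))
    rows.sort()
    return [f"{ts} {caller} {callee}" for ts, caller, callee in rows]


if __name__ == "__main__":
    blocked, flooded = detect(build_sample())
    print("blocked callers:", sorted(blocked))
    print("flooded callees:", sorted(flooded))
```

The per-caller limit blocks the single bulk source and leaves the household alone, while only the per-callee count notices the 300 one-call sources.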
            • Re:#1 question (Score:4, Informative)

              by Anonymous Coward on Thursday June 12, 2008 @04:21PM (#23770603)
              VoIP calls to a person have to be placed through a central service

              No, they don't. You have been sucked into a mindset by those who run the central services. You can phone anyone at my house using a SIP address that looks just like an email address. It's just another protocol on the Internet and you don't need to pay a central service to use it.


              A PC can't really just CALL a Voip line
              Incorrect again. There doesn't need to be a "VoIP Line", it can be more akin to an open port on your home router. One that your PC can call up and play wav spam into if someone answers.


              I subscribe to gateways so that I can connect to the PSTN, but I'm never required to route my calls through any particular one. I have to pay to use those gateways for in/outbound PSTN calls, but I make and receive pure Internet-only VoIP calls all the time for free without the use of a central service. Think of it like I'm serving web pages from my house or receiving SMTP messages. That is the future of Internet-based telephony.


              Proprietary services like Skype and Vonage are not yet swimming in the bigger waters, despite the fact that they let you connect to the PSTN. Their kind of VoIP is still in the same mode as email was when CompuServe couldn't peer with FidoNet, which couldn't peer with GEnie, etc.


              If I ever pay a central service for VoIP, it will likely be just to filter the coming SPIT.

        • Known unknowns (Score:3, Insightful)

          by AlpineR ( 32307 )

          I disable the VoIP box through a router rule at night, so I simply don't get calls at 4AM (though a voicemail will bounce to my computer and if it's from a whitelist caller, my computer wakes me, as it's likely a family medical issue).

          That sounds great as long as the VoIP box is being used by a tech savvy person like you. And as long as the emergency call originates from your family member's home and not an unfamiliar cell phone, pay phone, hospital phone, jail phone, friend's phone....

    • Re:#1 question (Score:5, Insightful)

      by wile_e_wonka ( 934864 ) on Thursday June 12, 2008 @10:42AM (#23764891)
      Vonage, Skype, and MagicJack. There are plenty of people out there who use these as their "regular phone."
      • Re: (Score:2, Interesting)

        by Anonymous Coward
        I can't say I ever saw a commercial for Skype or even heard of MagicJack. As far as Vonage is concerned, I have actually seen their commercial.

        The problem with Vonage is that I've also seen their 1/2 infomercial. Trying to sell your product using infomercials completely destroys your credibility in my eyes. I will never trust a product I've seen in an infomercial**. I am sure I am not alone.

        And, no, thankfully I was smart enough that I did not have to learn that the hard way.

        **Except for
        • That's actually kind of a strange philosophy you have there.

          Just making sure I understand you, the only thing you have ever bought that had an infomercial you like, but you don't believe that anything else you have ever seen on an infomercial would be acceptable.

          Now, I'm not saying that most of the stuff on infomercials isn't crap, but if you know of one exception, what makes you think that there aren't any more?
    • Re:#1 question (Score:5, Insightful)

      by tlhIngan ( 30335 ) <slashdot@worf.ERDOSnet minus math_god> on Thursday June 12, 2008 @10:45AM (#23764951)

      Can this get to my regular phone or cell phone?


      That's called telemarketing. This isn't.

      This has the potential to be as bad as (or worse) than spam. Think about it - if you were telemarketing, you'd have to hire a bunch of people to work in a call center. This costs money (rent, phone lines, people).

      But over VoIP, all you need is an internet connection. Said internet connection just has to connect to a VoIP phone over some standard protocol (Skype, SIP, what have you), and blast the message away. You can convert a botnet from sending spam to sending spam via VoIP quite easily - just change the spam-mailer to a spam-over-voip thing. If your endpoint is a regular phone line to act like a POTS line, well, get a bigger answering machine. It costs little to "spit" millions of VoIP phones, and they'll be sure to try "calling" multiple times in the hopes you pick up (or someone picks up).

      It's like why the spam problem is worse than junk mail - sender has to invest in sending junk mail, while spam costs just bandwidth and botnet fees. It probably won't reach normal landlines since things like SkypeOut etc. cost money.

      About the only solution would be to ensure that whoever's calling you has a real phone number at the other end and not just an arbitrary IP address. Not sure how foolproof that is, though or if it could be faked. Nor am I sure whether or not things like Vonage will be affected (do they allow calls from non-Vonage (IP-only) and non-incoming line (landline/cell/etc) people?).
      • Re:#1 question (Score:5, Interesting)

        by Hatta ( 162192 ) on Thursday June 12, 2008 @11:01AM (#23765227) Journal
        That's called telemarketing. This isn't.

        What's the difference?

        This has the potential to be as bad as (or worse) than spam. Think about it - if you were telemarketing, you'd have to hire a bunch of people to work in a call center. This costs money (rent, phone lines, people).

        So the difference is how many people you need to do it? Then it's just a matter of degree, and not a fundamental difference. VOIP spam is only worse than telemarketing because there's more of it.

        It's like why the spam problem is worse than junk mail - sender has to invest in sending junk mail, while spam costs just bandwidth and botnet fees. It probably won't reach normal landlines since things like SkypeOut etc. cost money.

        Funny thing is, I get a lot more paper spam than email spam. From where I stand, paper spam is a worse problem. It certainly kills a lot more trees. And I can't set up a filter for my paper spam.
        • VOIP spam is only worse than telemarketing because there's more of it.

          That, and because legislation wouldn't do shit to stop it.

          With telemarketing, I can put myself on the national do-not-call registry, and I can tell individual telemarketers to take me off their list. And because there's a real call center, there's almost certainly an actual corporation that I can track down.

          With VOIP spam, all the same rules that make normal spam unaffected by legislation still apply. There's enough more of it that I can't just hang up. So there would likely be just as much VOIP spam as e

        • The difference is that it's free to send the calls, not that it can be pre-recorded. Another difference is that it can be done tracelessly through bot networks.

          It's already illegal in most jurisdictions (in the US) to telemarket with pre-recorded messages. This has teeth with a regular phone call because the phone company is pretty careful about being able to bill people that use its network, and if you can bill them, you can track them down.

          And... regular (illegal) pre-recorded telephone spam still cos

      • by ArcherB ( 796902 ) on Thursday June 12, 2008 @11:16AM (#23765493) Journal

        This has the potential to be as bad as (or worse) than spam. Think about it - if you were telemarketing, you'd have to hire a bunch of people to work in a call center. This costs money (rent, phone lines, people).
        What about all those pre-recorded calls I get telling me to vote for Hillary Clinton or whoever?

        (Disclaimer: That was not a jibe at Hillary. I actually got a call from a real live person working for the Hillary campaign when my state's primaries were looming. She just started talking, so I actually thought she was a recording. I was joking with my wife about "Hillary Clinton" showing up on the caller ID and said, "I told Hill not to call me at home! I wonder if Bill knows how much she calls me? I guess what's good for the goose..." That's when the lady said, "excuse me?" I then realized she was a real person.)
      • The only real fight against it is to educate everyone about it. The only reason spam is so successful is because grandma still clicks on the ads. So with a recorded message hopefully it will be easier for grandma to just hear the message and hang up. No need to reply or show the spitter that there is interest and hopefully the people paying the spitters will see that it's a waste of money. *crosses fingers*
        • Totally. I'm still amazed when my parents tell me how many emails they get in their "junk mail" box and that they actually spend time looking through them to delete them. No matter how many times I tell them to just let it go, they keep looking.

          On the flip side, I've looked in my junkmail box a few times, usually when I add some new anti-spam rule and want to make sure it's not overreaching, or when my mom says my aunt emailed me and I never replied. Turns out her message was a false positive, got filed in
      • Re: (Score:3, Interesting)

        by brianosaurus ( 48471 )
        I've "solved" my junkmail problem by putting a recycling bin by my front door. I let the mail collect by the door for a week, then on trash day I go through the pile, separating the bills and throwing everything else in the recycler without even bothering to open them. It's absurd.

        My email still gets spam, but spamassassin and Apple's junkmail filter do a pretty good job of hiding most of it. Hitting "delete" a few times a day is annoying, but tolerable, especially since I don't constantly check email, so
    • by AMuse ( 121806 )
      If yes, but only if the spammers (spitters?) pay for cell minutes or something, then this is not a problem at all.

      If the spammers/spitters pay for the minutes, it's not a problem? Are you sure? I got 1,981 spams last night - about one every 45 seconds (math in head not exact). Do you think you would use a cell phone if it got telemarketed to once every 45 seconds, or just turn it off? And if you just turn it off, how does your family/friend/etc get ahold of you?
      • Re:#1 question (Score:5, Insightful)

        by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Thursday June 12, 2008 @11:33AM (#23765779) Journal

        If the spammers/spitters pay for the minutes, it's not a problem? Are you sure? I got 1,981 spams last night
        If the spitters pay for the minutes, you won't get 1,981 of them.
        • by AMuse ( 121806 )
          Good point! I do not know where my brain is today...
        • by Intron ( 870560 )
          Why not? Do you think that people who hack other people's computers to send spam would not be willing to hack other people's phone IDs and use their minutes?
      • It's simple economics. Let's assume sending one spam e-mail costs .02 cents to a spammer. A sale of the advertised product brings in $8 while (I'll go with the unlikely case of the spammer actually shipping) costing only $1. Additionally, re-sale of the CC number and personal data bring in another $3.
        To make ends meet, the spammer would have to make one sale for every batch of 50,000 messages.
        Now using up his airtime/minutes, OTOH, a call may very well cost him $.02, (contrary to what Verizon [verizonmath.com] thinks) a hu
        • (I completely forgot one factor: The U.S.' um.. "interesting" system of free calls.)
          Unlike the local short-distance POTS (on which you tend to get harassed by robodialers as well as Hillary C.), your cell operator charges the operator of whomever's calling you a few (fractions of) cents per minute, so cells are very likely to be spared.
    • I think it can... I've been getting spammed by Spanish-speaking callers selling Mexican phone cards. The caller ID reads 000-000-0000
  • Call Screening (Score:5, Informative)

    by Orange Crush ( 934731 ) * on Thursday June 12, 2008 @10:09AM (#23764345)

    Seems about the only way to avoid junk calls. I never answer if I don't recognize the number, and certainly not if it's private. Pisses the bank off if I forget about a payment or something, but they'll usually send postcards too. If it's a legit call and they can't be bothered to leave a message, then I can't be bothered to call them back.

    Of course, once the spam bots start leaving ads in my voicemail, then I'm getting violent.

    • Re: (Score:3, Informative)

      by geekoid ( 135745 )
      "Of course, once the spam bots start leaving ads in my voicemail, then I'm getting violent."
      You know that's going to happen.

      • If that starts happening, cellular providers/voicemail providers can simply let you vote to have that number blocked. If they get a trigger value of no votes, it gets blocked network wide. Feedback would be quick, number would be blocked, so when they move to the next number to call from, it too will get blocked.

        Groupsourcing the identification of spitters would be easy enough, or so it would seem.

        Ideas anyone?
        • That always requires the spammer to use a true caller ID. There's enough spoofing software out there, and since it's incoming VOIP there's no way to verify the sender like you'd have with an old fashioned incoming phone call via a fixed line.
          I realize I have to find a way to "skip" messages in my voice inbox, right now my service only lets me delete stuff AFTER I fully listened to it. Highly annoying.
          • There's enough spoofing software out there, and since it's incoming VOIP there's no way to verify the sender like you'd have with an old fashioned incoming phone call via a fixed line.

            Well, my POTS Caller ID often times either comes up as Blocked Call or something weird, and I simply don't answer those calls. While it may be trivial for them to spoof a phone number, it is not trivial to find a number that I will trust (say, a friend or relative). That does somewhat limit the threat.

            Still, it doesn't m

          • there's no way to verify the sender like you'd have with an old fashioned incoming phone call via a fixed line.
            It would be possible to use public key cryptography, with certificates issued and maintained by the carriers through trusted roots, and digital signatures to make spoofing impossible or at least highly impractical.
        • If that starts happening, cellular providers/voicemail providers can simply let you vote to have that number blocked.
          Works for POTS. Won't work at all for real VOIP -- that "number" would be an IP address, one of thousands in a botnet.
      • by ceoyoyo ( 59147 )
        It already does. Congratulations! You've won an all expense paid cruise in the Caribbean! Press one to accept!

        My stupid bank called my cell to offer me some identity theft protection. I hung up on them. Then they called back the next day and had the nerve to say I'd asked them to.

        Telemarketers aren't a VOIP problem, they're a problem, period.

        Having said that, I'm going to write a VOIP application that only allows you to complete a call if you transfer five cents to the receiver.
    • by Hatta ( 162192 )
      I already get spam bots leaving messages on my POTS answering machine.
    • by us7892 ( 655683 )
      My current VOIP settings allow me to filter by number, and dump callers to busy signal, msg, blocked message, etc. I have about 20 numbers in my list right now. And I add a new number about once a month. Not too bad.

    • Indeed I'm already using a rather aggressive stance : I reject calls with no caller ID, I don't have any voicemail, I take names and complain for every single spammy call (which are actually very rare - maybe one every two months). But ultimately, whitelisting will be unavoidable and other callers will get screened. Collaborative blacklisting will also be needed - the email experience will help set up systems for that.
      • Caller ID is spoofed as easily as a MAC address.
        Taking names and complaining about this Spit will work just as well as it does for spam. Not. Remember, it's happening on the internet, not POTS.
        Collaborative blacklisting will be as difficult as it is for email since most Spitters will be zombies in large botnets.
        • Whitelists would work for VoIP for the same reasons and with the same effectiveness as email-from whitelists -- faking the source address only help if you know which address(es) are accepted in the first place. I may be predictable, but I'm not predictable enough for a spam robot to guess the email address and phone numbers of my friends.
    • by garcia ( 6573 )
      Of course, once the spam bots start leaving ads in my voicemail, then I'm getting violent.

      You mean like Justice A Clothing Store for Girls [lazylightning.org] already does? They aren't alone however, most of the time I have a message from some carpet cleaner or other douchebag company that leaves no contact information except a reminder to get my fucking carpets cleaned.

      I am seriously considering unplugging the fucking answering machine now too.
    • If it's a legit call and they can't be bothered to leave a message, then I can't be bothered to call them back.

      You're lucky that you've never encountered a voice spam that waits for the initial greeting, and then plays back a pre-recorded message. Sometimes if you answer the phone without saying anything, it will just be silent, but most people answer the phone with "hello."

    • I stopped using voicemail long time ago, simply because people are too stupid to use it effectively.

      • After a meeting or something I would have 10 empty messages in my voicemail. Since I had no way to know they were empty I had to listen to and delete every single one of them.
      • Every time I left a message in someone's voicemail the person would either not listen to it or, even worse, listen and ignore. This, even for important/urgent matters.
      • You should set your voicemail server to delete messages less than say, 3 seconds in duration, and to print the duration of other messages in the text section of the associated message, so you know what to expect before listening.
    • Re:Call Screening (Score:4, Interesting)

      by gnuman99 ( 746007 ) on Thursday June 12, 2008 @01:25PM (#23767871)
      I just set up Asterisk to answer all my calls. Then it says

        "Hello, thank you for calling Blah & Bo. If you want Blah, press 1. If you want Bo, press 2"

      I get about 10-15 calls a day that hang up before even 2 seconds of the automated prompt. And these tend to call the same time each and every day, until they give up a week or two later.

      I get NO telemarketers, EVER, as they don't really have keypads AFAIK. When I once was upgrading the Asterisk machine, it was down for 2 hours. I managed to get 2 telemarketers. I just told them to call back in the evening as I had no time. Guess what? Asterisk was up by then and they never got through! :)
  • Squirt to spit...
  • Spit? (Score:5, Funny)

    by truthsearch ( 249536 ) on Thursday June 12, 2008 @10:10AM (#23764355) Homepage Journal
    The name leaves a bad taste in my mouth.

    (Sorry.)
  • by oahazmatt ( 868057 ) on Thursday June 12, 2008 @10:11AM (#23764369) Journal
    Spam? Spit? What's next? Spam in Everyday Reading Material?

    "I'm getting sick of the SPERM in the morning paper."
    • by DriedClexler ( 814907 ) on Thursday June 12, 2008 @10:17AM (#23764481)
      How about Spam in Object-Oriented Graphics Engines?

      "Parents! Don't let your kids buy GTA V, its graphics include SPOOGE!"
      "Okay Mr. Thompson, it's time for your meds."

      (Alright, alright, kind of strained)
    • Re: (Score:3, Insightful)

      by MightyYar ( 622222 )
      Spam doesn't mean anything, so why should the term for the VOIP stuff have to be an acronym? We should just pick another nasty, maligned meat product. I vote scrapple [wikipedia.org].
      • I vote for Klik [mapleleaf.com]. As a bonus, it's an onomatopoeia for the sound of hanging up the phone.
    • Spam? Spit? What's next? Spam in Everyday Reading Material?

      "I'm getting sick of the SPERM in the morning paper."
      Spam it all to hell!
  • by ivan256 ( 17499 ) on Thursday June 12, 2008 @10:14AM (#23764429)
    Arrange the usage of internet telephony over e-mail, SMS, or IM before initiating or accepting a call.

    The intrusive nature of the required synchronicity of telephony is unacceptable anyway. It always has been. Hence the invention of call-screening devices, caller-ID, answering machines/voice mail, etc...

    If you weren't expecting the call, don't answer it. Then you won't have to give anybody money for yet another "security" product.
    • Re: (Score:3, Insightful)

      by aaarrrgggh ( 9205 )
      Works great for individuals, not so well for businesses. You never know when a lead will come in, and you have to be careful how much effort you put a potential customer through.
      • Re: (Score:3, Informative)

        by MikeyTheK ( 873329 )
        While this is true, it generally takes us only a second or two to figure out that the person calling is garbage. 1) Call center background 2) Obvious headset use 3) Mispronounce name. 4) Ask who's calling, from where, and the nature of the call. At least for us we're off with the asshats in less than five seconds total.
      • by ivan256 ( 17499 )
        Honestly, if you're that worried an extra step will scare off a lead, you should deal with the spam calls. This problem is only interesting the other way around. (Businesses spamming individuals)
    • by Rary ( 566291 )

      Arrange the usage of internet telephony over e-mail, SMS, or IM before initiating or accepting a call. ... If you weren't expecting the call, don't answer it.

      That's not so good when an old friend I'd lost contact with passes through town and decides to look me up in the phone book. Or when my girlfriend is traveling through Europe and calls from assorted hostels whenever she gets the opportunity. Or when a relative calls from the hospital pay phone to tell me to get down there right away to say goodbye to Grandma, who probably won't live through the night.

      I don't want unexpected calls from spammers/spitters/telemarketers/whatever, but I absolutely want unexpe

  • Old Turing Test (Score:5, Interesting)

    by Thelasko ( 1196535 ) on Thursday June 12, 2008 @10:18AM (#23764493) Journal
    Play a Special Information Tone [wikipedia.org] before the phone starts to ring. Most autodialers won't waste their time and hang up. Humans will realize it's a fake tone and stay on the line. I don't know if it works with VoIP though.
    • VoIP isn't synchronous like autodialers so they don't have much to lose by ignoring those tones.
  • by faedle ( 114018 ) on Thursday June 12, 2008 @10:29AM (#23764691) Homepage Journal
    The rapid increase of telemarketing on land lines generically has spawned a whole host of solutions to this "problem", from the only marginally effective legislative angle (the US Gov'ts "Do Not Call" registry) to the completely effective technical ones like Caller ID Whitelisting services offered by the telephone companies.

    Ultimately, since most of the VoIP services that have any leverage just extend the PSTN to a network connected voice terminal, the solutions remain the same. Don't accept uninvited sessions from unknown hosts at the terminal. Don't ring the phone for an unknown caller ID. Direct the caller to an IVR asking them for their name, and then give the caller the opportunity to accept or reject the call.

    Lastly, perhaps the most effective "anti-spam" measure for voice spam of any kind (be it conventional telemarketers or some new-fangled network-enabled approach) is the simple auto attendant. Even though I don't have numbers in the do-not-call registry (and I see suspect calls hit my Asterisk system all the time) I _NEVER_ get any spam calls. My autoattendant has a voicemail default route and no route for 0 or 1.. this leaves about 99.999% of all junk calls dead in the water.
    • While I agree that telemarketing has come to be quite annoying (I am in Canada), there is one big difference here: telemarketing is pretty much only free if you are calling from the same area code. That puts a fairly natural cap on the amount of telemarketing: once a marketing call costs even just a few cents, it mostly isn't going to be worth it, since the hit rate is just too low. Countries where you have to pay for local phone calls do not tend to have telemarketing at all.

      Contrast this with SPIT, where
  • It's called headhunters.

    Will deal with it in much the same way; known bad callers go directly to the honeypot, known good callers go through. Unknown callers will need some kind of probabilistic assessment as to how much IVR and call screening you put them through.
  • Anecdote (Score:5, Interesting)

    by Thelasko ( 1196535 ) on Thursday June 12, 2008 @10:35AM (#23764781) Journal
    We had a dialer call through our company last year. It was pretty interesting. All of the phones in our company are on the same trunk. You could tell the dialer was just calling every possible number on the trunk in sequence because a wave of rings went through the office (it's normally pretty quiet). Everyone discovered they had a voicemail from "the job hotline" a little while later. The Attorney General eventually caught the guy and shut him down.
    • Re: (Score:3, Interesting)

      by zobier ( 585066 )
      Here we've had auto diallers that "prank", i.e. hang up after one ring in an apparent attempt to get you to call back at your expense. That was even funnier with the sequential numbers on our pbx; chirp, chirp, chirp... around the office in quick succession.
  • So what happened to the do not call list? It has worked wonders the last few years eliminating virtually all telemarketers from calling any of my phones.
    • The do-not-call list works because the POTS network has limited points of entry - the telcos know who is calling (or at least where they're calling from), and the callers have to pay phone charges as well. If someone is found to be violating the do-not-call list, the FCC can easily track down and fine/prosecute them.

      With VOIP, the network is open. For the most part, this is good - we have the potential to completely do away with phone charges - but, like email, there's no way to identify the source of a cal
      • It only works for folks who choose to comply. Folks that ignore the list and spoof their caller id can't be dealt with. In my case there was also a telemarketer who was calling because I was on a list from my mortgage company. I repeatedly told them to put me on their do not call list, reported them to the Do Not Call website, and called the mortgage company to complain. It still took 14 months to get them to stop.
  • This gives the server time to analyze its content and filter out the junk before it gets to you. Not so with internet telephony which is why radically different strategies are needed

    Or, you can just treat your phone as a verbal "inbox", and never actually answer it in person. Back before the Do Not Call registry, I know quite a few people who took that approach (myself included, to some degree).

    Telemarketers will almost never actually leave a message, and the few who do, you can instantly detect and d
  • So easy to fix (Score:3, Interesting)

    by Sloppy ( 14984 ) on Thursday June 12, 2008 @10:56AM (#23765121) Homepage Journal

    Like cryptography, authentication must also be a part of the protocols used in future voice communication. Fortunately, the same tech happens to help with both.

    Once you have a solid identity for the caller, they can be looked up somehow, and either be classed as someone you know (i.e. have personally vetted as human) or delegated through a WoT as probably human, or determined to be "nobody."

    The reason this is a problem for current VoIP and POTS is merely that those things happen to suck due to legacy interoperability, CALEA, etc.

    I really do think those concerns will eventually be left behind. Just like PGP over email, though, there will be social resistance (or inertia, at least). But the very problem being discussed here (phone spam being more annoying than email spam) will make securing voice more attractive to the mainstream, than securing email was.

  • inventing cutesy acronyms (like "spit") vastly increases awareness in the media and in funding
  • by tkinnun0 ( 756022 ) on Thursday June 12, 2008 @10:58AM (#23765171)
    They set up a scenario where every call gives the callee a small payment, then find this weakness in it:

    "Let us even assume, that Payment at Risk is used for every call. Even In that case an attacker could circumvent it, by impersonating as another user, so that he can establish calls and shift the costs on to “normal” customers."

    Umm, if they could do that, wouldn't it be more profitable just to impersonate others and call yourself, collecting all their money?
  • First the obvious: Have a white list tied with caller ID.

    Next: Be able to exclude out of "area" calls (I get to define what the "area" is)

    Next: For non-white listed numbers, have the disconnect signal sent (The three tone noise followed by "The number you have reached..."), followed by a question that requires a human to answer in a timely manner:

    Examples:
    ...Enter 1234 backwards
    ...Enter the sum of 1000 plus 1
    ...Enter the number one thousand followed by the number you dialed
    ...Enter the area code
  • by mpapet ( 761907 ) on Thursday June 12, 2008 @11:18AM (#23765527) Homepage
    As someone that runs a VOIP server, I can speak from limited experience.

    1. Unlike email, the offender needs a block of voip numbers to do any meaningful spitting. Those blocks aren't as costless as sending spam. Let's argue for a minute they don't need blocks. The VOIP server should not be allowed to process more than ~2 calls out per number. That's a configuration issue. On proprietary voip server software, I don't know if that's possible, but on openser it is.

    2. This _should_ be the responsibility of the VOIP host, except we know that most current providers won't do it for free. It can, and should be automated. ex. *69 reports the call as spam. Even if the call is coming from a peering host, the source can be halted swiftly.

    3. DB queries on call volume should identify the offender within 30 minutes anyway.

    The article is an advertisement disguised as news.
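    A sketch of the call-volume query mentioned in point 3 of the comment above, as an added example that is not part of the original post and not OpenSER's own schema. The `cdr` table layout, the thresholds and the sample records are assumptions constructed for illustration; the 1800-second window matches the 30 minutes the comment names.

```python
import sqlite3

def build_sample_cdrs():
    """Constructed call detail records: (caller, callee, start_s, duration_s)."""
    rows = []
    # Ordinary subscriber: a few calls, repeated callees, normal durations.
    for i, callee in enumerate(["2001", "2002", "2001", "2003"]):
        rows.append(("sip:alice@example.com", callee, i * 400, 180))
    # Sequential dialer: 60 distinct callees in ten minutes, calls of a few seconds.
    for i in range(60):
        rows.append(("sip:dialer@example.net", str(3000 + i), i * 10, 4))
    return rows

def flag_bulk_callers(rows, window_s=1800, max_calls=30, max_avg_duration=15):
    """Return (caller, bucket, calls, distinct_callees, avg_duration) per offender.

    A caller is flagged when, inside one window, it places more than
    max_calls calls whose average duration stays under max_avg_duration
    seconds. Both thresholds are assumed values, to be tuned per site.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE cdr (caller TEXT, callee TEXT, start_s INTEGER, duration_s INTEGER)"
    )
    db.executemany("INSERT INTO cdr VALUES (?, ?, ?, ?)", rows)
    query = """
        SELECT caller,
               start_s / :w            AS bucket,
               COUNT(*)                AS calls,
               COUNT(DISTINCT callee)  AS distinct_callees,
               AVG(duration_s)         AS avg_duration
        FROM cdr
        GROUP BY caller, bucket
        HAVING COUNT(*) > :n AND AVG(duration_s) < :d
        ORDER BY calls DESC
    """
    params = {"w": window_s, "n": max_calls, "d": max_avg_duration}
    try:
        return db.execute(query, params).fetchall()
    finally:
        db.close()

if __name__ == "__main__":
    for row in flag_bulk_callers(build_sample_cdrs()):
        print(row)
```

    The distinct-callee count is reported alongside the volume so an operator can tell a dialer walking a number range from a busy but legitimate line that keeps calling the same few parties.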

    • The article is an advertisement disguised as news.
      That describes about 99% of the so called "content" in the trade rags these days. The entire magazines are nothing but open advertisements and "articles" which are really stealth ads written by public relations firms and submitted to publishers as "press hits" masquerading as news.
  • Want to view a web page? Count the super-distorted kitties in this sequence of letters, numbers & symbols on the Stargate chevrons.
    Want to leave a comment? Decrypt this email address that's worse than slashdot's email address obfuscation system, where you spend more time decrypting it than sending in a message.
    Want to create an account? Play this java applet where you have to click on the moving bunny.

    Ah, what a utopia. A whole internet that doesn't know if you are a dog, but will quiz you to make sure you are not a robot construct, or some farmer in India.
  • In some countries, that is: Caller pays.

    If you think that speaking to me is worthwhile, you pay for the air time.

  • by Bookwyrm ( 3535 ) on Thursday June 12, 2008 @03:11PM (#23769559)
    A major issue for end users will be if they use a SIP client/soft phone that actually pays attention to the (rather moronic) Alert-Info (or Call-Info) header. If anyone gets a SIP client out into the wild that actually implements Alert-Info, every hacker and spammer on the planet will be trying to figure out ways to trick the security on the SIP client into paying attention to their Alert-Info.

    From RFC 3261 (Session Initiation Protocol):

    20.4 Alert-Info

          When present in an INVITE request, the Alert-Info header field
          specifies an alternative ring tone to the UAS. When present in a 180
          (Ringing) response, the Alert-Info header field specifies an
          alternative ringback tone to the UAC. A typical usage is for a proxy
          to insert this header field to provide a distinctive ring feature.

          The Alert-Info header field can introduce security risks. These
          risks and the ways to handle them are discussed in Section 20.9,
          which discusses the Call-Info header field since the risks are
          identical.

          In addition, a user SHOULD be able to disable this feature
          selectively.

                This helps prevent disruptions that could result from the use of
                this header field by untrusted elements.

          Example:

                Alert-Info: <http://www.example.com/sounds/moo.wav>
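    One way a client or edge proxy could apply the "disable this feature selectively" advice quoted above, as an added example that is not part of the original post or of any SIP stack: drop Alert-Info and Call-Info from an INVITE unless it arrived from a proxy the user trusts. The function name, the trusted-proxy set and the sample INVITE are assumptions constructed for illustration.

```python
RISKY_HEADERS = {"alert-info", "call-info"}  # SIP header names are case-insensitive

# Constructed INVITE; the Alert-Info URL is the RFC 3261 example quoted above.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bKconstructed\r\n"
    "From: <sip:unknown@example.net>;tag=1\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: constructed-1@203.0.113.7\r\n"
    "CSeq: 1 INVITE\r\n"
    "ALERT-INFO: <http://www.example.com/sounds/moo.wav>\r\n"
    "Call-Info: <http://www.example.com/card.html>\r\n"
    " ;purpose=info\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def sanitize_invite(raw, source_ip, trusted_proxies=frozenset(), feature_enabled=True):
    """Return (message, dropped_headers) with untrusted ring/info headers removed.

    source_ip must be the transport-level peer address. The Via header is
    sender-controlled and is deliberately not used for the trust decision.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    keep_risky = feature_enabled and source_ip in trusted_proxies
    kept, dropped = [lines[0]], []   # the request line always stays
    skipping = False
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            # Folded continuation line: it shares the fate of the header it extends.
            if skipping:
                dropped[-1] += line
            else:
                kept.append(line)
            continue
        name = line.split(":", 1)[0].strip().lower()
        skipping = name in RISKY_HEADERS and not keep_risky
        (dropped if skipping else kept).append(line)
    return "\r\n".join(kept) + sep + body, dropped

if __name__ == "__main__":
    clean, dropped = sanitize_invite(SAMPLE_INVITE, "203.0.113.7")
    print(clean)
    print("dropped:", dropped)
```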
  • by bergeron76 ( 176351 ) on Thursday June 12, 2008 @09:48PM (#23773697) Homepage
    Since this is a real-time negotiation taking place, it will be much easier to include a challenge/response in the "handshake" portion of the connection.

    Unlike email (which gets queued), voice requires an instant connection between endpoints. If you simply used an audio captcha ("Hi, please say my first name after the beep to be connected..."), you can create a hurdle that has to be overcome immediately. Using VOX/IVR technology would easily create an AI nightmare for potential "SPITers". Add a short timeout (like 10 seconds or [with a few retries]) and then dump the dubious caller.

    Corporations do it to us all the time when we call customer service "I'm sorry, that's not a valid option. Goodbye".
