Spit Will Be Worse Than Spam
KentuckyFC writes "A team of German computer scientists has developed a program that reproduces all the known forms of spit (spam over internet telephony) attack. Their plan is to make the spitting software available to computer security experts wanting to test antispit strategies. Developing these won't be easy. There are various antispit techniques, such as white lists that allow only calls from predetermined callers, Turing tests such as audio CAPTCHAs that make a caller prove he or she is human and payment-at-risk services where the caller makes a small payment in advance and is refunded immediately if the receiver acknowledges the call as legitimate. But all have weaknesses, say the researchers. The main difference between junk calls and junk email is that the email arrives at your mail server before you access it. This gives the server time to analyze its content and filter out the junk before it gets to you. Not so with internet telephony, which is why radically different strategies are needed."
#1 question (Score:5, Interesting)
If yes, then this is a problem.
If no, then this is not that big of a problem.
If yes, but only if the spammers (spitters?) pay for cell minutes or something, then this is not a problem at all.
Re: (Score:2)
By 'Cell' I mean using Cell for traditional voice, as opposed to using the towers for data.
Data is data. (Score:5, Insightful)
Colour of bits in the packet (Score:5, Insightful)
Re: (Score:3, Interesting)
Re:Colour of bits in the packet (Score:4, Informative)
Some even charge to receive SMS messages.
Re:Colour of bits in the packet (Score:4, Insightful)
Re:#1 question (Score:4, Insightful)
Few people use VOIP as their home phone, and problems like this will keep it that way.
Re:#1 question (Score:5, Insightful)
Re: (Score:2)
Re:#1 question (Score:5, Insightful)
On to the topic at hand however...
VoIP actually is uniquely structured as to easily be able to prevent SPIT. You see, unlike a cell phone or land line, incoming calls DO get sent through a server, like e-mail, and contrary to the article's ideas.
For big business, running in-house VoIP systems, there is a central server, which has built in software in most cases for call screening and filtering (ShoreTel's system does, I'm sure others do). For home users, Vonage, Time Warner, and others can easily filter calls from their central systems, blocking numbers from known SPITers and from those who spoof caller ID.
A big idea with SPIT is to get you to answer, claim to be someone you are not, demand a payment, and make money. If someone answers the call, it's an issue. Pestering rings at 4AM are a problem, but personally, I disable the VoIP box through a router rule at night, so I simply don't get calls at 4AM (though a voicemail will bounce to my computer and if it's from a whitelist caller, my computer wakes me, as it's likely a family medical issue).
White lists are one thing, simply not answering blocked calls is another. What I do is a bit of both: I don't answer blocked calls, and any calls I get from caller ID where I don't have a name record (I save every phone number I can identify into my phone, and caller ID with name fills in the blanks). Calls from unknown local numbers that are important end up either leaving a voicemail, or I call them back. ALL calls from 800, 866, and other likely business extensions, I simply call them back to verify their identity, unless I'm expecting their call, since they rarely leave voicemail...
I also know what companies I do and do not do business with, and since I have a strict No Telemarketing policy in my house, calls from any business I don't already do business with get a stern request to have me removed from their list (and I track who I spoke to and go after the ones that call back).
All of this is very easy to do with a VoIP system, and much of it can be automated for businesses, or by Vonage or another VoIP Provider. Cell phones and land lines offer no such luxuries, so you'd have to do it all like I do, the hard way...
Re: (Score:3, Insightful)
When it becomes anything like regular spam, you'd be receiving 20 calls per minute continuously from automated processes (e.g. perhaps from other broadband users running Windows, including your family, colleagues, and business contacts) - then it would take a lot more effort to block everything correctly
Re:#1 question (Score:5, Interesting)
Folks on Skype, and other non-centralized VoIP (direct IP to IP calling) may be susceptible to this, but since Skype can't support e-911, it's not really an issue... IP to Vonage calls, for example, in part run across telco networks, and those incur charges. The SPITers won't be able to make good on their investment.
Besides, the Telco networks and VOIP networks would not be able to handle that volume. e-mail gets bogged down due to Spam, but calls either work or not. If this becomes an issue, the FCC will be on it lightning fast and with great ferocity. Each call is a trunk line, not a few packets...
A PC can't really just CALL a Voip line... The softphone, even for the very small percentage of people who use them as opposed to most people on VOIP having a hardware device, is a proprietary program, and on the back end is interfacing with an authentication system. Some random virus is not going to be able to interface with Vonage to make calls that way...
Like I said, Skype might be a hackable system, but business voip is all inter-office (VPN tunnels) not open internet calls. Businesses using VOIP use PRI or BRI trunks and traditional call networks to place person to person calls (except intra/inter office over secure systems). SPITing on a business extension means placing a call through a terrestrial phone company. Those can be traced, and blocked, if abused.
If SPITing was potentially that successful, I'd be getting 100 calls a day at my home line already.
Also, a Drone infected PC that was SPITing, how many calls a day do you think it would be making? and how many calls a day (or at a TIME!) is it reasonable for a human to make? It should be easy for phone companies to identify drone VOIP machines and shut them down... Calling habits for a household are easy to model, and since even a telemarketer working from home has to have a business class phone license, they'll be easy to identify and eliminate false positive screenings. (most home telemarketers run through VPN to a central switch anyway).
This really isn't a big deal. If they ever figure out HOW to make it a big deal, expect strict and sweeping legislation. Attacks on the US phone system are considered terrorist activity, unlike spam which is just a civil, not even criminal, in most cases offence. Also, VoIP is easy to trace, since it's clearly a 2 way communication requirement, unlike spam.
DDoS is a possible abuse, but even that should not affect centralized VoIP providers and their customers (100 calls in 3 minutes? block it. Done.)
Re:#1 question (Score:4, Informative)
No, they don't. You have been sucked into a mindset by those who run the central services. You can phone anyone at my house using a SIP address that looks just like an email address. It's just another protocol on the Internet and you don't need to pay a central service to use it.
A PC can't really just CALL a Voip line
Incorrect again. There doesn't need to be a "VoIP Line", it can be more akin to an open port on your home router. One that your PC can call up and play wav spam into if someone answers.
I subscribe to gateways so that I can connect to the PSTN, but I'm never required to route my calls through any particular one. I have to pay to use those gateways for in/outbound PSTN calls, but I make and receive pure Internet-only VoIP calls all the time for free without the use of a central service. Think of it like I'm serving web pages from my house or receiving SMTP messages. That is the future of Internet-based telephony.
Proprietary services like Skype and Vonage are not yet swimming in the bigger waters, despite the fact that they let you connect to the PSTN. Their kind of VoIP is still in the same mode as email was when CompuServe couldn't peer with FidoNet, which couldn't peer with GEnie, etc.
If I ever pay a central service for VoIP, it will likely be just to filter the coming SPIT.
Known unknowns (Score:3, Insightful)
I disable the VoIP box through a router rule at night, so I simply don't get calls at 4AM (though a voicemail will bounce to my computer and if it's from a whitelist caller, my computer wakes me, as it's likely a family medical issue.
That sounds great as long as the VoIP box is being used by a tech savvy person like you. And as long as the emergency call originates from your family member's home and not an unfamiliar cell phone, pay phone, hospital phone, jail phone, friend's phone....
Re:#1 question (Score:5, Insightful)
Re: (Score:2, Interesting)
The problem with Vonage is that I've also seen their 1/2 infomercial. Trying to sell your product using infomercials completely destroys your credibility in my eyes. I will never trust a product I've seen in an infomercial**. I am sure I am not alone.
And, no, thankfully I was smart enough that I did not have to learn that the hard way.
**Except for
Re: (Score:2)
Just making sure I understand you, the only thing you have ever bought that had an infomercial you like, but you don't believe that anything else you have ever seen on an infomercial would be acceptable.
Now, I'm not saying that most of the stuff on infomercials isn't crap, but if you know of one exception, what makes you think that there aren't any more?
Re:#1 question (Score:5, Insightful)
That's called telemarketing. This isn't.
This has the potential to be as bad as (or worse) than spam. Think about it - if you were telemarketing, you'd have to hire a bunch of people to work in a call center. This costs money (rent, phone lines, people).
But over VoIP, all you need is an internet connection. Said internet connection just has to connect to a VoIP phone over some standard protocol (Skype, SIP, what have you), and blast the message away. You can convert a botnet from sending spam to sending spam via VoIP quite easily - just change the spam-mailer to a spam-over-voip thing. If your endpoint is a regular phone line to act like a POTS line, well, get a bigger answering machine. It costs little to "spit" millions of VoIP phones, and they'll be sure to try "calling" multiple times in the hopes you pick up (or someone picks up).
It's like why the spam problem is worse than junk mail - sender has to invest in sending junk mail, while spam costs just bandwidth and botnet fees. It probably won't reach normal landlines since things like SkypeOut etc. cost money.
About the only solution would be to ensure that whoever's calling you has a real phone number at the other end and not just an arbitrary IP address. Not sure how foolproof that is, though or if it could be faked. Nor am I sure whether or not things like Vonage will be affected (do they allow calls from non-Vonage (IP-only) and non-incoming line (landline/cell/etc) people?).
Re:#1 question (Score:5, Interesting)
What's the difference?
This has the potential to be as bad as (or worse) than spam. Think about it - if you were telemarketing, you'd have to hire a bunch of people to work in a call center. This costs money (rent, phone lines, people).
So the difference is how many people you need to do it? Then it's just a matter of degree, and not a fundamental difference. VOIP spam is only worse than telemarketing because there's more of it.
It's like why the spam problem is worse than junk mail - sender has to invest in sending junk mail, while spam costs just bandwidth and botnet fees. It probably won't reach normal landlines since things like SkypeOut etc. cost money.
Funny thing is, I get a lot more paper spam than email spam. From where I stand, paper spam is a worse problem. It certainly kills a lot more trees. And I can't set up a filter for my paper spam.
Re: (Score:3)
VOIP spam is only worse than telemarketing because there's more of it.
That, and because legislation wouldn't do shit to stop it.
With telemarketing, I can put my self on the national do-not-call registry, and I can tell individual telemarketers to take me off their list. And because there's a real call center, there's almost certainly an actual corporation that I can track down.
With VOIP spam, all the same rules that make normal spam unaffected by legislation still apply. There's enough more of it that I can't just hang up. So there would likely be just as much VOIP spam as e
No, that's not it (Score:2)
It's already illegal in most jurisdictions (in the US) to telemarket with pre-recorded messages. This has teeth with a regular phone call because the phone company is pretty careful about being able to bill people that use its network, and if you can bill them, you can track them down.
And... regular (illegal) pre-recorded telephone spam still cos
Re:#1 question (Score:5, Funny)
(Disclaimer: That was not a jibe at Hillary. I actually got a call from a real live person working for the Hillary campaign when my state's primaries were looming. She just started talking, so I actually thought she was a recording. I was joking with my wife about "Hillary Clinton" showing up on the caller ID and said, "I told Hill not to call me at home! I wonder if Bill knows how much she calls me? I guess what's good for the goose..." That's when the lady said, "excuse me?" I then realized she was a real person.)
Re: (Score:2)
Re: (Score:2)
On the flip side, I've looked in my junkmail box a few times, usually when I add some new anti-spam rule and want to make sure it's not overreaching, or when my mom says my aunt emailed me and I never replied. Turns out her message was a false positive, got filed in
Re: (Score:3, Interesting)
My email still gets spam, but spamassassin and Apple's junkmail filter do a pretty good job of hiding most of it. Hitting "delete" a few times a day is annoying, but tolerable, especially since I don't constantly check email, so
Re: (Score:2)
If the spammers/spitters pay for the minutes, it's not a problem? Are you sure? I got 1,981 spams last night - about one every 45 seconds (math in head not exact). Do you think you would use a cell phone if it got telemarketed to once every 45 seconds, or just turn it off? And if you just turn it off, how does your family/friend/etc get ahold of you?
Re:#1 question (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
To make ends meet, the spammer would have to make one sale for every batch of 50,000 messages.
Now using up his airtime/minutes, OTOH, a call may very well cost him $.02, (contrary to what Verizon [verizonmath.com] thinks) a hu
Re: (Score:2)
Unlike the local short-distance POTS (on which you tend to get harassed by robodialers as well as Hillary C.), your cell operator charges the operator of whomever's calling you a few (fractions of) cents per minute, so cells are very likely to be spared.
Re: (Score:2)
Call Screening (Score:5, Informative)
Seems about the only way to avoid junk calls. I never answer if I don't recognize the number, and certainly not if it's private. Pisses the bank off if I forget about a payment or something, but they'll usually send postcards too. If it's a legit call and they can't be bothered to leave a message, then I can't be bothered to call them back.
Of course, once the spam bots start leaving ads in my voicemail, then I'm getting violent.
Re: (Score:3, Informative)
You know that's going to happen.
Re: (Score:2)
Groupsourcing the identification of spitters would be easy enough, or so it would seem.
Ideas anyone?
Re: (Score:2)
I realize I have to find a way to "skip" messages in my voice inbox, right now my service only lets me delete stuff AFTER I fully listened to it. Highly annoying.
Re: (Score:2)
Well, my POTS Caller ID often times either comes up as Blocked Call or something weird, and I simply don't answer those calls. While it may be trivial for them to spoof a phone number, it is not trivial to find a number that I will trust (say, a friend or relative). That does somewhat limit the threat.
Still, it doesn't m
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
My stupid bank called my cell to offer me some identity theft protection. I hung up on them. Then they called back the next day and had the nerve to say I'd asked them to.
Telemarketers aren't a VOIP problem, they're a problem, period.
Having said that, I'm going to write a VOIP application that only allows you to complete a call if you transfer five cents to the receiver.
Re: (Score:2)
Re:Call Screening (Score:5, Funny)
Your son at college asking for money is not a "spam bot."
-Jim
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Taking names and complaining about this Spit will work just as well as it does for spam. Not. Remember, it's happening on the internet, not POTS.
Collaborative blacklisting will be as difficult as it is for email since most Spitters will be zombies in large botnets.
Re: (Score:2)
Re: (Score:2)
You mean like Justice A Clothing Store for Girls [lazylightning.org] already does? They aren't alone however, most of the time I have a message from some carpet cleaner or other douchebag company that leaves no contact information except a reminder to get my fucking carpets cleaned.
I am seriously considering unplugging the fucking answering machine now too.
voice message spam (Score:2)
You're lucky that you've never encountered a voice spam that waits for the initial greeting, and then plays back a pre-recorded message. Sometimes if you answer the phone without saying anything, it will just be silent, but most people answer the phone with "hello."
Re: (Score:2)
I stopped using voicemail long time ago, simply because people are too stupid to use it effectively.
Re: (Score:2)
Re:Call Screening (Score:4, Interesting)
"Hello, thank you for calling Blah & Bo. If you want Blah, press 1. If you want Bo, press 2"
I get about 10-15 calls a day that hang up before even 2 seconds of the automated prompt. And these tend to call the same time each and everyday, until they give up a week or two later.
I get NO telemarketers, EVER, as they don't really have keypads AFAIK. When I was once upgrading the Asterisk machine, it was down for 2 hours. I managed to get 2 telemarketers. I just told them to call back in the evening as I had no time. Guess what? Asterisk was up by then and they never got through!
Re: (Score:3, Informative)
The capability was actually built-in to the specific Motorola mobile handset that I was using. The phone had an option to send callers directly to voice mail if they were not in my address book. It would also capture the incoming phone number in my call list. Friends and family got right through. Those whose numbers I did not have left a message...which I then added
Re: (Score:2)
I prefer the term (Score:2)
Re: (Score:2)
Spit? (Score:5, Funny)
(Sorry.)
Re: (Score:3, Funny)
Re: (Score:2, Funny)
Spam? Spit? What's next? (Score:5, Funny)
"I'm getting sick of the SPERM in the morning paper."
Re:Spam? Spit? What's next? (Score:4, Funny)
"Parents! Don't let your kids buy GTA V, its graphics include SPOOGE!"
"Okay Mr. Thompson, it's time for your meds."
(Alright, alright, kind of strained)
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
By the way, I understand that the term spam is agreed to have come from the Monty Python skit, but have you stopped to think about why they thought it was so funny - wartime rationing aside?
Re: (Score:2)
Re: (Score:2)
"I'm getting sick of the SPERM in the morning paper."
Obvious, simple, solution. (Quick! Patent it!) (Score:3, Interesting)
The intrusive nature of the required synchronicity of telephony is unacceptable anyway. It always has been. Hence the invention of call-screening devices, caller-ID, answering machines/voice mail, etc...
If you weren't expecting the call, don't answer it. Then you won't have to give anybody money for yet another "security" product.
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
Arrange the usage of internet telephony over e-mail, SMS, or IM before initiating or accepting a call. ... If you weren't expecting the call, don't answer it.
That's not so good when an old friend I'd lost contact with passes through town and decides to look me up in the phone book. Or when my girlfriend is traveling through Europe and calls from assorted hostels whenever she gets the opportunity. Or when a relative calls from the hospital pay phone to tell me to get down there right away to say goodbye to Grandma, who probably won't live through the night.
I don't want unexpected calls from spammers/spitters/telemarketers/whatever, but I absolutely want unexpe
Old Turing Test (Score:5, Interesting)
Re: (Score:2)
Re: (Score:3, Funny)
How is this different than now? (Score:5, Informative)
Ultimately, since most of the VoIP services that have any leverage just extend the PSTN to a network connected voice terminal, the solutions remain the same. Don't accept uninvited sessions from unknown hosts at the terminal. Don't ring the phone for an unknown caller ID. Direct the caller to an IVR asking them for their name, and then give the caller the opportunity to accept or reject the call.
Lastly, perhaps the most effective "anti-spam" measure for voice spam of any kind (be it conventional telemarketers or some new-fangled network-enabled approach) is the simple auto attendant. Even though I don't have numbers in the do-not-call registry (and I see suspect calls hit my Asterisk system all the time) I _NEVER_ get any spam calls. My autoattendant has a voicemail default route and no route for 0 or 1.. this leaves about 99.999% of all junk calls dead in the water.
Re: (Score:2)
Contrast this with SPIT, where
Get it already... (Score:2)
Will deal with it in much the same way; known bad callers go directly to the honeypot, known good callers go through. Unknown callers will need some kind of probabilistic assessment as to how much IVR and call screening you put them through.
Anecdote (Score:5, Interesting)
Re: (Score:3, Interesting)
What about the do not call list? (Score:2)
Re: (Score:2)
With VOIP, the network is open. For the most part, this is good - we have the potential to completely do away with phone charges - but, like email, there's no way to identify the source of a cal
Re: (Score:2)
Easier solution (and the one I used before DNC) (Score:2)
Or, you can just treat your phone as a verbal "inbox", and never actually answer it in person. Back before the Do Not Call registry, I know quite a few people who took that approach (myself included, to some degree).
Telemarketers will almost never actually leave a message, and the few who do, you can instantly detect and d
So easy to fix (Score:3, Interesting)
Like cryptography, authentication must also be a part of the protocols used in future voice communication. Fortunately, the same tech happens to help with both.
Once you have a solid identity for the caller, they can be looked up somehow, and either be classed as someone you know (i.e. have personally vetted as human) or delegated through a WoT as probably human, or determined to be "nobody."
The reason this is a problem for current VoIP and POTS is merely that those things happen to suck due to legacy interoperability, CALEA, etc.
I really do think those concerns will eventually be left behind. Just like PGP over email, though, there will be social resistance (or inertia, at least). But the very problem being discussed here (phone spam being more annoying than email spam) will make securing voice more attractive to the mainstream, than securing email was.
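As an added illustration of the lookup this post describes (not code from the post or from any project), here is a small web-of-trust classifier: a caller identity you vetted yourself is "known", one vouched for within a bounded number of hops by people you trust is "probably-human", and anything else is "nobody". The SIP-style identities and the trust graph are constructed for the example; it assumes the caller identity has already been authenticated by the signalling layer.

```python
"""Web-of-trust classification of an authenticated caller identity.

trust maps an identity to the set of identities that person has personally
vetted. Delegation is bounded by max_hops so that a long chain of strangers
cannot vouch a robodialer into the "probably-human" class.
All identities below are constructed for this example."""
from collections import deque


def classify_caller(caller, me, trust, max_hops=2):
    """Return (label, hops): ('known', 1), ('probably-human', n) or ('nobody', None)."""
    if caller in trust.get(me, ()):
        return ("known", 1)
    seen = {me}
    queue = deque([(me, 0)])
    while queue:                      # breadth-first, so hops is the shortest chain
        node, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for nxt in trust.get(node, ()):
            if nxt in seen:
                continue
            if nxt == caller:
                return ("probably-human", depth + 1)
            seen.add(nxt)
            queue.append((nxt, depth + 1))
    return ("nobody", None)


# Hypothetical screening policy: what the phone does with each class.
ACTION = {"known": "ring", "probably-human": "ring-quietly", "nobody": "challenge"}


def screening_action(caller, me, trust, max_hops=2):
    label, _ = classify_caller(caller, me, trust, max_hops)
    return ACTION[label]


# Constructed trust graph: me -> alice, bob; alice -> carol; carol -> dave.
ME = "sip:me@example.net"
CONSTRUCTED_TRUST = {
    ME: {"sip:alice@example.net", "sip:bob@example.net"},
    "sip:alice@example.net": {"sip:carol@example.org"},
    "sip:bob@example.net": {"sip:alice@example.net"},
    "sip:carol@example.org": {"sip:dave@example.org"},
}
```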
among their findings: (Score:3, Insightful)
The paper is stupid (Score:5, Insightful)
"Let us even assume, that Payment at Risk is used for every call. Even In that case an attacker could circumvent it, by impersonating as another user, so that he can establish calls and shift the costs on to "normal" customers."
Umm, if they could do that, wouldn't it be more profitable just to impersonate others and call yourself, collecting all their money?
Solution options might be (Score:2)
Next: Be able to exclude out of "area" calls (I get to define what the "area" is)
Next: For non-white listed numbers, have the disconnect signal sent (The three-tone noise followed by "The number you have reached..."), followed by a question that requires a human to answer in a timely manner:
Examples:
It's a Scheme to Sell Spitware to End Users (Score:5, Interesting)
1. Unlike email, the offender needs a block of voip numbers to do any meaningful spitting. Those blocks aren't as costless as sending spam. Let's argue for a minute they don't need blocks. The VOIP server should not be allowed to process more than ~2 calls out per number. That's a configuration issue. On proprietary voip server software, I don't know if that's possible, but on openser it is.
2. This _should_ be the responsibility of the VOIP host, except we know that most current providers won't do it for free. It can, and should be automated. ex. *69 reports the call as spam. Even if the call is coming from a peering host, the source can be halted swiftly.
3. DB queries on call volume should identify the offender within 30 minutes anyway.
The article is an advertisement disguised as news.
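The two server-side controls in points 1 and 3 above (cap concurrent outbound calls per number at about two, and pull offenders out of the call records by volume), plus the "100 calls in 3 minutes? block it" rule from earlier in the thread, can be written down as a small policy module. The code below is an added example, not openser or any provider's software; the thresholds and the call records are constructed for illustration.

```python
"""Outbound-call policy for a VoIP server: per-number concurrency cap plus a
sliding-window volume limit, and an offline CDR query that finds numbers whose
call rate no household or human caller would produce.
Thresholds and call records are constructed for this example."""
from collections import defaultdict, deque

MAX_CONCURRENT_PER_NUMBER = 2      # the post suggests ~2 calls out per number
WINDOW_SECONDS = 30 * 60           # the post's 30-minute detection horizon
MAX_CALLS_PER_WINDOW = 60          # hypothetical: far above any human pattern


class OutboundCallPolicy:
    """Tracks live and recent calls per source number; refuses or quarantines."""

    def __init__(self, max_concurrent=MAX_CONCURRENT_PER_NUMBER,
                 window=WINDOW_SECONDS, max_per_window=MAX_CALLS_PER_WINDOW):
        self.max_concurrent = max_concurrent
        self.window = window
        self.max_per_window = max_per_window
        self.active = defaultdict(set)      # number -> set of live call ids
        self.history = defaultdict(deque)   # number -> start times in window
        self.blocked = set()                # numbers quarantined for volume

    def _prune(self, number, now):
        q = self.history[number]
        while q and now - q[0] > self.window:
            q.popleft()

    def call_start(self, number, call_id, now):
        """Return True if the call may proceed, False if it is refused."""
        if number in self.blocked:
            return False
        self._prune(number, now)
        if len(self.active[number]) >= self.max_concurrent:
            return False                    # third simultaneous call: refuse
        self.history[number].append(now)
        if len(self.history[number]) > self.max_per_window:
            self.blocked.add(number)        # drone-like volume: quarantine source
            return False
        self.active[number].add(call_id)
        return True

    def call_end(self, number, call_id):
        self.active[number].discard(call_id)


def flag_high_volume(cdrs, window=WINDOW_SECONDS, threshold=MAX_CALLS_PER_WINDOW):
    """Offline CDR query: source numbers that placed more than `threshold`
    calls inside any `window`-second span. cdrs: iterable of (number, start_s)."""
    by_number = defaultdict(list)
    for number, start in cdrs:
        by_number[number].append(start)
    offenders = set()
    for number, starts in by_number.items():
        starts.sort()
        left = 0
        for right, t in enumerate(starts):     # two-pointer sliding window
            while t - starts[left] > window:
                left += 1
            if right - left + 1 > threshold:
                offenders.add(number)
                break
    return offenders


# Constructed CDRs: a household placing 5 calls over a day, and a drone
# placing 200 calls at 12-second intervals (150 of them in any 30 minutes).
CONSTRUCTED_CDRS = (
    [("+15550100", 3600 * h) for h in range(5)]
    + [("+15550199", 12 * i) for i in range(200)]
)
```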
Re: (Score:2)
Yeah, let's captcha the entire Internet (Score:4, Funny)
Want to leave a comment? Decrypt this email address that's worse than slashdot's email address obfuscation system, where you spend more time decrypting it than sending in a message.
Want to create an account? Play this java applet where you have to click on the moving bunny.
Ah, what a utopia. A whole internet that doesn't know if you are a dog, but will quiz you to make sure you are not a robot construct, or some farmer in India.
The Fix Already Exists (Score:2)
In some countries, that is: Caller pays.
If you think that speaking to me is worthwhile, you pay for the air time.
Just, please, no SIP Alert-Info header! (Score:3, Informative)
From RFC 3261 (Session Initiation Protocol):
When present in an INVITE request, the Alert-Info header field
specifies an alternative ring tone to the UAS. When present in a 180
(Ringing) response, the Alert-Info header field specifies an
alternative ringback tone to the UAC. A typical usage is for a proxy
to insert this header field to provide a distinctive ring feature.
The Alert-Info header field can introduce security risks. These
risks and the ways to handle them are discussed in Section 20.9,
which discusses the Call-Info header field since the risks are
identical.
In addition, a user SHOULD be able to disable this feature
selectively.
This helps prevent disruptions that could result from the use of
this header field by untrusted elements.
Example:
Alert-Info: <http://www.example.com/sounds/moo.wav>
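The defensive reading of the RFC text quoted above is that a user agent should honour Alert-Info only when a trusted proxy inserted it, and should let the user switch the feature off entirely. The following is an added example (not from RFC 3261 or any SIP stack) of that policy applied to an incoming INVITE: a minimal header parser, an allow-list check on the ring-tone URI's host, and a sanitizer that drops the header otherwise. The trusted host name and the INVITE message are constructed.

```python
"""Strip or allow the SIP Alert-Info header on an incoming INVITE.

The header's value is a URI the phone would fetch and play as its ring tone,
so a UAS should only honour it when it came from a trusted element and the
user has the feature enabled. Host names and the message are constructed."""
import re
from urllib.parse import urlparse

# Hypothetical policy: only our own proxy may supply ring tones.
TRUSTED_ALERT_HOSTS = {"pbx.example.net"}

_URI_RE = re.compile(r"<([^>]*)>")


def parse_sip_headers(raw):
    """Split a SIP request into (start_line, [(name, value), ...], body).
    Folded continuation lines are joined onto the previous header."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start_line, headers = lines[0], []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return start_line, headers, body


def alert_info_allowed(value, trusted_hosts=TRUSTED_ALERT_HOSTS):
    """True only if every URI in the header is http(s) on a trusted host."""
    uris = _URI_RE.findall(value)
    if not uris:
        return False
    for uri in uris:
        parsed = urlparse(uri)
        if parsed.scheme not in ("http", "https") or parsed.hostname not in trusted_hosts:
            return False
    return True


def sanitize_invite(raw, trusted_hosts=TRUSTED_ALERT_HOSTS, alert_info_enabled=True):
    """Return the INVITE with untrusted Alert-Info headers removed.
    alert_info_enabled=False is the per-user disable switch the RFC asks for."""
    start_line, headers, body = parse_sip_headers(raw)
    kept = []
    for name, value in headers:
        if name.lower() == "alert-info" and (
                not alert_info_enabled or not alert_info_allowed(value, trusted_hosts)):
            continue                      # drop: untrusted source or feature off
        kept.append((name, value))
    head = "\r\n".join([start_line] + [f"{n}: {v}" for n, v in kept])
    return head + "\r\n\r\n" + body


def header_names(raw):
    """Convenience: the header names present in a message."""
    return [n for n, _ in parse_sip_headers(raw)[1]]


# Constructed INVITE whose Alert-Info points at a host we do not trust.
CONSTRUCTED_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7;branch=z9hG4bK776\r\n"
    "From: <sip:anon@203.0.113.7>;tag=1928\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Alert-Info: <http://203.0.113.7/loud.wav>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
```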
Solution: Use audio captcha at the handshake level (Score:3, Interesting)
Unlike email (which gets queued), voice requires an instant connection between endpoints. If you simply used an audio captcha ("Hi, please say my first name after the beep to be connected..."), you can create a hurdle that has to be overcome immediately. Using VOX/IVR technology would easily create an AI nightmare for potential "SPITers". Add a short timeout (like 10 seconds or [with a few retries]) and then dump the dubious caller.
Corporations do it to us all the time when we call customer service "I'm sorry, that's not a valid option. Goodbye".
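Here is the screening described in this post and in the earlier "Get it already..." comment (known-bad callers to the honeypot, known-good callers straight through, unknown callers put through an IVR challenge with a timeout and a few retries) written as a state machine. It is an added example, not code from either post or from any IVR product: caller responses are supplied as (seconds after the prompt, utterance) events so the logic runs without a telephony stack, and the names, numbers and spam utterance are constructed.

```python
"""Inbound call screening with a spoken challenge for unknown callers.

Allow-listed callers ring through, block-listed callers go to the honeypot,
everyone else must say the expected word within the timeout; a bounded number
of re-prompts is allowed before the call is dropped. Names, numbers and the
recorded-message text below are constructed for this example."""
import re

CHALLENGE_TIMEOUT_S = 10    # the post suggests about ten seconds
MAX_ATTEMPTS = 3            # "a few retries"


def _tokens(text):
    """Lower-cased words of an utterance; 'Uh, Alice?' -> {'uh', 'alice'}."""
    return set(re.findall(r"[a-z]+", (text or "").lower()))


class CallScreener:
    def __init__(self, expected_answer, allow=(), block=(),
                 timeout=CHALLENGE_TIMEOUT_S, attempts=MAX_ATTEMPTS):
        self.expected = expected_answer.lower()
        self.allow = set(allow)
        self.block = set(block)
        self.timeout = timeout
        self.attempts = attempts

    def screen(self, caller_id, responses):
        """responses: list of (seconds_after_prompt, utterance_or_None), one
        per prompt. Returns 'ring', 'honeypot' or 'dropped'."""
        if caller_id in self.allow:
            return "ring"                   # vetted caller: no challenge
        if caller_id in self.block:
            return "honeypot"               # known spitter: never ring
        events = list(responses)
        for attempt in range(self.attempts):
            if attempt >= len(events):
                return "dropped"            # silence: no reply to the prompt
            delay, utterance = events[attempt]
            if delay > self.timeout:
                continue                    # too slow: re-prompt, costs an attempt
            if self.expected in _tokens(utterance):
                return "ring"               # said the name: connect the call
            # a recording that talks over the prompt never matches; re-prompt
        return "dropped"


# Constructed sample: the expected answer and two known callers.
SCREENER = CallScreener("Alice", allow={"+15550100"}, block={"+15550199"})
ROBOCALL = "this is an important message about your vehicle warranty"
```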
Re: (Score:3, Funny)
Soylent green: Tastes different from person to person.
Re:Server first (Score:5, Insightful)
Re: (Score:3, Interesting)
Re: (Score:2, Insightful)
Re: (Score:2)
Says the guy not publishing his email address on slashdot.
Re: (Score:2)
Re: (Score:2)