[asterisk-biz] Fraud

Andrew A. Boettcher techman at bitrix.net
Tue Jun 6 09:29:09 MST 2006


Great response Matthew.

I 2nd that wholeheartedly.

-----Original Message-----
From: Matthew Rubenstein [mailto:email at mattruby.com] 
Sent: Tuesday, June 06, 2006 11:17 AM
To: Mike Lynchfield
Cc: Asterisk-Biz
Subject: Re: [asterisk-biz] Fraud

	The most important part of a blacklist is its security from
abuse by competitors. Before planning the data structure or field names
of such a list's database, it's essential to include accountability of
the notifiers in the system.

	If I were to report fraud DIDs to the system, just to interfere
with their users (perhaps to sell them new ones, or some other way of
benefiting from the outage, or just vandalism), how would DID users or
other interested parties challenge my report? How can the system track
repeated abusers? Is there some authentication of the reporter? Is there
some way to ensure reporters don't just create new "authentic"
identities from which to report "fraud"? There are lots of ways to abuse
such a system, many yet to be thought up.

	This service you propose can be very powerful. It can interrupt
essential telephony services, possibly without good reason except
competition or vandalism. Its own credibility is essential to its use,
rather than abuse.

	These are the same issues that email blackout lists have grown
through. They're still not resolved. And email is not as essential as
telephony
for most people. If you want to make a service more useful than a threat
in its own right, you'll look at the successful practices of the email
lists, and work with the telephony community (like on these lists) to
resolve important remaining issues before offering your service. Just
because we can make such a database doesn't mean we know how to use it
properly. The business rules have to be settled before the programming
implements them.


On Tue, 2006-06-06 at 12:04 -0400, Mike Lynchfield wrote:
> not sure on the dns thing, but as far as did score, that's just it. a
> score.
> 
> Example
> ProviderID,DID,score[1 to 10],reason[varchar64],flag[cof,sof,bi,etc]
> 
> 1000, 1231231234, 9,confirmed abuse,sof would be suspicion of fraud 
> 90% sure for did 1231231234
> 
> code : cof = confirmed fraud.
>           bi = billing issues.
>           etc.
> 
> so you could actually pull results nightly via cron or anything you 
> like and specify filters.
> 
> pull.php?flag=all&minscore=3 etc
> 
> you would then get that list to your pbx box and apply it as you wish.
> 
> as in output:
> 
> providernickname,DID,avgscore,totalcountofcomplaints,etcetc
> 
> On 6/6/06, Tomer Horn <thorn at ivrit.org.il> wrote:
>         I agree with Florian.
>         
>         I would like to add that technically, it should be implemented
>         either in style of RBL using DNS and/or DUNDi - where the DUNDi
>         will be used as a blackhole. Just make sure that by design you'll
>         be able to create redundancy sites in different locations in case
>         of DDoS or whatever. Be prepared for that.  You should allow, as
>         you suggested, to download the complete list by using the
>         web/dns-axfr.
>         
>         I think with that comes the subject of moral responsibility for
>         the list:
>         - Under what rules a DID goes into the list? Who is allowed to
>           commit to the list?
>         - What prevents from those who are running the list to list
>           "safe" DIDs and abuse the list for whatever purposes.
>         - Maybe the entries should have a feature to enter both positive
>           and negative votes/scores/comments for each listed DID?
>         
>         Just my 2 cents.
>         
>         Florian Overkamp wrote:
>         > Hi Mike,
>         >
>         > Mike Lynchfield wrote: 
>         >> We create an API , or Web portal , that would accept input
>         >> (DID,Reason,Flag)
>         >> and serve a list.
>         >>
>         >> This list would be a SOF (Suspicion of fraud) list in either
>         >> txt,xml or both
>         >> for you to download.
>         >
>         >> How does it sound ? ..
>         >
>         > The basic idea makes a lot of sense, although I think there
>         > should also be some meta-data like:
>         > - what is the nature of the SOF, in text, for customer support
>         >   purposes
>         > - when was the number registered as SOF
>         > - optionally, how many complaints were made about the number ?
>         > - if there was an identifiable source, of the complaint or
>         >   notice, who was it ?
>         > 
>         > Our national regulator also publishes a list of numbers that
>         > have been seen in auto-diallers. Maybe other countries do the
>         > same ?
>         >
>         >
>         
>         _______________________________________________
>         --Bandwidth and Colocation provided by Easynews.com --
>         
>         asterisk-biz mailing list
>         To UNSUBSCRIBE or update options visit:
>            http://lists.digium.com/mailman/listinfo/asterisk-biz
> 
-- 

(C) Matthew Rubenstein
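
An added example, not part of the original thread or any poster's code: one way a PBX operator could consume a pulled list in the record layout Mike proposes while limiting the competitor-abuse problem Matthew raises. It counts one vote per provider per DID and only acts when several distinct providers agree. The min_reporters threshold, the fixed flag set and the sample rows are assumptions, and distinct provider IDs only mean something if the list authenticates its reporters.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the layout proposed in the thread:
# ProviderID,DID,score[1 to 10],reason,flag
SAMPLE_FEED = """\
1000,1231231234,9,confirmed abuse,sof
1001,1231231234,8,chargebacks,cof
1002,1231231234,7,unpaid invoices,bi
1000,5550100001,10,confirmed abuse,cof
1000,5550100001,10,confirmed abuse,cof
1003,5550100002,2,late payment,bi
1000,notanumber,9,junk,sof
1004,5550100003,11,out of range,sof
"""

# Assumption: only the three flags spelled out in the thread are accepted.
KNOWN_FLAGS = {"cof", "sof", "bi"}

def aggregate(feed_text):
    """Return ({DID: {provider: highest score}}, number of rejected rows)."""
    per_did = defaultdict(dict)
    rejected = 0
    for row in csv.reader(io.StringIO(feed_text)):
        fields = [f.strip() for f in row]
        if len(fields) != 5:
            rejected += 1
            continue
        provider, did, score, _reason, flag = fields
        valid = (did.isdecimal() and score.isdecimal()
                 and 1 <= int(score) <= 10 and flag in KNOWN_FLAGS)
        if not valid:
            rejected += 1
            continue
        # One vote per provider per DID: repeat reports from one source do not stack.
        per_did[did][provider] = max(int(score), per_did[did].get(provider, 0))
    return per_did, rejected

def block_list(feed_text, min_score=3, min_reporters=2):
    """DIDs to act on: average score >= min_score from >= min_reporters providers."""
    per_did, _ = aggregate(feed_text)
    blocked = {}
    for did, votes in per_did.items():
        avg = sum(votes.values()) / len(votes)
        if len(votes) >= min_reporters and avg >= min_score:
            blocked[did] = (round(avg, 1), len(votes))
    return blocked
```

With the sample rows, a DID reported twice by the same provider is not blocked at the default threshold, while a DID reported by three different providers is.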




