[Asterisk-Users] VOIP Spam

John Todd jtodd at loligo.com
Sun Apr 18 07:35:29 MST 2004


At 8:32 AM -0700 on 4/15/04, Tom Green wrote:
>Hi,
>
>Some people have suggested maintaining black lists and
>white lists to avoid spammers and allow legitimate
>callers into the network. However, the problem with
>this method is that the spammer's IP address might
>change due to DHCP. Today a spammer might get
>aaa.bbb.ccc.ddd and let's say that I put this address
>in my blacklist. To my annoyance, tomorrow a
>legitimate caller might get aaa.bbb.ccc.ddd and the
>spammer might get a different IP address. In the end,
>I end up blocking the legitimate caller also. Any
>ideas or thoughts on this problem are appreciated.
>
>Thanks,
>Tom

I've read the rest of this thread about PKI, shared certs, etc. but I 
think that an important middle step is being missed by everyone.

I believe strongly in the concept of end-to-end connectivity as the 
"optimal" method to ensure authentication and authorization between 
two user agents (web, voip, email, whatever.)  However, it is often 
difficult to build such mechanisms that are easily used by the "end 
user."  Most end users will happily hand over the responsibility for 
protection against "spam" in any form to a central administrator, and 
I think that as a first step it is appropriate to move the smart 
stuff to a central server instead of to every user's desktop (though 
eventually there should be smart stuff on the desktop.)

To this end: why is it _mandatory_ that all VOIP endpoints accept 
calls from other endpoints?  Of course, you could filter based on 
some type of kludge-y network filters, but that is ugly and does not 
scale.  SIP (and possibly IAX; I haven't looked at it much) have the 
ability to demand credentials from the remote host.  Why don't we use 
these features?

Here is my ideal world: When a SIP INVITE (or NOTIFY, or whatever) 
hits my desk SIP phone, it should refuse the message with a "401 
Unauthorized" message.  Without correct credentials, messages simply 
aren't allowed past the threshold of the SIP UA.  This should be a 
configurable option on my SIP UA - maybe I have some reasons to allow 
all messages from all hosts at some time.  However, most of the time 
I would want my SIP server (Asterisk, SER, whatever) to be in the 
path, and that "smart" gateway could do my blacklisting, 
authentication (PKI, etc.) and other tasks which would require more 
brains and more central administration.

No SIP device that I've ever seen has the option to deny SIP messages 
from all but authenticated hosts.  Why is that?  Seems pretty 
obvious.  It's always the other way around - SIP proxies allow or 
disallow messages according to authentication credentials (shared 
secret.)  Since I've never seen this in place, perhaps it is the case 
that I am misunderstanding how authentication can possibly work with 
SIP between a UA and a proxy?

JT
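
Added example, not part of the message above and not code from any SIP phone or from Asterisk: a sketch of the UA-side behaviour the post asks for, where an INVITE is answered with "401 Unauthorized" until it carries a digest that verifies against a shared secret. The realm, user name, secret, request URI and nonce are constructed values, and handle_request and the other function names are hypothetical.

```python
import hashlib, hmac, re

REALM = "desk-phone.example"        # constructed realm for this UA
TRUSTED = {"pbx": "s3cret"}         # constructed: the one gateway allowed to reach the phone
URI = "sip:jt@192.0.2.10"           # constructed request URI (documentation address)

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 digest without qop, as used by RFC 3261 SIP: MD5(HA1:nonce:HA2)
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")

def sample_invite(authorization=None):
    # Constructed INVITE, trimmed to the headers this check reads.
    lines = [f"INVITE {URI} SIP/2.0", "From: <sip:caller@example.net>;tag=1",
             "Call-ID: constructed-1"]
    if authorization:
        lines.append(f"Authorization: {authorization}")
    return "\r\n".join(lines) + "\r\n\r\n"

def handle_request(raw, nonce):
    """Return the response the UA sends: 401 challenge unless the digest verifies."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, _ = head[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (l.partition(":") for l in head[1:])}
    challenge = ("SIP/2.0 401 Unauthorized\r\n"
                 f'WWW-Authenticate: Digest realm="{REALM}", nonce="{nonce}", '
                 "algorithm=MD5\r\n\r\n")
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("digest "):
        return challenge                      # no credentials: never ring
    p = dict(re.findall(r'(\w+)="?([^",]+)"?', auth[7:]))
    password = TRUSTED.get(p.get("username", ""))
    if password is None or (p.get("realm"), p.get("nonce"), p.get("uri")) != (REALM, nonce, uri):
        return challenge                      # unknown sender, stale nonce, or URI mismatch
    expected = digest_response(p["username"], REALM, password, method, uri, nonce)
    if not hmac.compare_digest(expected, p.get("response", "")):
        return challenge                      # wrong shared secret
    return "SIP/2.0 180 Ringing\r\n\r\n"      # authenticated: let the call through
```

With only the central server holding the secret, every call has to pass through it, which is where the blacklisting and stronger authentication described in the post would live.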


