[Asterisk-Users] Re: VoIP SPAM, what's next ?

John Todd jtodd at loligo.com
Tue Aug 10 11:13:42 MST 2004 

At 7:14 PM +0200 on 8/10/04, Soren Rathje wrote:
>Gang,
>
>Do anyone have a clue on how they do this ??
>
>"QOVIA FILES PATENTS FOR VOICE SPAM BLOCKING TECHNOLOGY"
>http://www.qovia.com/company/news/06.28.2004_voip_spam_patent_app_final.htm
>
>"Qovia ready to take on VoIP spam"
>http://www.nwfusion.com/news/2004/071204qovia.html
>
>Next thing will probably be a sbl.e164.org service to block spammers 
>like we do with email... :-)
>
>Hmm.. Imagine a built-in reporting tool in Asterisk. Hit **666**# 
>and Asterisk will report the IP address of the caller (and possibly 
>also the CID but it can be forged as we all know) on-line and in 
>real-time to a SBL list for immediate blocking and further 
>processing...
>
>Any takers ??
>
>/Soren
>
>It is the mark of an educated mind to be able to entertain a thought 
>without accepting it.
>- Aristotle


VOIP Spam is actually pretty trivial to take care of, if only the 
manufacturers would wise up.  We're in the same place we were with 
SMTP about twelve years ago.  I'm sure we'll see a slew of patents 
and chest-pounding by people with obvious or trivial solutions - 
welcome to the New WIPO World.

The solution is simple: "End devices should have the option to only 
accept authenticated requests."

That's pretty simple, but that is the key to the whole solution. 
However, most end devices will blindly accept any call that they're 
given, so long as the destination number is correct.  I've seen a few 
phones (Polycom is the only one that comes to mind) which will 
challenge INVITEs.  SIP devices are pretty smart, but I don't think 
they're capable of being "totally" smart.  The proxy in the middle 
will have to retain some intelligence and reference some type of 
permissions model or database to allow calls through or not.  I trust 
that industry (and quasi-industry, like Asterisk) programmers will 
come up with dozens of ways of intercepting and thrashing unsolicited 
phone call, so long as there is no back door that the spammer can 
sleaze through to get right to the desktop.

TLS SIP is also a nice concept, since it would require some sort of 
"root" authentication that could be revoked or at least recognized if 
a spam origin was adequately recognized.  This is all starting to 
sound a lot like an anti-spam thread, so I'll stop here.  Most 
intelligent people on the list should be able to figure out a bunch 
of ways to prevent spam, but the primary one is accountability of 
origin.  Anything that allows that accountability to be compromised 
from the perspective of the destination means that spam will 
inevitably slide in, so it is our job to enforce sane 
authentication/authorization mechanisms NOW on the vendors from whom 
we buy equipment/firmware.

JT

More information about the asterisk-users mailing list