[Asterisk-Users] Re: VoIP SPAM, what's next ?

Soren Rathje asterisk at lolle.org
Tue Aug 10 13:09:03 MST 2004 

John Todd wrote:
> At 7:14 PM +0200 on 8/10/04, Soren Rathje wrote:
>> Gang,
>> 
[snip]
>> 
>> /Soren
>> 
>> It is the mark of an educated mind to be able to entertain a thought
>> without accepting it.
>> - Aristotle
> 

Ok, so we moved here from *-dev, no problem... ;-)

> 
> VOIP Spam is actually pretty trivial to take care of, if only the
> manufacturers would wise up.  We're in the same place we were with
> SMTP about twelve years ago.  I'm sure we'll see a slew of patents
> and chest-pounding by people with obvious or trivial solutions -
> welcome to the New WIPO World.
> 
> The solution is simple: "End devices should have the option to only
> accept authenticated requests."

If IP Telephony is supposed to "grow up"/mature into a technology that will replace TDM over time, this is not an option unless you are building whitelists of gigantic proportions... 
 
> That's pretty simple, but that is the key to the whole solution.
> However, most end devices will blindly accept any call that they're
> given, so long as the destination number is correct.  I've seen a few
> phones (Polycom is the only one that comes to mind) which will
> challenge INVITEs.  SIP devices are pretty smart, but I don't think
> they're capable of being "totally" smart.  The proxy in the middle
> will have to retain some intelligence and reference some type of
> permissions model or database to allow calls through or not.  I trust
> that industry (and quasi-industry, like Asterisk) programmers will
> come up with dozens of ways of intercepting and thrashing unsolicited
> phone call, so long as there is no back door that the spammer can
> sleaze through to get right to the desktop.

It challenges the concept of e164.arpa.

> TLS SIP is also a nice concept, since it would require some sort of
> "root" authentication that could be revoked or at least recognized if
> a spam origin was adequately recognized.  This is all starting to
> sound a lot like an anti-spam thread, so I'll stop here.  Most
> intelligent people on the list should be able to figure out a bunch
> of ways to prevent spam, but the primary one is accountability of
> origin.  Anything that allows that accountability to be compromised
> from the perspective of the destination means that spam will
> inevitably slide in, so it is our job to enforce sane
> authentication/authorization mechanisms NOW on the vendors from whom
> we buy equipment/firmware.

Right, the sole purpose of the original post (in asterisk-dev) was to figure out how aware people are of this potential problem and also if people think of this as a problem.

/Soren

More information about the asterisk-users mailing list