[asterisk-biz] OT Preventing VoipSpam Was RE: [OT] Reporting Spam

Trixter aka Bret McDanel trixter at 0xdecafbad.com
Sun Nov 9 19:45:46 CST 2008


On Sun, 2008-11-09 at 17:12 -0800, John Todd wrote:

> 
> As with most things, if there is an economic incentive, it will get  
> done.  The problem with "VoIP spam" is light, and there seems to be  
> little incentive on even traditional telephony networks to outlay  
> money to solve the problem.  False positives are also a serious  
> problem; no service provider wants to be in the situation of  
> explaining why calls from Aunt Millie are sent to a legal-sounding  
> announcement asking never to call again.  Just like joe-jobbing, voice  
> spammers will quickly figure out that they should send the caller ID  
> of someone trusted, like a bank, or Aunt Millie.
> 
that can be illegal in some places to do, although in the US most of it
is related around fraud where you pretend to be a bank to get account
numbers or whatever.  It is a problem, however ...


> Other issues standing in the way of a centralized blacklist: a trust  
> model for reporters and for clients, a reputable brokerage, a set of  
> rules for addition/subtraction to the list, a lawsuit threat from  
> blacklisted numbers, and the host of other nightmares that has already  
> plagued the email spam methods.  The privacy issue alone is  
> nightmarish - some central system, not under my company's control, is  
> going to see EVERY SINGLE caller ID that comes into my switches?  Holy  
> private information leakage, Batman!
> 
well if you enum lookup every call to see if its blacklisted, then the
DNS servers start to get aggregate information showing that the same
number is calling X people in Y timeframe so put it on some hotlist.
Whocalled.us has a userbase submitting numbers, although its not a
blacklist (it was one of the people I talked to about doing this as a
front end to feed it data), and the blacklist would occur based on
different reports and all that.  At least that was the plan long ago,
there are a few other things to mitigate false positives, as well as
other methods to try to make the system sane.

As for the legal aspect not one lawsuit against email RBLs have stood
up, the reason is that they are not mandating that people subscribe to
them so they arent standing in the way of anything.  Anyone that uses it
is doing so by their choice.  I can understand the provider aspect, and
that is a provider issue, just like emails that get flagged as spam and
either deleted or whatever when they arent is an issue its something
they have to decide on.  The way that one group of RBL people operate is
that there is no information on who actually runs it, this prevents
anyone from being served.  There are volunteers that will offer
suggestions of what may work to get yourself removed, but everyone is
careful to say they dont know who operates it and no one states they
work for any particular organization, just helpful random people.  The
spammers that were blacklisted spent quite a while trying to unravel
that before the other lawsuits got tossed and they gave up.  Its now
somewhat established legal doctrine in the US and afaik no where else
even had a case since it is kinda silly legally speaking to go after the
blacklist people. 

My list would be more than just voip, it would include pstn calls, so it
would have some value to it.  And if people can do it with the larger
volume of emails then I see no reason why volunteers couldnt manage a
DNS system that would do basically the same.  

> one's arms around.  As you say, Asterisk can do all these things  
> easily already in the dialplan - now it's up to someone (you?  
> e164.org? someone else?) to put it all together in a way that people  
> will use (if they want to use it, which remains to be seen.)
> 
That is why I contacted you, whocalled.us and others about 3-4 years ago
and got nothing out of it, some initial discussions then it just went
silent.  I did not want to do this by myself, but no one else wanted to
participate outside of saying that they think it would be good, they
want it, and all that.  


> PS: Somewhat related to this topic - I've never once received a "spam"  
> SIP call, meaning a call from someone who I didn't want to hear from.   

I havent via voip either, it seems more confined to skype, vonage,
yahoo, etc.  where people are targeting the large providers rather than
anything and everything they can *so far*.

But this could go for more, all the telemarketing calls that are sent,
and if providers gave people an opt-in for it, that could be handy too.
Even in the US with the do not call list it does not apply for example
to people outside the US placing a call, so call centers elsewhere are
free to call away.  Given that its getting cheaper to do that, and it
means that call centers do not have to pay for ($15k/year) and keep
track of the DnC it wouldnt suprise me if more and more would be doing
just that.  Nice loophole, force the jobs off shore not just for salary
and "tax" reasons but also for legal compliance reasons.  

> This speaks to how disappointingly rarely SIP URIs are used as inbound  
> calling pointers.  I've often received "broken" calls (people testing  
> their setups) but not "spam" calls.  I'm just not sure the market  
> exists for solutions to a problem that doesn't exist yet.  This is  
> different than using Asterisk to screen traditional PSTN calls for  
> spammish nature, which we talk about above.

I think that is because you are thinking about this only as a voip call
and not all calls.  If its enum it has to be a pstn number that is
looked up per the RFC, specifically it says that nothing should be in
enum that is not a pstn number.  Ok fine some people put other stuff in
too, big deal, but that strongly implies that I was thinking about this
for more than voip based calls, one sure fire way to break this system
with voip calls is send a non e.164 number because that means it wont be
in the RBL.


-- 
Trixter http://www.0xdecafbad.com     Bret McDanel
Belfast +44 28 9099 6461        US +1 516 687 5200
http://www.trxtel.com the phone company that pays you!




More information about the asterisk-biz mailing list