[Asterisk-Users] Preventing abuse of Goiax
Jayson Smith
jaybird at jaybird.no-ip.info
Fri Oct 21 05:56:28 MST 2005
Hello,
I know this topic has been discussed a lot, but I just wanted to
add in my $0.02 worth about preventing Goiax from being abused.
First, a few things I did which could have raised red flags were
restrictions in place.
1. When I first heard about Goiax, I immediately signed up and
used IaxComm for Windows. I found that by also using Total
Recorder, I could make great recordings of phone numbers. I
recently wrote a Time of Day program for Windows which simulates
some of the older Time of Day services in the US. There is still
one Audichron machine left, using John Doyle's voice, and I wanted
to get it recorded. So during a period of approx. forty-eight
hours, I dialed 410-844-1212 many, many times to get every possible
phrase the machine could say recorded. The system only let me stay
on for one minute at a time, thus there were lots of short calls to
the same number right in a row, all one right after the other.
2. I also like to record telco recordings. I found out about a
set of numbers which let you hear SBC recordings and dialed them
all and recorded them. This meant I placed calls to similar
numbers, sequentially, very quickly and for short call durations.
Now, here are some thoughts on what can be done to possibly avoid
abuse.
1. The number sent out over Caller ID on Goiax calls needs to be
something different. The current number can't even be dialed,
which leaves no accountability. People can just call anybody and
since the origin number isn't even valid, the receiver of annoying
calls is left in the dark, with nothing they can do.
2. One idea would be to have Caller ID send a telephone number
which, when dialed, connects to an automated system. The receiver
of annoying calls can dial this number and enter the number that
was dialed and specify times and dates, and the system can track
who made the calls by this information. The recipient of these
calls can request that no further calls should be allowed at that
number, either from that particular user or, at the receiver's
option, from any Goiax account. If one particular account gets too
many complaints, the account is locked. Of course this doesn't
keep the abuser from making a new account.
3. Once an account is locked, blacklist that Email address from
ever making another account. Once a certain number of Email
accounts at a particular domain have created accounts which have
been locked, blacklist that entire domain. This will keep a guy
with his own domain from creating hundreds of accounts with
throwaway Email addresses, then creating hundreds more with
different throwaway addresses once his first bunch get locked.
4. Possibly add in some verification to keep bots from making
accounts on behalf of humans. Some sites do this anyway to prevent
spam. Unfortunately, I'm blind and absolutely hate those picture
boxes where you have to type in some text displayed in a picture.
Current screen reader technology can't handle these pictures, so if
such a system is used there needs to be an alternative for visually
impaired users.
5. If suspicious behavior is observed, e.g. lots of short calls,
lots of frequent calls to the same number, etc., the system should
put an alert on that account and mark it for human examination. If
the behavior continues for a certain amount of time, lock the
account or lock the numbers being dialed, or put restrictions on
how often the service may be used, or...
6. Automated callback verification using a subscriber's phone
number is probably not a good idea. For one thing, assuming only
US numbers are allowed, this prevents international people from
using the service. Also, it's easy to get a new phone number. A
user could get a DID from another provider for the sole purpose of
authenticating with Goiax. Then, the DID is either discarded or
never used again. If discarded and somebody else gets that number
and the new Goiax user turns out to be a bad apple, the unlucky
person who wound up with that number gets held responsible for the
abuser's actions.
7. Only allowing people with DIDs to outdial probably wouldn't be
effective. Even if you create some rules like, the DID must have
been called at least X times, etc. the user could just stop using
the DID. If the DID was sent out over Caller ID, the user could
either just not have it active, or set up an Asterisk system or
something which answers calls to the DID by saying "You suck!" then
hanging up. Or, worse, a user could even go through his logs and
post phone numbers of people who call his DID who, presumably, are
complaining about annoying calls from this very person, to a public
mailing list or something.
Well, those were just a few thoughts.
Jayson.
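
The heuristics from point 5 (lots of short calls, frequent calls to the same number), together with the quick sequential dialing described earlier in the post, sketched as an added example that is not part of the original message or of any Goiax code. The record layout, the thresholds, the function name and the sample calls are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; a real service would tune these against its own traffic.
SHORT_CALL_SECS = 60          # a call this short counts as "short"
WINDOW = timedelta(hours=1)   # sliding window examined per account
REPEAT_THRESHOLD = 5          # short calls to one number inside the window
SEQ_THRESHOLD = 4             # consecutive dialed numbers inside the window

def flag_accounts(records):
    """records: iterable of (account, dialed_digits, start, duration_secs).
    Returns {account: set of reasons} for accounts to mark for human review."""
    short_calls = defaultdict(list)
    for acct, dst, start, dur in records:
        if dur <= SHORT_CALL_SECS:
            short_calls[acct].append((start, dst))
    flags = defaultdict(set)
    for acct, calls in short_calls.items():
        calls.sort()
        lo = 0
        for hi in range(len(calls)):
            # Shrink the window until it spans at most WINDOW.
            while calls[hi][0] - calls[lo][0] > WINDOW:
                lo += 1
            window = calls[lo:hi + 1]
            # Heuristic 1: many short calls to the same number.
            same = sum(1 for _, d in window if d == calls[hi][1])
            if same >= REPEAT_THRESHOLD:
                flags[acct].add("repeat-short-calls")
            # Heuristic 2: short calls walking through consecutive numbers.
            nums = sorted({int(d) for _, d in window})
            run = best = 1
            for a, b in zip(nums, nums[1:]):
                run = run + 1 if b == a + 1 else 1
                best = max(best, run)
            if best >= SEQ_THRESHOLD:
                flags[acct].add("sequential-dialing")
    return dict(flags)

def _t(minute):
    return datetime(2005, 10, 21, 12, 0) + timedelta(minutes=minute)

# Constructed sample records (fictional accounts and 555-01xx numbers).
SAMPLE = (
    [("alice", "2025550100", _t(2 * i), 55) for i in range(6)]
    + [("bob", str(2025550140 + i), _t(i), 20) for i in range(5)]
    + [("carol", "2025550199", _t(0), 600), ("carol", "2025550150", _t(30), 45)]
)

if __name__ == "__main__":
    for account, reasons in sorted(flag_accounts(SAMPLE).items()):
        print(account, sorted(reasons))
```

Flagged accounts are only marked for review here; locking or rate limiting would be a separate decision made on top of these flags.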