[Asterisk-Users] Preventing abuse of Goiax
Jayson Smith
jaybird at jaybird.no-ip.info
Fri Oct 21 07:34:01 MST 2005
Hi,
Here are a few more thoughts for ways to cut down on abuse. These pretty
much center on making it more difficult for abusers to create accounts.
Everyday users are also subject to these rules, but they shouldn't really
matter if the purpose behind them is to cut down on abuse which could cause
everybody to lose in the long run.
1. Time delay. Ok, you just created your account, but you can't use it for
several hours, maybe 24, 48, 72 or so, or maybe shorter. When the account
is activated, you get an Email telling you, and maybe you have to confirm by
clicking on a link. This also confirms that the Email address you provided
is valid. The advantage here is that, when an abuser gets locked out, he
can't create a new account and immediately have access again.
2. Link accounts. If a guy creates several accounts from the same IP in a
short period of time, link them. If he loses one, he loses them all. This
would keep people from circumventing the time delay proposed above by having
many accounts available in case one gets locked out.
3. This is a test. This is only a test. During the account signup
process, give the applicant a multiple choice quiz. Come up with a question
pool of fifty or a hundred questions. Pull five or ten at random, and in
random order, and ask them. Randomize the order of the choices, and *never*
have the correct choice for any question selected by default. These should
be questions most people should be able to answer, possibly in their sleep.
Maybe related to VOIP telephony, etc. The question pool should remain
unpublished so as not to allow abusers to make bots that can answer the
questions automatically.
Just a few more thoughts.
Jayson.
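The activation delay and account-linking rules proposed in items 1 and 2 above, as an added example in Python. This is not code from the original message or from Goiax; the class names, the 24-hour activation delay, the 6-hour linking window and the sample addresses are assumptions.

```python
"""Signup controls from items 1 and 2 above: an activation delay with
e-mail confirmation, and linking of accounts created from the same IP
within a short window so that locking one locks them all.
Added example, not Goiax code; names and thresholds are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ACTIVATION_DELAY = timedelta(hours=24)  # assumed: no calls for 24h after signup
LINK_WINDOW = timedelta(hours=6)        # assumed: same-IP signups within 6h are linked


@dataclass
class Account:
    email: str
    ip: str
    created: datetime
    confirmed: bool = False          # set when the activation e-mail link is clicked
    locked: bool = False
    linked: set = field(default_factory=set)  # e-mails of accounts linked to this one


class SignupRegistry:
    def __init__(self):
        self.accounts = {}  # email -> Account

    def create(self, email, ip, now):
        acct = Account(email, ip, now)
        # Link to every existing account from the same IP created within LINK_WINDOW.
        # Links are symmetric, so a chain of signups spaced under the window ends
        # up in one connected group even if the first and last are hours apart.
        for other in self.accounts.values():
            if other.ip == ip and now - other.created <= LINK_WINDOW:
                acct.linked.add(other.email)
                other.linked.add(email)
        self.accounts[email] = acct
        return acct

    def confirm(self, email):
        self.accounts[email].confirmed = True

    def may_use(self, email, now):
        """An account may place calls only once confirmed, unlocked and past the delay."""
        acct = self.accounts[email]
        return (acct.confirmed and not acct.locked
                and now - acct.created >= ACTIVATION_DELAY)

    def lock(self, email):
        """Lock an account and everything transitively linked to it; return the set locked."""
        locked, stack = set(), [email]
        while stack:
            e = stack.pop()
            if e in locked:
                continue
            locked.add(e)
            self.accounts[e].locked = True
            stack.extend(self.accounts[e].linked)
        return locked


def demo():
    """Constructed scenario: three chained signups from one IP, one from another."""
    reg = SignupRegistry()
    t0 = datetime(2005, 10, 21, 8, 0)
    reg.create("a@example.com", "192.0.2.10", t0)
    reg.create("b@example.com", "192.0.2.10", t0 + timedelta(hours=3))
    reg.create("c@example.com", "192.0.2.10", t0 + timedelta(hours=8))  # links to b only
    reg.create("d@example.com", "192.0.2.20", t0 + timedelta(hours=1))
    reg.confirm("a@example.com")
    usable_early = reg.may_use("a@example.com", t0 + timedelta(hours=2))
    usable_later = reg.may_use("a@example.com", t0 + timedelta(hours=25))
    locked = reg.lock("a@example.com")  # cascades a -> b -> c, never reaches d
    return usable_early, usable_later, locked, reg.accounts["d@example.com"].locked


if __name__ == "__main__":
    print(demo())
```

The transitive lock in `lock()` is what makes item 2 bite: an abuser who spaces signups a few hours apart still ends up with one connected group, while an unrelated signup from another address is untouched.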
----- Original Message -----
From: "Bill Gibbs" <bgibbs at edurotech.com>
To: "Asterisk Users Mailing List - Non-Commercial Discussion"
<asterisk-users at lists.digium.com>
Sent: Friday, October 21, 2005 9:55 AM
Subject: RE: [Asterisk-Users] Preventing abuse of Goiax
This seems like an over complicated way to solve fraud. I think a small
one time fee (or yearly fee) to sign up will prevent more abuse than
anything.
Anyone who would complain about $10 or $20 to sign up for a lifetime (or
per year or whatever) is a leech if they can't understand WHY there
would be a fraud prevention signup fee. Of course there are people who
bitch about $9 domain names. It's $9 people - and it stops morons from
registering hundreds of domains they will never use!
I certainly would pay a yearly fee to be able to dial anywhere in the
US.
If goiax is nice enough to provide this service we need to give HIM
something back, and hard dollars are the easiest way to make sure it
stays around.
Bill
-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Jayson
Smith
Sent: Friday, October 21, 2005 8:56 AM
To: asterisk-users at lists.digium.com
Subject: [Asterisk-Users] Preventing abuse of Goiax
Hello,
I know this topic has been discussed a lot, but I just wanted to
add in my $0.02 worth about preventing Goiax from being abused.
First, a few things I did which could have raised red flags were
restrictions in place.
1. When I first heard about Goiax, I immediately signed up and
used IaxComm for Windows. I found that by also using Total
Recorder, I could make great recordings of phone numbers. I
recently wrote a Time of Day program for Windows which simulates
some of the older Time of Day services in the US. There is still
one Audichron machine left, using John Doyle's voice, and I wanted
to get it recorded. So during a period of approx. forty-eight
hours, I dialed 410-844-1212 many, many times to get every possible
phrase the machine could say recorded. The system only let me stay
on for one minute at a time, thus there were lots of short calls to
the same number right in a row, all one right after the other.
2. I also like to record telco recordings. I found out about a
set of numbers which let you hear SBC recordings and dialed them
all and recorded them. This meant I placed calls to similar
numbers, sequentially, very quickly and for short call durations.
Now, here are some thoughts on what can be done to possibly avoid
abuse.
1. The number sent out over Caller ID on Goiax calls needs to be
something different. The current number can't even be dialed,
which leaves no accountability. People can just call anybody and
since the origin number isn't even valid, the receiver of annoying
calls is left in the dark, with nothing they can do.
2. One idea would be to have Caller ID send a telephone number
which, when dialed, connects to an automated system. The receiver
of annoying calls can dial this number and enter the number that
was dialed and specify times and dates, and the system can track
who made the calls by this information. The recipient of these
calls can request that no further calls should be allowed at that
number, either from that particular user or, at the receiver's
option, from any Goiax account. If one particular account gets too
many complaints, the account is locked. Of course this doesn't
keep the abuser from making a new account.
3. Once an account is locked, blacklist that Email address from
ever making another account. Once a certain number of Email
accounts at a particular domain have created accounts which have
been locked, blacklist that entire domain. This will keep a guy
with his own domain from creating hundreds of accounts with
throwaway Email addresses, then creating hundreds more with
different throwaway addresses once his first bunch get locked.
4. Possibly add in some verification to keep bots from making
accounts on behalf of humans. Some sites do this anyway to prevent
spam. Unfortunately, I'm blind and absolutely hate those picture
boxes where you have to type in some text displayed in a picture.
Current screen reader technology can't handle these pictures, so if
such a system is used there needs to be an alternative for visually
impaired users.
5. If suspicious behavior is observed, e.g. lots of short calls,
lots of frequent calls to the same number, etc., the system should
put an alert on that account and mark it for human examination. If
the behavior continues for a certain amount of time, lock the
account or lock the numbers being dialed, or put restrictions on
how often the service may be used, or...
6. Automated callback verification using a subscriber's phone
number is probably not a good idea. For one thing, assuming only
US numbers are allowed, this prevents international people from
using the service. Also, it's easy to get a new phone number. A
user could get a DID from another provider for the sole purpose of
authenticating with Goiax. Then, the DID is either discarded or
never used again. If discarded and somebody else gets that number
and the new Goiax user turns out to be a bad apple, the unlucky
person who wound up with that number gets held responsible for the
abuser's actions.
7. Only allowing people with DIDs to outdial probably wouldn't be
effective. Even if you create some rules like, the DID must have
been called at least X times, etc. the user could just stop using
the DID. If the DID was sent out over Caller ID, the user could
either just not have it active, or set up an Asterisk system or
something which answers calls to the DID by saying "You suck!" then
hanging up. Or, worse, a user could even go through his logs and
post phone numbers of people who call his DID who, presumably, are
complaining about annoying calls from this very person, to a public
mailing list or something.
Well, those were just a few thoughts.
Jayson.
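The suspicious-behavior check from item 5 above (many short calls, many calls to the same number, sequential dialing as in the SBC recordings case), as an added example in Python run over constructed Asterisk-style CDR lines. This is not code from the original message or from Goiax; the CDR field layout, the thresholds and the sample data are assumptions.

```python
"""Item 5 above in code: flag accounts whose call pattern (many short calls,
many calls to one number, sequential dialing) warrants human examination,
run over constructed Asterisk-style CDR lines.
Added example, not Goiax code; field layout, thresholds and sample data are assumptions."""
import csv
from collections import Counter, defaultdict
from datetime import datetime
from io import StringIO

# Assumed thresholds; a real deployment would tune them against its own traffic.
SHORT_CALL_SECONDS = 90
MAX_SHORT_CALLS = 5
MAX_REPEATS_ONE_NUMBER = 4
MAX_SEQUENTIAL_RUN = 3

# Constructed sample CDR: accountcode,dst,start,duration_seconds
# acct1 mirrors the repeated one-minute Time-of-Day calls described above,
# acct2 mirrors the sequential short calls, acct3 is ordinary use.
SAMPLE_CDR = """\
acct1,4108441212,2005-10-20 10:00:00,60
acct1,4108441212,2005-10-20 10:01:30,60
acct1,4108441212,2005-10-20 10:03:00,60
acct1,4108441212,2005-10-20 10:04:30,60
acct1,4108441212,2005-10-20 10:06:00,60
acct1,4108441212,2005-10-20 10:07:30,60
acct2,2125550100,2005-10-20 11:00:00,20
acct2,2125550101,2005-10-20 11:00:40,15
acct2,2125550102,2005-10-20 11:01:20,18
acct2,2125550103,2005-10-20 11:02:00,22
acct3,3125551234,2005-10-20 12:00:00,600
acct3,7735559876,2005-10-20 13:15:00,420
"""


def parse_cdr(text):
    """Parse CSV CDR lines into (accountcode, dst, start, duration) sorted by start."""
    rows = []
    for acct, dst, start, dur in csv.reader(StringIO(text)):
        rows.append((acct, dst, datetime.strptime(start, "%Y-%m-%d %H:%M:%S"), int(dur)))
    rows.sort(key=lambda r: r[2])
    return rows


def longest_sequential_run(calls):
    """Longest run of consecutive calls whose destinations increase by exactly one."""
    best = cur = 1
    for (prev, _, _), (nxt, _, _) in zip(calls, calls[1:]):
        if prev.isdigit() and nxt.isdigit() and int(nxt) == int(prev) + 1:
            cur += 1
            best = max(best, cur)
        else:
            cur = 1
    return best


def review_flags(rows):
    """Return {accountcode: [reasons]} for accounts that should be marked for human review."""
    by_acct = defaultdict(list)
    for acct, dst, start, dur in rows:
        by_acct[acct].append((dst, start, dur))
    flags = {}
    for acct, calls in by_acct.items():
        reasons = []
        short = sum(1 for _, _, d in calls if d < SHORT_CALL_SECONDS)
        if short > MAX_SHORT_CALLS:
            reasons.append(f"{short} calls shorter than {SHORT_CALL_SECONDS}s")
        dst, n = Counter(d for d, _, _ in calls).most_common(1)[0]
        if n > MAX_REPEATS_ONE_NUMBER:
            reasons.append(f"{n} calls to {dst}")
        run = longest_sequential_run(calls)
        if run > MAX_SEQUENTIAL_RUN:
            reasons.append(f"{run} consecutive calls to sequential numbers")
        if reasons:
            flags[acct] = reasons
    return flags


if __name__ == "__main__":
    for acct, reasons in review_flags(parse_cdr(SAMPLE_CDR)).items():
        print(acct, "->", "; ".join(reasons))
```

The output is a review queue, not a lock: as the message says, the account is marked for human examination first, and only continued behavior leads to locking or rate limits, which keeps a legitimate hobbyist recording a time service from being cut off by a heuristic alone.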
_______________________________________________
--Bandwidth and Colocation sponsored by Easynews.com --
Asterisk-Users mailing list
Asterisk-Users at lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users