At 7:14 PM +0200 on 8/10/04, Soren Rathje wrote:>Gang, > >Do anyone have a clue on how they do this ?? > >"QOVIA FILES PATENTS FOR VOICE SPAM BLOCKING TECHNOLOGY" >http://www.qovia.com/company/news/06.28.2004_voip_spam_patent_app_final.htm > >"Qovia ready to take on VoIP spam" >http://www.nwfusion.com/news/2004/071204qovia.html > >Next thing will probably be a sbl.e164.org service to block spammers >like we do with email... :-) > >Hmm.. Imagine a built-in reporting tool in Asterisk. Hit **666**# >and Asterisk will report the IP address of the caller (and possibly >also the CID but it can be forged as we all know) on-line and in >real-time to a SBL list for immediate blocking and further >processing... > >Any takers ?? > >/Soren > >It is the mark of an educated mind to be able to entertain a thought >without accepting it. >- AristotleVOIP Spam is actually pretty trivial to take care of, if only the manufacturers would wise up. We're in the same place we were with SMTP about twelve years ago. I'm sure we'll see a slew of patents and chest-pounding by people with obvious or trivial solutions - welcome to the New WIPO World. The solution is simple: "End devices should have the option to only accept authenticated requests." That's pretty simple, but that is the key to the whole solution. However, most end devices will blindly accept any call that they're given, so long as the destination number is correct. I've seen a few phones (Polycom is the only one that comes to mind) which will challenge INVITEs. SIP devices are pretty smart, but I don't think they're capable of being "totally" smart. The proxy in the middle will have to retain some intelligence and reference some type of permissions model or database to allow calls through or not. I trust that industry (and quasi-industry, like Asterisk) programmers will come up with dozens of ways of intercepting and thrashing unsolicited phone call, so long as there is no back door that the spammer can sleaze through to get right to the desktop. TLS SIP is also a nice concept, since it would require some sort of "root" authentication that could be revoked or at least recognized if a spam origin was adequately recognized. This is all starting to sound a lot like an anti-spam thread, so I'll stop here. Most intelligent people on the list should be able to figure out a bunch of ways to prevent spam, but the primary one is accountability of origin. Anything that allows that accountability to be compromised from the perspective of the destination means that spam will inevitably slide in, so it is our job to enforce sane authentication/authorization mechanisms NOW on the vendors from whom we buy equipment/firmware. JT
voip spam? I have never gotten any yet. ----- Original Message ----- From: "John Todd" <jtodd@loligo.com> To: <asterisk-users@lists.digium.com> Sent: Tuesday, August 10, 2004 11:13 AM Subject: [Asterisk-Users] Re: VoIP SPAM, what's next ?> At 7:14 PM +0200 on 8/10/04, Soren Rathje wrote: >>Gang, >> >>Do anyone have a clue on how they do this ?? >> >>"QOVIA FILES PATENTS FOR VOICE SPAM BLOCKING TECHNOLOGY" >>http://www.qovia.com/company/news/06.28.2004_voip_spam_patent_app_final.htm >> >>"Qovia ready to take on VoIP spam" >>http://www.nwfusion.com/news/2004/071204qovia.html >> >>Next thing will probably be a sbl.e164.org service to block spammers like >>we do with email... :-) >> >>Hmm.. Imagine a built-in reporting tool in Asterisk. Hit **666**# and >>Asterisk will report the IP address of the caller (and possibly also the >>CID but it can be forged as we all know) on-line and in real-time to a SBL >>list for immediate blocking and further processing... >> >>Any takers ?? >> >>/Soren >> >>It is the mark of an educated mind to be able to entertain a thought >>without accepting it. >>- Aristotle > > > VOIP Spam is actually pretty trivial to take care of, if only the > manufacturers would wise up. We're in the same place we were with SMTP > about twelve years ago. I'm sure we'll see a slew of patents and > chest-pounding by people with obvious or trivial solutions - welcome to > the New WIPO World. > > The solution is simple: "End devices should have the option to only accept > authenticated requests." > > That's pretty simple, but that is the key to the whole solution. However, > most end devices will blindly accept any call that they're given, so long > as the destination number is correct. I've seen a few phones (Polycom is > the only one that comes to mind) which will challenge INVITEs. SIP > devices are pretty smart, but I don't think they're capable of being > "totally" smart. The proxy in the middle will have to retain some > intelligence and reference some type of permissions model or database to > allow calls through or not. I trust that industry (and quasi-industry, > like Asterisk) programmers will come up with dozens of ways of > intercepting and thrashing unsolicited phone call, so long as there is no > back door that the spammer can sleaze through to get right to the desktop. > > TLS SIP is also a nice concept, since it would require some sort of "root" > authentication that could be revoked or at least recognized if a spam > origin was adequately recognized. This is all starting to sound a lot > like an anti-spam thread, so I'll stop here. Most intelligent people on > the list should be able to figure out a bunch of ways to prevent spam, but > the primary one is accountability of origin. Anything that allows that > accountability to be compromised from the perspective of the destination > means that spam will inevitably slide in, so it is our job to enforce sane > authentication/authorization mechanisms NOW on the vendors from whom we > buy equipment/firmware. > > JT > _______________________________________________ > Asterisk-Users mailing list > Asterisk-Users@lists.digium.com > http://lists.digium.com/mailman/listinfo/asterisk-users > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users---------------------------------------- My Inbox is protected by SPAMfighter 321 spam mails have been blocked so far. Download free www.spamfighter.com today!
John Todd wrote:> At 7:14 PM +0200 on 8/10/04, Soren Rathje wrote: >> Gang, >>[snip]>> >> /Soren >> >> It is the mark of an educated mind to be able to entertain a thought >> without accepting it. >> - Aristotle >Ok, so we moved here from *-dev, no problem... ;-)> > VOIP Spam is actually pretty trivial to take care of, if only the > manufacturers would wise up. We're in the same place we were with > SMTP about twelve years ago. I'm sure we'll see a slew of patents > and chest-pounding by people with obvious or trivial solutions - > welcome to the New WIPO World. > > The solution is simple: "End devices should have the option to only > accept authenticated requests."If IP Telephony is supposed to "grow up"/mature into a technology that will replace TDM over time, this is not an option unless you are building whitelists of gigantic proportions...> That's pretty simple, but that is the key to the whole solution. > However, most end devices will blindly accept any call that they're > given, so long as the destination number is correct. I've seen a few > phones (Polycom is the only one that comes to mind) which will > challenge INVITEs. SIP devices are pretty smart, but I don't think > they're capable of being "totally" smart. The proxy in the middle > will have to retain some intelligence and reference some type of > permissions model or database to allow calls through or not. I trust > that industry (and quasi-industry, like Asterisk) programmers will > come up with dozens of ways of intercepting and thrashing unsolicited > phone call, so long as there is no back door that the spammer can > sleaze through to get right to the desktop.It challenges the concept of e164.arpa.> TLS SIP is also a nice concept, since it would require some sort of > "root" authentication that could be revoked or at least recognized if > a spam origin was adequately recognized. This is all starting to > sound a lot like an anti-spam thread, so I'll stop here. Most > intelligent people on the list should be able to figure out a bunch > of ways to prevent spam, but the primary one is accountability of > origin. Anything that allows that accountability to be compromised > from the perspective of the destination means that spam will > inevitably slide in, so it is our job to enforce sane > authentication/authorization mechanisms NOW on the vendors from whom > we buy equipment/firmware.Right, the sole purpose of the original post (in asterisk-dev) was to figure out how aware people are of this potential problem and also if people think of this as a problem. /Soren