Hi,

Some people have suggested maintaining black lists and white lists to avoid spammers and allow legitimate callers into the network. However, the problem with this method is that the spammer's IP address might change due to DHCP. Today a spammer might get aaa.bbb.ccc.ddd and let's say that I put this address in my blacklist. To my annoyance, tomorrow a legitimate caller might get aaa.bbb.ccc.ddd and the spammer might get a different IP address. In the end, I end up blocking the legitimate caller also. Any ideas or thoughts on this problem are appreciated.

Thanks,
Tom

Tom Green wrote:
> Hi,
>
> Some people have suggested maintaining black lists and
> white lists to avoid spammers and allow legitimate
> callers into the network. However, the problem with
> this method is that the spammer's IP address might
> change due to DHCP. Today a spammer might get
> aaa.bbb.ccc.ddd and let's say that I put this address
> in my blacklist. To my annoyance, tomorrow a
> legitimate caller might get aaa.bbb.ccc.ddd and the
> spammer might get a different IP address. In the end,
> I end up blocking the legitimate caller also. Any
> ideas or thoughts on this problem are appreciated.
>
> Thanks,
> Tom

Yeah, for a relatively modern protocol SIP has some surprisingly glaring omissions, such as:

- certificate based authentication
- encryption
- NAT-awareness

-brian

Tom Green wrote:
> Some people have suggested maintaining black lists and
> white lists to avoid spammers and allow legitimate
> callers into the network. However, the problem with
> this method is that the spammer's IP address might
> change due to DHCP. Today a spammer might get
> aaa.bbb.ccc.ddd and let's say that I put this address
> in my blacklist. To my annoyance, tomorrow a
> legitimate caller might get aaa.bbb.ccc.ddd and the
> spammer might get a different IP address. In the end,
> I end up blocking the legitimate caller also. Any
> ideas or thoughts on this problem are appreciated.

A couple of discussions about this have come up, and something occurred to me about the FCC decision about Free World Dialup not being classified as a phone service. This opens the flood gates to telemarketers to FWD users as they don't have to honour any form of do not call list the FCC issues, which then of course leads on to other systems like IAXTEL with all voice data over the internet rather than the PSTN network...

Also a possible solution may have come out of the same discussions, technically if everyone enforces some kind of enum lookup before accepting calls, and the same enum lookup will return NAPTR records, so a slight modification to loop through all DNS records could then be checked against the current hostname/IP in a similar fashion to SPF records and mail servers...

End result is a nice neat little database of blacklisted phone numbers rather than IPs, you'd need some resolution service/time-out period to remove the black listing, but mmmm lot harder to get new phone numbers than new IPs...

PS We've come up with a patch to the enum lookup to return a Caller Name from a TXT record, appreciate any feedback, our C skills are a little rusty so it's possibly not the most elegant solution...

http://bugs.digium.com/bug_view_page.php?bug_id=0001442

--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers
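
The ENUM check proposed in the message above, sketched as an added example (not code from the thread or from the linked patch). The NAPTR and address tables are constructed stand-ins for DNS answers, and the names `enum_domain`, `authorised_hosts`, `NumberBlacklist` and `accept_call` are hypothetical.

```python
import re
import time

# Constructed stand-ins for DNS answers; a live check would query DNS instead.
NAPTR = {
    "4.3.2.1.5.5.5.2.1.6.1.e164.arpa": [
        (100, 10, "E2U+sip", "!^.*$!sip:alice@pbx.example.net!"),
        (100, 20, "E2U+iax2", "!^.*$!iax2:guest@iax.example.net/1000!"),
    ],
}
ADDRS = {"pbx.example.net": {"192.0.2.10"}, "iax.example.net": {"192.0.2.11"}}

def enum_domain(e164, suffix="e164.arpa"):
    """'+1 612 555 1234' -> '4.3.2.1.5.5.5.2.1.6.1.e164.arpa'."""
    digits = re.sub(r"\D", "", e164)
    return ".".join(reversed(digits)) + "." + suffix

def authorised_hosts(e164):
    """Loop through all NAPTR records and collect the host in each URI."""
    hosts = set()
    for _order, _pref, _service, regexp in NAPTR.get(enum_domain(e164), []):
        parts = regexp.split(regexp[0])  # ['', pattern, replacement, flags]
        if len(parts) < 3:
            continue
        m = re.match(r"[a-z0-9]+:(?:[^@]*@)?([^:/;>]+)", parts[2], re.I)
        if m:
            hosts.add(m.group(1).lower())
    return hosts

class NumberBlacklist:
    """Blacklist keyed by phone number, with a time-out that lifts the block."""
    def __init__(self, ttl=86400):
        self.ttl, self._until = ttl, {}
    def block(self, e164, now=None):
        now = time.time() if now is None else now
        self._until[enum_domain(e164)] = now + self.ttl
    def is_blocked(self, e164, now=None):
        now = time.time() if now is None else now
        return self._until.get(enum_domain(e164), 0) > now

def accept_call(caller, source_ip, blacklist, now=None):
    """SPF-style check: does the source IP belong to a host ENUM lists?"""
    if blacklist.is_blocked(caller, now):
        return False, "number blacklisted"
    allowed = {ip for h in authorised_hosts(caller) for ip in ADDRS.get(h, ())}
    if source_ip not in allowed:
        return False, "source not listed in ENUM"
    return True, "ok"
```

The check only means something if the claimed caller number is looked up in a zone the caller cannot write to; a number with no NAPTR records is rejected here, which is the strict reading of "enforces some kind of enum lookup before accepting calls".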

At 8:32 AM -0700 on 4/15/04, Tom Green wrote:
> Hi,
>
> Some people have suggested maintaining black lists and
> white lists to avoid spammers and allow legitimate
> callers into the network. However, the problem with
> this method is that the spammer's IP address might
> change due to DHCP. Today a spammer might get
> aaa.bbb.ccc.ddd and let's say that I put this address
> in my blacklist. To my annoyance, tomorrow a
> legitimate caller might get aaa.bbb.ccc.ddd and the
> spammer might get a different IP address. In the end,
> I end up blocking the legitimate caller also. Any
> ideas or thoughts on this problem are appreciated.
>
> Thanks,
> Tom

I've read the rest of this thread about PKI, shared certs, etc. but I think that an important middle step is being missed by everyone.

I believe strongly in the concept of end-to-end connectivity as the "optimal" method to ensure authentication and authorization between two user agents (web, voip, email, whatever.) However, it is often difficult to build such mechanisms that are easily used by the "end user." Most end users will happily hand over the responsibility for protection against "spam" in any form to a central administrator, and I think that as a first step it is appropriate to move the smart stuff to a central server instead of to every user's desktop (though eventually there should be smart stuff on the desktop.)

To this end: why is it _mandatory_ that all VOIP endpoints accept calls from other endpoints? Of course, you could filter based on some type of kludge-y network filters, but that is ugly and does not scale. SIP (and possibly IAX; I haven't looked at it much) have the ability to demand credentials from the remote host. Why don't we use these features?

Here is my ideal world: When a SIP INVITE (or NOTIFY, or whatever) hits my desk SIP phone, it should refuse the message with a "401 Unauthorized" message. Without correct credentials, messages simply aren't allowed past the threshold of the SIP UA. This should be a configurable option on my SIP UA - maybe I have some reasons to allow all messages from all hosts at some time. However, most of the time I would want my SIP server (Asterisk, SER, whatever) to be in the path, and that "smart" gateway could do my blacklisting, authentication (PKI, etc.) and other tasks which would require more brains and more central administration.

No SIP device that I've ever seen has the option to deny SIP messages from all but authenticated hosts. Why is that? Seems pretty obvious. It's always the other way around - SIP proxies allow or disallow messages according to authentication credentials (shared secret.) Since I've never seen this in place, perhaps it is the case that I am misunderstanding how authentication can possibly work with SIP between a UA and a proxy?

JT
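
The UA-side behaviour described in the message above, as an added example (not code from the thread or from any SIP stack): the phone answers 401 with a digest challenge and lets the INVITE through only when the sender proves knowledge of a secret shared with the phone. The function names, the sample INVITE and the credential values are constructed; the digest is the RFC 2617 form without `qop`.

```python
import hashlib
import hmac
import re

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def build_invite(uri, authorization=None):
    """Constructed sample request; only the fields this check reads."""
    lines = [f"INVITE {uri} SIP/2.0", "From: <sip:pbx@example.net>",
             f"To: <{uri}>", "CSeq: 1 INVITE"]
    if authorization:
        lines.append("Authorization: " + authorization)
    return "\r\n".join(lines) + "\r\n\r\n"

def ua_handle(request, realm, nonce, user, password):
    """Answer 401 unless the request carries a valid digest for `nonce`.

    A real UA would issue a fresh random nonce per challenge and expire it;
    it is passed in here so the example is deterministic.
    """
    head = request.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, _version = head[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in head[1:])}
    challenge = ("SIP/2.0 401 Unauthorized\r\n"
                 f'WWW-Authenticate: Digest realm="{realm}", nonce="{nonce}"'
                 "\r\n\r\n")
    auth = headers.get("authorization", "")
    if not auth.startswith("Digest "):
        return challenge
    p = dict(re.findall(r'(\w+)="([^"]*)"', auth))
    expected = digest_response(user, realm, password, method, uri, nonce)
    fields_ok = (p.get("username"), p.get("realm"), p.get("nonce"),
                 p.get("uri")) == (user, realm, nonce, uri)
    sent = p.get("response", "").encode()
    if fields_ok and hmac.compare_digest(sent, expected.encode()):
        return "SIP/2.0 180 Ringing\r\n\r\n"
    return challenge
```

Binding the `uri` parameter to the request line and comparing the nonce exactly is what stops a captured Authorization header from being replayed against a different target or a later challenge.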