Measures sought against VoIP spam
Over the next six to twelve months the Internet Engineering Task Force (IETF) is to assess possible measures against "spit" (spam attacks against internet telephony connections). At the 71st meeting of the IETF in Philadelphia the proponents of a first draft architecture had a tough time with their proposal because reliable figures are not yet available for the current threat to internet telephony. However in the end, a majority of the developers did approve the setting up of a "reconnaissance group", tasked with documenting potential threat scenarios and possible countermeasures. A previous proposal for a regular IETF working group on countermeasures to VoIP spam had failed.
Jon Peterson, one of the leaders in the domain of real-time applications and infrastructure (RAI), said there was no evidence at the present time that a "spit" problem existed. In his opinion it was still, at best, theoretical. A representative of the NEC Lab in Heidelberg, on the other hand, said that work on possible solutions to "spit" had already been going on there for three years. At present, he said, the "spit" figures were still small, but "spit" was expected to become a serious problem as internet telephony became more widespread.
"The costs incurred if we do nothing are very high," warns SIP developer Henning Schulzrinne of Columbia University (note: this link is to a PowerPoint presentation). It had taken a long time before anyone reacted to the now-familiar email spam, he pointed out, and now the implementation of countermeasures was struggling along behind the problem. Schulzrinne is one of the authors of an internet draft that contains preliminary recommendations. "Do we really want to wait until we have a VoIP botnet problem?", Schulzrinne asked.
As with email spam, the developers who are already working on possible defences have no magic recipe against "Spit". Among the possible options mooted are solutions involving the identification and authentication of callers, statistical solutions - meaning the blocking of mass calls emanating from one account - or defence through the cost of making a contact (something that was considered for email, but was swiftly rejected).
The experts say that many countermeasures against spam are not very promising for preventing "spit". Filtering by content, the use of complicated addresses not open to automated attack, or the employment of CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart), for example, would make little sense. Even blacklists or hopes of legislation are meeting with reservations. Developers are pinning more hopes on white lists and approval procedures, which however would increase the necessary expense to users. (Monika Ermert) /