Most e-mail users are familiar with receiving spam on a daily basis, or use filtering software to block the messages. But imagine picking up your voicemail at the end of the day, only to find dozens of recorded messages offering you discounted prescription drugs or an opportunity to start a home-based business. Unfortunately, it’s now possible, with sophisticated spammers looking toward VoIP voicemail boxes as their latest targets.
Spam over Internet Telephony (SPIT) incidents are already being reported in Japan, where the VoIP market is more mature than in North America. A major VoIP provider, SoftbankBB, found three incidents of SPIT within its network, which included unsolicited commercial messages for an adult Web site and illegitimate requests for personal information.
As VoIP adoption continues to accelerate and technology is now available to block unwanted e-mails, it is reasonable to expect that SPIT attacks will quickly follow. As organizations plan and deploy VoIP networks, SPIT should be considered a very real threat and proactively addressed as part of an overall security strategy.
Imagining the Impact of SPIT Attacks
Within the VoIP network, voice spammers will execute attacks in a manner similar to how they now do so using e-mail, by harvesting user information, creating a script and sending messages. Clearly, there will be a high level of inconvenience to both business and personal users as they are forced to deal with unwanted messages.
An influx of hundreds or thousands of voicemails each day, or even each hour, could quickly overload the system, resulting in a Denial of Service (DoS) attack, which would impact the overall reliability and availability of the VoIP network. For both public and private sector organizations, DoS-type attacks would clearly have significant consequences.
SPIT attacks could also take the form of automated mass calling and/or telemarketing-type scams. In this scenario, using the IP network, spammers could falsify the caller ID to reach users. With the traditional telephone network, users generally trust the system. These types of attacks would not only erode trust in the IP-based phone system but also open up a whole new host of victims for spammers and scammers that they couldn’t reach on e-mail. This opportunistic practice could result in major resistance to VoIP entering the mainstream.
And this could seriously impact service providers and enterprises. Service providers, who have built their brands on trust, cannot afford to have confidence in the security and integrity of their services called into question. VoIP is marketed on ease of use, low, controlled cost and convenience. SPIT eliminates these benefits.
Enterprises rely heavily on the phone to conduct business, and they need to ensure that their customers know that it is actually them on the other end of the line, and not someone misrepresenting their organization.
Addressing the SPIT Threat
In recent years, numerous techniques and technologies have been developed to fight e-mail-based spam, including antispam appliances, client-based filters, whitelist/blacklist technologies, and social networks, all of which provide a strong starting point for combating SPIT. However, several significant differences between data and voice networks mean that combating SPIT requires a unique approach.
For example, a voice call consists of two phases. In the signalling phase, information is exchanged between the VoIP network and the end-points to establish the call; in the second phase, the voice conversation is carried over a media stream, in most cases directly between the end-points. In the signalling phase, basic information about the identity of the end-points can be obtained relatively easily by analyzing the content of the signalling protocols, including source addresses, country of origin and call patterns. However, this information alone is not sufficient to combat more sophisticated “spitters” that could easily spoof source addresses. While in the case of e-mail spam additional information such as the subject and content of the e-mail is available for analysis, in the world of VoIP spam that information is not easily available. Theoretically, it may be possible to collect all the VoIP packets carrying the conversation, reassemble them into speech and then analyze the content. However, this is a very difficult technical problem that cannot be addressed by the existing technology.
To cope with this issue, some help from the end-user will be required in the form of user feedback that could provide additional information to classify a specific call/voice mail as spam or a valid message.
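The signalling-phase analysis and user feedback described above, as an added example that is not part of the original article: a Python scorer that rates each call from its signalling message alone, combining a per-source call pattern with user spam reports. It assumes SIP as the signalling protocol; the sample INVITEs, addresses, weights and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque

def invite(user, callee):  # builds a constructed SIP INVITE (request line + From/To)
    return (f"INVITE sip:{callee}@example.com SIP/2.0\r\n"
            f"From: <sip:{user}@example.net>;tag=1\r\n"
            f"To: <sip:{callee}@example.com>\r\n\r\n")

# Constructed sample: (arrival time in seconds, source IP, raw INVITE).
SAMPLE = [(t, "198.51.100.7", invite("promo", f"user{t}")) for t in range(8)]
SAMPLE += [(3, "203.0.113.20", invite("alice", "bob")),
           (40, "203.0.113.20", invite("alice", "bob"))]

URI = re.compile(r"^(From|To):.*?<sip:([^>;]+)>", re.I | re.M)

def parse_invite(raw):
    """Return (caller, callee) from the From/To headers, or None."""
    if not raw.startswith("INVITE "):
        return None
    hdrs = {m.group(1).lower(): m.group(2).lower() for m in URI.finditer(raw)}
    return (hdrs["from"], hdrs["to"]) if {"from", "to"} <= hdrs.keys() else None

class SpitScorer:
    """Scores calls from signalling only: callee fan-out per source plus user reports."""
    def __init__(self, window=10, max_callees=5):  # illustrative values
        self.window, self.max_callees = window, max_callees
        self.recent = defaultdict(deque)   # source IP -> (time, callee)
        self.reported = defaultdict(int)   # caller identity -> report count

    def report_spam(self, caller):
        self.reported[caller.lower()] += 1

    def score(self, now, src_ip, raw):
        parsed = parse_invite(raw)
        if parsed is None:
            return 1.0                     # unparseable signalling is suspect
        caller, callee = parsed
        q = self.recent[src_ip]
        q.append((now, callee))
        while now - q[0][0] > self.window: # drop calls outside the window
            q.popleft()
        fanout = min(len({c for _, c in q}) / self.max_callees, 1.0)
        feedback = min(self.reported[caller], 3) / 3
        return round(0.6 * fanout + 0.4 * feedback, 2)

def run(sample=SAMPLE, threshold=0.5):
    scorer = SpitScorer()
    scorer.report_spam("promo@example.net")  # one user flagged a voicemail
    return [(ip, s) for t, ip, raw in sorted(sample, key=lambda e: e[0])
            if (s := scorer.score(t, ip, raw)) >= threshold]
```

The call pattern is keyed on the source address and the feedback on the claimed caller identity, so spoofing one of the two does not reset the other signal.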
An effective approach to combating SPIT will likely build on existing data-centric anti-spam technologies and focus on adapting them for the VoIP market. Solutions will need to be designed that address key VoIP issues, including the need for real-time analysis of incoming traffic, as very little delay can be introduced if users are to be able to carry out a phone conversation. Furthermore, like existing PSTN services, VoIP services are held to extremely high availability standards, based on the principle of availability 99.999 per cent of the time, which equates to less than five minutes of downtime per year. The result is that any SPIT or security solution that introduces delay will not meet these requirements.
Another key issue is that the current focus is on addressing standard Internet protocol-specific traffic, which fails to address the majority of organizations that are running VoIP on equipment from Cisco, Nortel, or Avaya supporting non-standard signalling protocols. Any anti-SPIT solutions will need to cut across vendors and systems to ensure that SPIT is not able to penetrate any vendor’s network.
Conclusion
While SPIT has not yet wreaked any damage in North America, it is a threat that clearly needs to be addressed when planning for VoIP. The lessons learned from e-mail spam provide only a taste of the consequences of leaving systems open to spammers, and organizations must plan ahead so they are ready for when SPIT becomes a reality. A proactive VoIP security plan should include SPIT as an emerging area of vulnerability and take steps to monitor the industry for new developments in the coming months.