The SPITstorm is upon us already

Ideally, every VoIP provider should allow open access to incoming calls over the Internet. Yet, few of them do. They know that as soon as they open it up, their subscribers will be inundated with SPIT (SPam over Internet Telephony). SPIT is worse than traditional telemarketing because all calls are automated, they come at all hours of the night and 100% of them are scams. This causes the next generation phone networks to be closed and is actually stalling true VoIP acceptance.

Today, the problem is no longer exclusive to VoIP subscribers. We are already seeing SPIT being received on traditional phone lines. Instead of going to open SIP ports, the calls go to VoIP gateway providers, which send them on to regular telephones. Have you ever received a call telling you to press 1 to lower your credit card bills? That’s SPIT. The callers use low-cost VoIP providers with stolen credit cards and botnets to initiate the calls. Many of the calls are completely automated and collect the credit card numbers without having to talk to an agent.

This is only going to get worse in the near future. Unfortunately, there isn’t much that traditional telcos can do to deal with it. They don’t have the luxury of knowing the originating IP. They may be able to strong-arm the VoIP provider into cutting off customers that are sending SPIT, but that can be tricky and there will need to be some major changes to how telcos work and communicate with each other for this to actually happen.

If you have a true VoIP service which includes an open SIP port, the solution to this is fairly simple. Create a method to distinguish legitimate callers from SPIT. This can be a combination of several things including vocal captchas, a database of IP addresses (known good or known bad), access codes, and a method for users to report SPIT.

  • A “vocal captcha” would be a string of numbers that the caller will have to enter. It can even include some basic math: “Johnny has 3 apples and 5 oranges, take away 2 apples and 3 oranges, how many apples does he have left?”
  • Once a caller has passed the captcha, their IP will be entered into the IP address whitelist. The next time they call, they won’t be presented with a captcha. If they fail the captcha repeatedly, they would go into a blacklist. These can be shared in a similar manner to how spam blacklists are maintained today.
  • Access codes can be given to individual callers so they can bypass the captcha. These would be unique and revocable.
  • If all of the above fails and a user still gets a SPIT call, they will enter a star code to report it. They will also have an option in their voicemail prompts to report SPIT.
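One way the screening steps in the list above could fit together, as an added example that is not part of the original post or of any Indosoft product. The class and method names, the three-failure threshold, the rule that a blacklist entry outranks an access code, and the rule that a user report blacklists the IP are all assumptions; the sample IPs are constructed from documentation ranges.

```python
import secrets

MAX_FAILURES = 3  # assumption: the post only says "repeatedly"

class SpitScreen:
    """Illustrative call screen keyed on the caller's source IP."""

    def __init__(self):
        self.whitelist, self.blacklist = set(), set()
        self.access_codes = {}   # code -> who it was issued to
        self.failures = {}       # ip -> consecutive captcha failures

    def issue_code(self, issued_to):
        code = f"{secrets.randbelow(10**6):06d}"   # six DTMF digits
        while code in self.access_codes:           # keep codes unique
            code = f"{secrets.randbelow(10**6):06d}"
        self.access_codes[code] = issued_to
        return code

    def revoke_code(self, code):
        self.access_codes.pop(code, None)

    def screen(self, ip, access_code=None):
        """Return 'reject', 'connect' or 'captcha' for an incoming call."""
        if ip in self.blacklist:          # assumption: blacklist outranks codes
            return "reject"
        if ip in self.whitelist or access_code in self.access_codes:
            return "connect"
        return "captcha"

    def captcha_result(self, ip, expected, entered):
        """Record one captcha attempt and return the next action."""
        if secrets.compare_digest(expected, entered):
            self.failures.pop(ip, None)
            self.whitelist.add(ip)        # no captcha on the next call
            return "connect"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= MAX_FAILURES:
            self.blacklist.add(ip)
            return "reject"
        return "captcha"

    def report_spit(self, ip):
        """Star-code or voicemail report (assumed to blacklist the IP)."""
        self.whitelist.discard(ip)
        self.blacklist.add(ip)
```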

The sooner we get this done, the sooner we’ll be able to use VoIP properly, without having to rely on traditional phone companies. At Indosoft, we’re working on implementing some of these features into our products. Many of them (like the captchas) may be difficult for users to accept, but it won’t be long before they’re easier to accept than the SPITstorm. We’re spending a fair amount of time for R&D on this and we suspect many other VoIP product companies are as well. We expect there will be a competitive advantage to providers (business and residential) who offer this service as it is unlikely that traditional telcos will be able or willing to offer this level of SPIT protection.
