Internet Telephony Spam

By

This article was published by ComputorEdge, issue #2408, 2006-02-24, as a feature article, in both their print edition (on pages 22 and 24) and their website.

Some computer industry analysts contend that e-mail has proven to be the "killer app" of the Internet, i.e., the #1 technology that has convinced people to make the Internet an indispensable part of their lives. The statistics certainly bear that out, regardless of how difficult the numbers can be to accurately calculate. In 2003, an estimated 452 trillion e-mail messages were sent.

It didn't take long for the marketing enthusiasts of the world to see the potential for commercial advertising to such a huge audience. Unfortunately, this army of marketers quickly extended down to the lower rungs of society, resulting in a growing deluge of unwanted and unsolicited e-mail messages — a.k.a., spam — touting everything from "free" vacations to anatomical enhancement in a pill.

Despite the questionable legislation provided by the U.S. Congress, spam in the United States alone continued to worsen. Just a few years ago, one study indicated that more than half of the messages at that time were "e-mailius non grata".

The Internet community continues its ongoing battle with spam, which takes an incalculable toll upon e-mail users, in the form of wasted time, unwise purchasing decisions, identity theft plows, and the costs of purchasing and updating anti-spam products. In addition, one can only imagine how much time and money has been lost to spam by Internet service providers (ISPs) and other organizations worldwide.

Guess what? We may get to feel the pain all over again!

The Spitting Image of Spam

Just as e-mail use has skyrocketed, Internet telephony is quickly increasing in usage, popularity, and consumer awareness — even by people who don't consider themselves tech savvy or heavy Internet users. Internet telephony — often referred to as "voice over IP" (VoIP) — allows people to make calls over the Internet, rather than the copper wires of the big telephone companies.

As with any technology choice, the cheaper it is, the more popular it becomes. Internet telephony is growing in demand, as more consumers elect to bypass the substantially higher per-minute rates of the traditional telecommunications providers, as well as the taxes and fees imposed upon traditional landlines. This is especially true for non-local calls, because the global scope of the Internet means that VoIP-enabled long-distance calls are just as cheap as local ones.

During 2003, it is estimated that only 10 percent of the voice traffic was handled by VoIP technology. But this could more than double by 2007, at which time it is estimated that there will be over 7 million VoIP phones in use throughout the world. This enormous audience will likely prove irresistible to marketers, who some analysts believe will begin the next wave of unwanted solicitation — in this case, by calling VoIP users. This combination of spam and Internet telephony has been dubbed "spit" or "SPIT".

Because outbound VoIP messages can be made by computers, it is possible for "spitters" to blast out thousands of unwanted messages per minute (with your chosen minute naturally occurring just as you are sitting down for dinner). Aside from the human cost to the victims receiving such calls, SPIT's negative impact upon the Internet could exceed that of spam, since the VoIP gateways could be flooded by these automated SPIT calls, which in turn would significantly degrade the voice quality of legitimate calls.

Digital Dialing for Dollars

Even though there have been few documented cases of VoIP spamming, that may be only the calm before the storm, given that the proliferation of Internet telephony may not yet have reached the tipping point at which the miscreants of marketing get a whiff of the money, and then get busy ruining your evening. It is almost certain that the cyber lowlifes will find this potential gold mine to be irresistible.

The unwanted solicitations could take the form of pre-recorded messages, or they could be made by "humans", trained to sell you the same junk that was attempted via e-mail in years past. It has been estimated that the average business and household could receive well over 100 such messages per day, and the onslaught would see no end as long as the average profit per sale was greater than only 50 cents.

Another threat posed by SPIT is denial-of-service attacks, aimed at the VoIP phone lines and voicemail systems of the targeted organization or individual, and carried out by automated "spit-bots" designed to call VoIP phone numbers repeatedly. Even worse, none of the attacking computers would even have to be in the possession of the human perpetrators behind the attack, once they figure out how to hack into the VoIP software running on the unprotected computers of innocent people all of the world.

While all of the open IP-based phone systems — such as Free World Dialup (FWD) and SIPPhone — are vulnerable to an unsophisticated SPIT campaign, the closed VoIP networks — such as Skype and Vonage — could fall prey to the concerted efforts of skilled hackers. An example of this occurred in 2004, when the Skype system experienced a malicious voice broadcast message.

Hitting Back at SPIT

With the tremendous potential costs to industry and consumers, one would hope that adequate efforts have been made to nip the problem in the bud. Unfortunately, any sort of countermeasures to SPIT face some serious technical and regulatory hurdles.

First of all, anyone can initiate a SPIT call. At the protocol level, VoIP is not secure, in the sense that there is no encryption of data and no authentication of the caller. In other words, the target of SPIT has no way to block incoming VoIP calls based upon identity — such as limiting all calls to a list of known people and organizations. Even if all VoIP calls were to have a type of caller ID, it would not be difficult for hackers to disguise their identity — just as spammers routinely forge "from" headers in spam messages to make them appear legitimate.

In addition, VoIP services are not regulated, and thus Internet users are not entitled to the same protections as conventional phone consumers. While the FCC did implement a federal "no-call" list to help protect Americans from telemarketers — and that effort has been largely and happily successful — there is no such list for VoIP users.

On an individual basis, choosing not to answer any inbound VoIP calls, would serve as only a partial solution, because any ignored SPIT calls would simply end up clogging your voicemail inbox. Then, when you log in to check your messages, you could feel your anger rising as you repeatedly tap the Delete key.

Does that sound familiar?

Copyright © 2006 Michael J. Ross. All rights reserved.

Content topics: