Security experts are in total agreement that the emergence of SPIT (Spam over Internet Telephony) is inevitable.
No official cases of SPIT have yet been documented, but that’s largely because VoIP adoption has yet to reach the critical mass needed to make SPIT profitable to spammers.
“No one is really running a large-scale VoIP service that can reach all users in a cheap manner yet. But at the end of this year, there are large providers who are connecting to PSTN [analogue telephone networks], and these [will be able to] handle thousands of calls per minute,” said Shahadat Khan, CTO of Vancouver-based Eyeball Networks.
The company is developing a product that will allow VoIP providers to make a pre-emptive strike against SPIT. Eyeball recently announced that its patent-pending anti-SPIT server will be available at the end of 2005.
Features of the server include caller authentication, unique caller limits, dynamic caller monitoring and VoIP spam-filtering algorithms. The product is primarily targeted at VoIP service providers, although there are also features such as parental controls that will benefit their customers.
The anti-SPIT server essentially works by monitoring calling patterns to establish a baseline, then using pattern analysis to apply controls when calling patterns deviate from defined parameters. These include volume, rate, time of day, location and so on. VoIP providers and their users can select the parameters they want to use to filter inbound and outbound calls.
For example, a typical threshold might be to monitor for users calling more than ten numbers per minute. If the observed rate is higher, chances are good that the calls are automated spam. If Eyeball’s warning systems are triggered, users are not cut off. “We do it gracefully,” said Khan.
The system will challenge the user with a test, such as pressing a sequence of keys to resume calling. A computer will fail the test, but a human will pass, and can request a higher quota if there is a legitimate need. “We make it impossible to generate the kind of volume spammers need,” said Khan.
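The threshold-and-challenge behaviour described above can be sketched as a per-caller sliding window. This is an added example, not Eyeball's code: the class and function names, the SIP addresses, the phone numbers and the choice to clear the window once a challenge is passed are all assumptions; only the ten-numbers-per-minute threshold comes from the article.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60       # "per minute", from the article
MAX_UNIQUE_CALLEES = 10   # the article's example threshold

class CallerMonitor:
    """Sliding window of distinct numbers dialled by each caller."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_UNIQUE_CALLEES):
        self.window, self.limit = window, limit
        self.recent = defaultdict(deque)  # caller -> (timestamp, callee) pairs
        self.challenged = set()           # callers who must pass the key-press test
        self.quota = {}                   # caller -> raised limit (assumed feature shape)

    def attempt_call(self, caller, callee, now):
        """Return 'allow' or 'challenge' for a call attempt at `now` seconds."""
        if caller in self.challenged:
            return "challenge"            # held until the test is passed, not cut off
        calls = self.recent[caller]
        while calls and now - calls[0][0] >= self.window:
            calls.popleft()               # drop attempts older than the window
        seen = {number for _, number in calls}
        if callee not in seen and len(seen) >= self.quota.get(caller, self.limit):
            self.challenged.add(caller)
            return "challenge"
        calls.append((now, callee))
        return "allow"

    def challenge_passed(self, caller, raised_limit=None):
        """A human completed the key sequence; optionally grant a higher quota."""
        self.challenged.discard(caller)
        self.recent[caller].clear()       # assumption: passing restarts the window
        if raised_limit is not None:
            self.quota[caller] = raised_limit

def replay(records, monitor=None):
    """Run (timestamp, caller, callee) records through a monitor, in order."""
    monitor = monitor or CallerMonitor()
    return [monitor.attempt_call(c, d, t) for t, c, d in records]

# Constructed sample traffic: an autodialler hitting a new number every 2 s,
# and a person redialling one number 20 times.
DIALLER = [(2 * i, "sip:dialler@example.invalid", f"+1555010{i:02d}") for i in range(15)]
REDIAL = [(3 * i, "sip:alice@example.invalid", "+15550199") for i in range(20)]

if __name__ == "__main__":
    print(replay(DIALLER))
    print(replay(REDIAL))
```

Counting distinct numbers rather than raw attempts keeps a person who redials one busy number under the limit, while the autodialler is held at its eleventh new number until someone passes the test.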
In anticipation of “visual spam”, Eyeball also offers video filters that monitor for potential abuses by detecting the amount of flesh tones in an image. Video phones are already on the market, said Khan, and applications like MSN Messenger can send live images. “This is already a big source of problems. If you take a call from a stranger, you don’t know what kind of call you’re getting.”
The anti-SPIT server sits next to the VoIP server on the network, and works as an add-on in accordance with established standards for Cisco and other common VoIP servers. Eyeball is currently beta-testing its product with two VoIP providers to tweak and tune the parameters to address the types of problems they typically encounter.
Notwithstanding experts’ predictions that the emergence of SPIT is imminent, most businesses are not that concerned, and consumers not at all, said George Goodall, a research analyst at London, Ont.-based Info-Tech Research Group. Human nature being what it is, people are more concerned with existing problems.
“We haven’t seen a lot of SPIT in the marketplace or on the street, and already there are vendors with solutions for a theoretical problem. So SPIT may be inevitable, but the solutions are staying ahead of the problem,” he said.
So should VoIP providers look into these anti-SPIT products now, or wait and see? “I would always recommend a proactive approach,” said Goodall.
“Once the problem occurs, it becomes ingrained and popular, and will be more difficult to remove after the fact. Providers should run their numbers on the cost-justifications, and build a business case for it right now.”