[VOIPSEC] Confirmed cases of SPIT
jcaldwell at SonicWALL.com
Tue Mar 14 20:48:36 GMT 2006
>Re: [VOIPSEC] Confirmed cases of SPIT
>Jon Callas writes:
>Does this matter?
>My home phone number gets spam faxes. Often / usually in the wee
>hours. It happens often enough that it is our practice to take the
>phone off the hook. Nothing can be done about it, just ask the phone
>company. Why should I care about SPIT, given that I'll bet if I
>switch my phone number to VOIP, nothing will change, and if I get
>*any* new phone number, it will go away?

Current methods of unsolicited telemarketing revolve around use of POTS
dialing and switching through a phone company to cause a target phone to
ring. In some cases, if a target phone is answered, the originating
call is transferred to a human telemarketer to continue the call. In
other cases, the system is used to simply deliver a pre-recorded,
unsolicited message. In either case, it is necessary that the initiator
be 'switched' by the phone company over the limited number of lines the
initiator has available. This results in governing the effective rate
at which an unsolicited caller site can reach targets.

With VoIP, however, and appropriate equipment it is possible to generate
thousands of concurrent calls without the limiting factor of an
intervening phone company switch.

Methods such as Number Harvesting discussed by the VOIPSA "VoIP Security
and Privacy Threat Taxonomy" Working Group could be used to enhance the
effectiveness of such an approach.

Although we have seen a good deal of press and talk regarding SPIT, I am
interested in actually hearing of confirmed cases where a SPIT attack
was experienced. This is in the interest of separating hype from fact.