[VOIPSEC] SPIT=telemarketing over VoIP - do we need a betterterm?(was Re: Confirmed cases of SPIT)

McMillon, Matt Matt.McMillon at qwest.com
Thu Mar 16 11:45:22 CST 2006 

But from a definition perspective, does the fact that a mass mailing
campaign (sent via snail mail) is computer generated make it SPAM?
Computer based marketing databases combined with word processing
technology made mass mailing campaigns significantly cheaper and more
efficient (and available to all), but did that really create a new
problem (i.e. new terminology) or did it make an existing one worse? 

I would argue that SPIT should be defined only within the context of
VoIP and threats that cross convergence point should be defined
differently.  That being said, I don't think an operations person trying
to keep up with VM storage (VoIP, PBX or POTS based), or the end-user
that has to clean out 600 VMs a day, is going to care--but the person
mitigating the threat does.

>From a mass marketing perspective, "success" is defined by very small
percentage of respondents (1%-3% or less) so anything that significantly
increases the number of people who receive the marketing material
cheaply and quickly is going to be very popular with marketing folks, as
well as political organizations.  Doesn't mean that purveyors of online
porn and the like are going to switch to SPIT from SPAM, however.

Matt

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Smith, Donald
Sent: Thursday, March 16, 2006 9:58 AM
To: dan_york at Mitel.com; Eric Chen
Cc: voipsec at voipsa.org
Subject: Re: [VOIPSEC] SPIT=telemarketing over VoIP - do we need a
betterterm?(was Re: Confirmed cases of SPIT)

Good points Dan, one that I think was missed it the ability to make
those calls to ANY destination using VoIP as the source. I don't think
the advertisers will care what type of phone you have they will just
want to reach as many people as possible as cheaply as possible. I have
seen ONE case where voip was almost certainly the mechanism used. It was
a recorded message (of course) and it "dialed" 100's or 1000's of phones
per min.

In that case one of the destination was an office pbx and it was unable
to handle the load.

Rate limiting the number of calls any ip can make in a minute will
prevent this type of abuse from a single ip.
It will not prevent botted pc's with softphones being used in much the
same way as botnets are used to send spam.

Security through obscurity WORKS against some worms and other tools:)
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of dan_york at Mitel.com
> Sent: Thursday, March 16, 2006 9:20 AM
> To: Eric Chen
> Cc: voipsec at voipsa.org
> Subject: [VOIPSEC] SPIT=telemarketing over VoIP - do we need a better 
> term?(was Re: Confirmed cases of SPIT)
> 
> Eric Chen wrote:
> > Despite the incidents, I wonder how effective SPIT is from a 
> > marketer's point of view.  In a spam email, the advertised
> website is
> > only one click away, but with SPIT, spammers would have to be more 
> > creative using
> 
> > only voice messages.  Simply asking people to write down a URL and
> access
> > later doesn't sound effective.  (Maybe effective for advertising 
> > pay-per-call numbers, if they are available on VoIP)
> 
> I found this note from Eric fascinating in that it points out a basic 
> problem with the language we are using here.  The term "SPIT" has 
> entered our jargon and we say it is "SPam for Internet Telephony" but 
> yet it actually has really nothing whatsoever to do with the "spam" 
> that we are used to in e-mail.
> 
> It does make me wonder how many folks upon hearing the term "SPIT" 
> will think that somehow we will now be receiving messages about 
> various performance-enhancing products, watches, sons and daughters of

> deposed dictators, better mortgages, and various stocks that are sure 
> to bring in millions of dollars.
> 
> Yet, to me and others with whom I have discussed this, "SPIT" 
> is simply the sending over VoIP of all the standard telemarketing 
> calls that we all have been receiving - usually at dinner or other 
> inconvenient times - selling us potential vacation getaways, 
> insurance, better mortgages, magazine subscriptions, soliciting 
> donations for (questionable) charities, or whatever other products or 
> schemes people think we will buy or fall for.
> 
> (And I would be very interested to know if others have different
> interpretations.)
> 
> In my mind, there's no fundamental difference *to the end
> user* between the type of telemarketer calls that interrupt my dinner 
> now over the PSTN and the type that would occur over my VoIP phone.  
> Both interrupt my dinner and both are trying to sell me stuff that I 
> probably don't want.  (And yes, you can tell by my attitude that I'm 
> on the US do-not-call list.)
> 
> The only difference is on a *technical* end where it is just that much

> easier for the telemarketer to make the calls.
> Instead of having to pay for all the PSTN-connected lines, equipment, 
> etc., and having the time delays inherent in the PSTN connection 
> sequence, a telemarketer just needs a big fat pipe and appropriate 
> software.  (And needs there NOT to be appropriate identity standards 
> that might prevent their actions.)
> 
> Other than that, it's the same unsolicited direct calling we get 
> today.
> 
> But it does point out a difference in our language.  At least here in 
> North America, it seems that we generally use these terms for 
> unsolicited direct
> 
> marketing in various forms:
> 
> 1. Regular postal mail  -  "junk mail"
> 2. Phone (PSTN)         -  "telemarketing call" or "telemarketer"
> 3. E-mail               -  "spam"
> 4. Instant messaging    -  "SPIM"   (have also seen this just called 
> "spam")
> 5. SMS                  -  ??   (just "spam" or "SMS spam"?[1])
> 6. VoIP                 -  "SPIT"
> 
> Yet (to me, at least) #6 and #2 are essentially the same 
> thing.   Do we 
> need to try to use a different term?  (As if the headline writers of 
> the world would let us retire a term as great for them as "SPIT"!)  
> Any suggestions?
> 
> Comments?  Thoughts?
> Dan
> 
> [1] Remember that I'm in North America where SMS isn't as big as the 
> rest of the world... so I don't honestly get exposed to spam over SMS.
> 
> --
> Dan York, CISSP
> Dir of IP Technology, Office of the CTO
> Mitel Corp.     http://www.mitel.com
> dan_york at mitel.com +1-613-592-2122
> PGP key (F7E3C3B4) available for
> secure communication
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> 

_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

More information about the Voipsec mailing list