8 Jan 2008 15:53
Re: Fighting SPIT on a cell phone
Pars Mutaf <pars.mutaf <at> gmail.com>
2008-01-08 14:53:54 GMT
[sorry for cross-posting]

Hello,

I want to leave my cell phone number (SIP URI) on a discussion forum, or web page, blog, craigslist etc. But I wish to avoid SPIT (SPam over Internet Telephony). A solution is presented below (with variations called weak, strong and indirect). Comments are appreciated.

Regards,
Pars Mutaf

1. Weak solution

I leave the IP address of my cell phone but not a SIP URI. An interested party sends a request to my phone. My phone generates a random SIP URI and returns a different SIP URI to each querier.

If I receive SPIT to the SIP URI 'x', then I can cancel it. Since each querier is returned a different SIP URI, legitimate parties can continue to call me or send SMS.

Since the SIP URI 'x' was canceled, a SPITer can request another one and still send me SPIT. To avoid this attack, the querier can be requested to solve a hard challenge, e.g. a CAPTCHA. A SIP URI will be returned only after the querier user has provided the solution. The difficulty of the CAPTCHA can be adaptively tuned by the target host.

When done, i.e. the desired phone call is received, the target user can stop receiving requests to the indicated IP address.

2. Strong solution

I leave the IP address of my phone but not a SIP URI. I want to receive phone calls or SMS only from people that I know. An interested party sends a request to my phone. My phone displays a message with the requester's name, e.g.:

"Alice Collins requested phone number. Accept? [YES/NO]"

If I accept, my phone generates a random SIP URI and returns it to the querier. This solution requires human name certification.

An attacker can send continuous bogus requests to the target IP address and make the target phone continuously display the above message, annoying the target user. This attack can be defeated by requesting the querier user to solve a hard CAPTCHA before his request can be displayed on the target host's screen. The difficulty of the CAPTCHA can be adaptively tuned by the target host.

3. Indirect solution (using e-mail)

I leave the IP address of my cell phone and a randomly generated e-mail address. The mobile host (cell phone) is its own mail server. The mail is routed to the e-mail address at the indicated IP address. The querier can send me an e-mail with a brief text explaining why a SIP URI is requested. The e-mail content will be limited to several lines, reducing space for spam. E-mails containing a URL can be dropped by the host since the querier is not supposed to indicate a URL to request a SIP URI. Similarly, e-mails containing an image can also be dropped.

==
Interested folks please subscribe to: https://www1.ietf.org/mailman/listinfo/humanresolvers
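The per-querier disposable alias mechanism of the "weak solution" above, as an added Python sketch that is not part of the original post: each querier gets its own random SIP URI, a URI that attracts SPIT is cancelled without affecting the others, and the phone can stop issuing URIs once the wanted call has arrived. The alias format, the domain name, and the CAPTCHA result being passed in as a boolean are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class AliasPhone:
    """Models a phone that hands out a distinct random SIP URI per querier."""
    domain: str                                   # assumed alias domain
    aliases: Dict[str, str] = field(default_factory=dict)  # alias -> querier
    revoked: Set[str] = field(default_factory=set)
    accepting_requests: bool = True

    def request_uri(self, querier: str, captcha_solved: bool) -> Optional[str]:
        """Return a fresh alias, or None if requests are closed or the
        CAPTCHA (checked elsewhere, result assumed here) was not solved."""
        if not self.accepting_requests or not captcha_solved:
            return None
        alias = f"sip:{secrets.token_urlsafe(9)}@{self.domain}"
        self.aliases[alias] = querier
        return alias

    def incoming_call(self, to_alias: str) -> str:
        """Accept only calls to an alias that was issued and not cancelled."""
        if to_alias in self.aliases and to_alias not in self.revoked:
            return "accept"
        return "reject"

    def report_spit(self, alias: str) -> Optional[str]:
        """Cancel one alias; other queriers' aliases keep working.
        Returns the querier the alias was issued to, if known."""
        self.revoked.add(alias)
        return self.aliases.get(alias)

    def stop_requests(self) -> None:
        """Close the request channel once the wanted call has been received."""
        self.accepting_requests = False

def scenario() -> dict:
    """Constructed walk-through: two legitimate queriers and one SPITer."""
    phone = AliasPhone(domain="phone.example")        # assumed domain
    alice = phone.request_uri("alice", captcha_solved=True)
    bob = phone.request_uri("bob", captcha_solved=True)
    spitter = phone.request_uri("spitter", captcha_solved=False)  # refused
    leaked_by = phone.report_spit(bob)                # SPIT arrives on bob's URI
    result = {"alice": phone.incoming_call(alice), "bob": phone.incoming_call(bob),
              "unknown": phone.incoming_call(f"sip:guess@{phone.domain}"),
              "spitter_got_uri": spitter is not None, "leaked_by": leaked_by,
              "distinct": alice != bob}
    phone.stop_requests()
    result["after_stop"] = phone.request_uri("carol", captcha_solved=True)
    return result
```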