
December 2006, Volume 9/ Number 12


Spam for Internet Telephony: Hype or Reality?

By Dan York


One morning, you walk into your office and find that you suddenly have 100 new voicemail messages waiting for you. Giving a quick listen, you find that none are from your colleagues; instead, you are being offered vacation homes in Florida, better auto insurance rates, new options for home mortgages, and more. Moreover, you find out that: a) all the other employees in your office have received the same type of messages; and b) your voicemail system has run out of room and none of you can receive any more messages. Congratulations! You have just become a victim of Spam for Internet Telephony (SPIT), a new term for the age-old practice of telemarketing.

Is this nightmare scenario a reality? Or is it hype from vendors wanting to sell security solutions?

The answer today is that the threat is more theoretical than real, but that will definitely change in the time ahead as we move to more interconnected systems.

Before we examine SPIT, though, let's take a step back and look at the overall issue of unsolicited telephone calls over the standard Public Switched Telephone Network (PSTN). Today, telemarketers are limited in the number of calls they can make by two major factors: cost and the PSTN's inherent latency. To do large-scale telemarketing, there is a very real cost for the required PSTN trunk lines, telephony equipment, etc. There is also the time required for each call to be set up over the PSTN. Both factors can certainly be addressed (the cost continually decreases and automated dialers are available), but they do impose limitations on the number of simultaneous connections that a telemarketer can make.

But what happens when we remove those limitations? What if the cost to initiate the calls were close to zero? And what if hundreds or thousands (or more!) of calls could be initiated at the same time?

This is the great fear of SPIT. Here is how it could work. Instead of connecting to the PSTN, the telemarketer's system would use the Internet to bypass the PSTN and make calls directly to other Voice-over-IP (VoIP) phone systems using a protocol such as the Session Initiation Protocol (SIP). The basic technique is that the attacker would send a SIP "INVITE" message to various SIP addresses at a company. For instance, they might try extension numbers and just start iterating through "[email protected]," "[email protected]," "[email protected]," etc. Whoever answered, either a person or a voicemail system, would then be sent an audio stream with whatever message the telemarketer wants to deliver. In fact, after successfully making a connection, a smart telemarketer would probably immediately initiate another connection to deliver a second message for another potential client. And a third. And a fourth, etc.

The cost to the telemarketer is essentially only that of their Internet bandwidth, which, these days, continues to decline dramatically. No special hardware is required; any commodity PC or server can run the required software. Additionally, there is basically no latency in call initiation as SIP INVITEs are simply small packets very similar to those your web browser might send to request a web page. Literally thousands, or millions, of such packets could be sent in a minute. Streaming the audio will still take time and consume bandwidth, but this is again purely a matter of the telemarketer obtaining more Internet bandwidth.

The primary barrier to this being a threat now is the fact that today almost all enterprise VoIP phone systems are not connected to the Internet in such a way that would allow calls across the Internet from random endpoints. Instead, calls between enterprises must travel over the PSTN, turning the PSTN into a de facto "SPIT firewall" between companies and organizations. Even most companies using "SIP trunks" out to Internet Telephony Service Providers (ITSPs) today are primarily using them as a cost-saving tool in place of regular trunks to the PSTN. Those companies have replaced their PSTN trunk lines with a "SIP trunk" across their Internet connection out to an ITSP who in turn is connecting them to the PSTN. However, calls outside their company still go across the PSTN.

This all starts to change, though, as enterprises first begin "peering" with other enterprises to allow calls to go directly across the Internet from one enterprise to the other and then take the next step to allow calls to come across the Internet from random SIP endpoints. (This can be done on the PSTN today where anyone can basically call any other number.)

The good news in all of this is that there are people out there working on ways to prevent SPIT. The Internet Engineering Task Force (IETF) is exploring technical solutions, while groups like the VoIP Security Alliance (VOIPSA) are assembling policy and best practices recommendations. Several security vendors offer products to monitor network traffic for potential SPIT attacks and some service providers are working to provide this protection on their networks.
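To make the monitoring idea concrete, here is a small sketch of one heuristic such a monitor could apply: flag any source that sends INVITEs to many different extensions in a short time. It is an added example, not code from the article or from any vendor's product; the class and function names, the thresholds, and the sample traffic (documentation IP ranges and pbx.example.com) are all assumptions.

```python
import re
from collections import defaultdict, deque

# Request line of a SIP INVITE, e.g. "INVITE sip:1001@pbx.example.com SIP/2.0"
INVITE_RE = re.compile(r"^INVITE\s+sips?:([^@;\s]+)@([^\s;>:]+)")

def parse_invite(message):
    """Return (user, domain) for an INVITE request, or None for anything else."""
    m = INVITE_RE.match(message.lstrip())
    return (m.group(1), m.group(2).lower()) if m else None

class SpitDetector:
    """Flags a source that INVITEs too many distinct users within a time window."""

    def __init__(self, window_s=60, max_targets=5):   # thresholds are assumptions
        self.window_s = window_s
        self.max_targets = max_targets
        self.recent = defaultdict(deque)   # source IP -> deque of (time, user)

    def observe(self, ts, src_ip, message):
        """Feed one message; return True once src_ip exceeds max_targets."""
        parsed = parse_invite(message)
        if parsed is None:                 # REGISTER, OPTIONS, responses, ...
            return False
        q = self.recent[src_ip]
        q.append((ts, parsed[0]))
        while ts - q[0][0] > self.window_s:    # expire events outside the window
            q.popleft()
        return len({user for _, user in q}) > self.max_targets

def flagged_sources(events, **thresholds):
    """Replay (time, source IP, message) events; return sources that were flagged."""
    detector = SpitDetector(**thresholds)
    hits = {src for ts, src, msg in sorted(events) if detector.observe(ts, src, msg)}
    return sorted(hits)

# Constructed sample traffic: one source walks extensions 1000-1007 in 8 seconds,
# another places two ordinary calls to one extension and sends a REGISTER.
SAMPLE = [(i, "198.51.100.7", f"INVITE sip:{1000 + i}@pbx.example.com SIP/2.0")
          for i in range(8)] + [
    (3, "192.0.2.10", "INVITE sip:1002@pbx.example.com SIP/2.0"),
    (40, "192.0.2.10", "INVITE sip:1002@pbx.example.com SIP/2.0"),
    (41, "192.0.2.10", "REGISTER sip:pbx.example.com SIP/2.0"),
]

if __name__ == "__main__":
    print(flagged_sources(SAMPLE))
```

Source IP is a weak key on its own, since many legitimate callers can share one address and a sender can spread calls across many; where calls are authenticated, keying the same window on the authenticated identity is more reliable.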

In the end, how do you prevent your VoIP users from drowning in SPIT? If your VoIP systems today do not allow calls from unauthenticated SIP devices, odds are that SPIT is not something for you to worry about today. However, as you look at SIP trunking across your Internet connection or at running SIP proxy servers on the edge of your network, you need to definitely be asking your service providers and vendors what they are doing to prevent SPIT from flooding your network.

No one wants to come in to receive a flood of unsolicited phone calls or have a voicemail inbox with hundreds of bogus messages, nor suffer the business loss of having their voicemail full. As we move to an increasingly interconnected world of VoIP, the challenge for all of us will be ensuring that we can allow legitimate callers to reach us, while limiting the unsolicited calls to an acceptable level.

Dan York, CISSP, chairs Mitel's Product Security Team and is also the Best Practices Chair for the Voice-over-IP Security Alliance (VOIPSA).

Mitel is a leading global provider of business communications solutions and services. For more information, please visit
