Will SPIT be Worse than Spam?

While some of us rely more on email than voice, for most users, voice is still the primary means of communication. A phone call is more urgent, interrupting, and attention-getting than an email. Many email users check their email at intervals, rather than letting it interrupt them each time a message comes in. This is in contrast to the phone, which when it rings, most users answer or at least check to see who the call is from. Most users don't turn off their phone or put it in a do not disturb mode, as you can easily do with email (or instant messaging). Because of this, when the phone rings, if it is SPIT, it will immediately cause some amount of disturbance to the user. This is true even if the user simply takes their attention away from their work at hand and checks caller ID. With SPIT, it is conceivable that the phone will ring as often as the average user receives an email SPAM. Imagine this occurring in cubicle farms, where phones ring constantly. Even if the SPIT call is not for you, it is possible that all your surrounding cubemates will be constantly getting calls, thereby disturbing everyone in the office.

As with email SPAM, it is very unlikely that SPIT calls can be identified based on caller ID and other information in the signaling. White lists and black lists may be of some use, but won't be any more useful than they are for email SPAM.

Another issue with SPIT is that you can't analyze the call content before the phone rings. Current SPAM filters do a reasonable job of blocking SPAM. Email has no requirement for real-time delivery of a message. The message, along with all its attachments, arrives and can reside on a server before it is delivered to the user. While there, the entire message is available to be reviewed to determine if it is SPAM. This is in contrast to SPIT. With SPIT, the call arrives and you have no idea what its content is. It might be your spouse or yet another Viagra advertisement. Odds are that the caller ID will be spoofed, so you won't know who the call is from or what it is about until you answer it. Many users will then be forced to answer calls only from sources they recognizeother calls will be relegated to voicemail.

Of course, calls that arrive when the user is not around will also go to voicemail. SPIT left in voicemail is better than listening to the call in real-time, but it's still an issue. Imagine coming in and having as many voicemail messages as you do email messages. At least with email, you can see the headers and bodies quickly in an email client such as Outlook and eye-ball email SPAM and delete it. The same may be true with SPIT, if your voicemail messages show up in Outlook or some other sort of unified communication client. But those users who access their voicemail through a phone will have a very difficult time listening to and deleting SPIT. They will have to step through each message, listen to a portion of the message, and delete those that are SPIT.

As with email, those calls that are saved to voicemail can be converted to text and analyzed to determine if they are SPIT. Those calls determined to be SPIT can be deleted or moved to a "junk" mailbox. Unfortunately, keyword recognition software is far from perfect. Large vocabulary systems are available, but they only recognize words in their vocabularies (which are admittedly large) and are susceptible to variances in word pronunciations, accents, and languages. A clever restatement of "Viagra," while still easily understandable to a human, could trick a large vocabulary system. Large vocabulary systems are also computationally intensive and require quite a bit of horsepower to analyze calls. There are other word-recognition technologies, including those based on phonemes. This technology breaks words into elemental phonemes, which represent the various sounds that a human can utter. This technology handles accents and languages much better than large vocabulary systems. It is also less computationally intensive . The bad news though is neither of these approaches is perfect and their use will result in some number of false positives and negatives .

The ENUM directory service simplifies the mapping of a traditional phone number to a SIP URI. Because it is very easy to "war dial" a list of numbers , it is possible for an attacker to leverage ENUM to dial a long list of SIP users.