SPIT is a social issue that enterprises have limited ability to affect. Some solutions are the responsibility of the larger VoIP (and SIP) community. If the VoIP community does not work together to address SPIT before it is a big issue, enterprises will be forced to adopt "traditional" mitigation strategies that are expected to be similar to those adopted for other voice security issues and/or email SPAM. Some of the countermeasures the VoIP community and enterprises can take are discussed here.
One of the keys to addressing SPIT is the ability to determine the identity of a caller. The caller's identity is presented in the From: SIP header. Unfortunately, as we have shown, it is trivial to spoof this value.
If the true identity of a caller can be determined, certain simple countermeasures, such as black and white lists, become much more effective. For identities to be assured, all users within a SIP domain must be authenticated. RFC 3261 requires support for digest authentication. When coupled with the use of TLS between each SIP user agent and SIP proxy, digest authentication can be used to securely authenticate the user agent. Then, when this user agent places a call to another domain, its identity can be asserted.
The Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP) (draft-ietf-sip-identity-05) Internet draft proposes enhancements for authenticated identity. In a nutshell, the proposed approach includes an authentication service (normally resident with the SIP proxy), which authenticates the sender of an INVITE request, computes and signs a hash of the From: and other fields, and inserts the result in a new header field. This field can be checked later to authenticate the identity of the sender.
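The following is an added illustration of the mechanism the two preceding paragraphs describe; it is not code from the book, the draft, or any product. An authentication service builds a canonical string from the From: header and the other fields it covers, signs it, and adds the result as an Identity header; the receiving domain recomputes the string and checks the signature, so a From: value that was altered after signing no longer verifies. Assumptions: the INVITE is constructed, the set of covered headers is taken from RFC 4474 (the RFC this draft later became), and an HMAC-SHA256 with a shared key stands in for the draft's certificate-based signature so the example runs with the standard library alone.

```python
"""Added example: signing and verifying the identity of a SIP INVITE."""
import base64
import hashlib
import hmac

# Constructed sample INVITE; all values are made up for this example.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS pc1.example.com;branch=z9hG4bK776asdhds\r\n"
    "From: \"Alice\" <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@pc1.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Date: Thu, 21 Feb 2002 13:02:03 GMT\r\n"
    "Contact: <sip:alice@pc1.example.com>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Header fields covered by the identity signature (assumption: the set
# later standardized in RFC 4474). Changing any of them breaks the signature.
SIGNED_HEADERS = ("From", "To", "Call-ID", "CSeq", "Date", "Contact")


def parse_headers(msg: str):
    """Split a SIP request into (request line, {lower-name: value}, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def identity_string(msg: str) -> str:
    """Canonical string the service hashes: covered headers plus a body digest."""
    _, headers, body = parse_headers(msg)
    body_digest = hashlib.sha256(body.encode()).hexdigest()
    return "|".join([headers.get(h.lower(), "") for h in SIGNED_HEADERS] + [body_digest])


def compute_token(msg: str, key: bytes) -> str:
    """HMAC-SHA256 stand-in for the draft's signature over the hash."""
    mac = hmac.new(key, identity_string(msg).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def sign_invite(msg: str, key: bytes) -> str:
    """Authentication service: append the Identity header to an INVITE."""
    head, sep, body = msg.partition("\r\n\r\n")
    return head + "\r\nIdentity: \"" + compute_token(msg, key) + "\"" + sep + body


def verify_invite(msg: str, key: bytes) -> bool:
    """Verifier in the receiving domain: recompute and compare the token."""
    _, headers, _ = parse_headers(msg)
    presented = headers.get("identity", "").strip('"')
    if not presented:
        return False
    return hmac.compare_digest(presented, compute_token(msg, key))


def rewrite_header(msg: str, name: str, value: str) -> str:
    """Replace one header's value (used to show that a changed From: fails)."""
    head, sep, body = msg.partition("\r\n\r\n")
    out = []
    for line in head.split("\r\n"):
        if line.lower().startswith(name.lower() + ":"):
            line = f"{name}: {value}"
        out.append(line)
    return "\r\n".join(out) + sep + body


if __name__ == "__main__":
    key = b"constructed-demo-key"
    signed = sign_invite(SAMPLE_INVITE, key)
    print("genuine INVITE verifies:", verify_invite(signed, key))
    altered = rewrite_header(signed, "From", "<sip:mallory@example.com>;tag=42")
    print("altered From: verifies:", verify_invite(altered, key))
```

The verifier's confidence is only as good as the authentication the service performed before signing: the token proves that the signing domain vouched for this From: value on this call (Call-ID and CSeq are covered, so a token cannot be reused on another call), not that the displayed name is meaningful.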
For authenticated identity to work, it must be broadly implemented. Enterprises, as well as service providers, must implement it. It might not, however, be realistic to expect this to happen.
Countries can pass laws that prohibit SPIT. The U.S. currently maintains "do not call" lists that are effective in preventing telemarketers from calling users who have placed their numbers on these lists. This works because a telemarketer who violates the "do not call" list can be identified and fined. Whether or not this would work for SPIT is debatable, as no such mechanism exists for email SPAM.
When SPIT becomes an issue, enterprises will address it in a manner similar to email SPAM, namely by deploying SPIT mitigation products. Several companies, including SecureLogix (http://www.securelogix.com), Borderware (http://www.borderware.com), and Sipera (http://www.sipera.com), offer SPIT mitigation products and services. Some of the SPIT countermeasures a product might employ are described here:
Black Lists/White Lists
Black lists are a collection of addresses of known attackers. A call from a source on the black list is immediately disallowed. Black lists are not effective with email SPAM and are likely to be of only limited use for SPIT. The problem is that source addresses are very easy to spoof. Attackers can also obtain new addresses/identities easily.
White lists are collections of addresses that are known to be good, that is, addresses a user is willing to accept calls from. White lists require a way for a user to indicate that they want to receive calls from a new source. Once a user elects to receive calls from the source, its address is placed on a white list and subsequent communications are allowed. Attackers can't change their addresses to get around white lists. However, if they know an address on the white list, they can spoof it and make calls.
Approval Systems
An approval system works along with white and black lists. When a new caller attempts to place a call to a user, the user is provided with some sort of prompt to accept the attempt. The user can either accept or reject the request, thereby placing the caller on the black list if denied or the white list if approved. This approach might help somewhat, but could also just flood a user with approval requests.
Audio Content Filtering
As discussed previously, SPIT call content can't be analyzed unless it has been saved to voicemail. Once saved to voicemail, speech-to-text technologies, while not perfect, can be used to convert the audio to text that can be searched for SPIT content. Voicemail messages with SPIT content can be deleted or moved to a user's junk mailbox.
Voice CAPTCHAs/Turing Tests
Completely Automated Public Turing Tests to Tell Computers and Humans Apart (CAPTCHAs) or Turing Tests are challenges or puzzles that only a human can easily answer. A common example is text embedded in an image with background noise: most humans can read the text easily, but it is very difficult for a computer to do so.
Voice CAPTCHAs are similar. When a call comes in, the caller will be greeted with some sort of challenge. This may be as simple as a request to type in several DTMF codes, such as "please type in the first three letters of the person's name," or it could be more complex, such as "please state the name of the person you want to talk to." The prompts could be stated in the presence of background noise. These tests are easy for a human to respond to, but difficult for a computer.
If the caller responds correctly to the CAPTCHA, the call will be sent through to the user. If the caller cannot meet the challenge, then the call could be dropped, sent to the user's voicemail, or sent directly to a junk voicemail box. The user may or may not receive some sort of feedback, such as a distinctive sound on the phone, alerting them to possible SPIT.
Voice CAPTCHAs can be effective in addressing SPIT, but will have the side effect of irritating legitimate callers. This could be a major problem if, for some reason, the caller had to repeat the challenge multiple times. This might occur, for example, on a poor connection from a cell phone.
Voice CAPTCHAs are best used in conjunction with a policy and/or black lists and white lists, where they are only used for new or suspect callers.
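An added example, not code from the book or from any of the vendors named above, tying together the list-based countermeasures, the approval system, and the DTMF voice CAPTCHA described in the preceding paragraphs. Callers on the white list are delivered, callers on the black list are rejected, and new or suspect callers are challenged to key in the first three letters of the called party's name; a caller who passes is delivered and queued for the user's approval decision, a caller who fails goes to a junk voicemail box. The policy treats a white-list address as suspect unless the upstream proxy has authenticated the From: value, which is the spoofing weakness the white-list paragraph points out. All addresses, names, and the "identity verified" flag are constructed for the example.

```python
"""Added example: call screening with lists, approval, and a DTMF voice CAPTCHA."""
from dataclasses import dataclass, field
from enum import Enum

# Standard telephone keypad letter groups, used to turn a name into DTMF digits.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_KEY = {ch: key for key, letters in KEYPAD.items() for ch in letters}


class Decision(Enum):
    ALLOW = "allow"          # known-good caller
    REJECT = "reject"        # known attacker
    CHALLENGE = "challenge"  # new or suspect caller: voice CAPTCHA first


@dataclass
class ScreeningPolicy:
    white_list: set
    black_list: set
    pending_approval: set = field(default_factory=set)

    def screen(self, caller: str, identity_verified: bool) -> Decision:
        # A From: address that was not authenticated upstream could be a
        # spoofed white-list entry, so it is treated as suspect, not trusted.
        if not identity_verified:
            return Decision.CHALLENGE
        if caller in self.black_list:
            return Decision.REJECT
        if caller in self.white_list:
            return Decision.ALLOW
        return Decision.CHALLENGE

    def record_user_decision(self, caller: str, approved: bool) -> None:
        """Approval system: the user's answer moves the caller onto a list."""
        self.pending_approval.discard(caller)
        (self.white_list if approved else self.black_list).add(caller)


def dtmf_for_name(name: str, length: int = 3) -> str:
    """Expected keypad digits for the first `length` letters of a name."""
    digits = [LETTER_TO_KEY[c] for c in name.lower() if c in LETTER_TO_KEY]
    return "".join(digits[:length])


def handle_call(policy: ScreeningPolicy, caller: str, identity_verified: bool,
                callee_name: str, dtmf_answer: str = None) -> str:
    """Return the disposition of one incoming call."""
    decision = policy.screen(caller, identity_verified)
    if decision is Decision.ALLOW:
        return "deliver"
    if decision is Decision.REJECT:
        return "reject"
    # Voice CAPTCHA: play the prompt first, then check the caller's DTMF reply.
    if dtmf_answer is None:
        return f"prompt:please type in the first three letters of {callee_name}"
    if dtmf_answer == dtmf_for_name(callee_name):
        if identity_verified:
            # Only an authenticated caller is worth asking the user about.
            policy.pending_approval.add(caller)
        return "deliver"
    return "junk_voicemail"


if __name__ == "__main__":
    policy = ScreeningPolicy(white_list={"sip:bob@example.net"},
                             black_list={"sip:spam@example.org"})
    print(handle_call(policy, "sip:bob@example.net", True, "Mark"))        # deliver
    print(handle_call(policy, "sip:bob@example.net", False, "Mark"))       # prompt
    print(handle_call(policy, "sip:new@example.com", True, "Mark", "627"))  # deliver
    print(handle_call(policy, "sip:bot@example.com", True, "Mark", "111"))  # junk_voicemail
```

Keeping the challenge to new and suspect callers, as the text recommends, limits the irritation to legitimate callers to their first contact; a retry budget for poor connections is a natural extension and would live in the CHALLENGE branch.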