Tip

SPIT, or Spam over Internet Telephony

Starting last July, stories started popping up in the IT media about the confluence of unwanted or unsolicited e-mail—aka spam—and IP-based telephony. This has led to one of the less appetizing acronyms around (it begins the title of this tip) to describe what must surely be an unpleasant side effect of mingling the ease of access and ubiquitous reach of the Internet with telephone systems.

For the time being, SPIT is more of a stalking horse than a real threat, because most voice messages require that streaming audio be recorded to work. This means a spammer has to stream one minute's worth of audio to leave a one-minute message, which represents an unfavorable and linear one-to-one consumption of spammer resources to lock up an equal amount of target resources.

And in fact, enterprise VoIP monitoring and management company Qovia has recently applied for a patent on technology that permits them to broadcast voicemail messages over VoIP, which opens the door for the kinds of resource economies (small consumption of spammer resources results in massive consumption of target resources in the aggregate) that make voicemail spamming worthwhile. Thus, the company has found itself in the unique position of having to develop SPIT-blocking technology at the same time that it is developing the very technology that could make SPIT a possibility.

But since one company is already far enough along to be filing a patent (and to be developing counter technology at the same time), it's by no means inconceivable that others will develop mechanisms to permit voicemail to offer yet another channel for spam distribution. At present, however, the threat is more of a nagging possibility than an imminent danger to VoIP users.

That said, Internetnews.com reports that the Session Initiation Protocol (SIP) most commonly used for VoIP implementation does suffer from vulnerabilities that CERT reported as long ago as January, 2003, that include remote code execution and other weaknesses. Likewise, the UK National Infrastructure Security Co-Ordination Centre has issued similar advisories about the H.323 protocol also used for real-time voice, video, and data transmission, primarily for virtual teleconferencing applications.

Though SPIT may not yet be a clear and present danger, it's real enough that those developing technology that could enable it to be broadcast also feel compelled to develop suitable counter-technologies to keep such capability from being misused.

For more information on this topic, please check out the following links:

Amy Limbert, "Qovia pre-emptively tackles VoIP spam," Business Gazette, July 9, 2004

Ryan Naraine, "Protocol Flaw Puts VoIP Users at Risk," Internetnews.com, January 13, 2004

"Patent Filed for Voice Blocking Technology," Virus Bulletin, June 29, 2004

"Blocking Internet Voice Spam," Maryland Daily Record, September 24, 2004


Ed Tittel is a regular contributor to numerous TechTarget Web sites, and the author of over 100 books on a wide range of computing subjects from markup languages to information security. He's also a contributing editor for Certification Magazine, and edits Que Publishing's Exam Cram 2 and Training Guide series of cert prep books. E-mail Ed at etittel@techtarget.com.


This was first published in November 2004
