Starting last July, stories started popping up in the IT media about the confluence of unwanted or unsolicited e-mail—aka spam—and IP based telephony. This has led to one of the less appetizing acronyms around (it begins the title of this tip) to describe what must surely be an unpleasant side effect of mingling the ease of access and ubiquitous reach of the Internet with telephone systems.
For the time being, SPIT is more of a stalking horse than a real threat, because most voice messages require that streaming audio be recorded to work. This means a spammer has to stream one minute's worth of audio to leave a one-minute message, which represents an unfavorable and linear one-to-one consumption of spammer resources to lock up an equal amount of target resources.
And in fact, enterprise VoIP monitoring and management company Qovia has recently applied for a patent on technology that permits them to broadcast voicemail messages over VoIP, which opens the door for the kinds of resource economies (small consumption of spammer resources result in massive consumption of target resources in the aggregate) that make voicemail spamming worthwhile. Thus, the company has found itself in the unique position of having to develop SPIT-blocking technology at the same time that it is developing the very technology that could make SPIT a possibility.
But since one company is already far enough along to be filing a patent (and to be developing counter technology at the same time), it's by no means inconceivable that others will develop mechanisms to permit voicemail to offer yet another channel for spam distribution. At present, however, the threat is more of a nagging possibility than an immanent danger to VoIP users.
That said, Internetnews.com reports that the Session Initiation Protocol (SIP) most commonly used for VoIP implementation does suffer from vulnerabilities that CERT reported as long ago as January, 2003, that include remote code execution and other weaknesses. Likewise, the UK National Infrastructure Security Co-Ordination Centre has issued similar advisories about the H.323 protocol also used for real-time voice, video, and data transmission, primarily for virtual teleconferencing applications.
Though SPIT may not yet be a clear and present danger, it's real enough that those developing technology that could enable it to be broadcast also feel compelled to develop suitable counter-technologies to keep such capability from being misused.
For more information on this topic, please check out the following links: Amy Limbert "Qovia pre-emptively tackles VoIP spam" Business Gazette, July 9, 2004 Ryan Naraine "Protocol Flaw Puts VoIP Users at Risk" Internetnews.com, January 13, 2004 "Patent Filed for Voice Blocking Technology," Virus Bulletin, June 29, 2004 "Blocking Internet Voice Spam" Maryland Daily Record, September 24, 2004.
Ed Tittel is a regular contributor to numerous TechTarget Web sites, and the author of over 100 books on a wide range of computing subjects from markup languages to information security. He's also a contributing editor for Certification Magazine, and edits Que Publising's Exam Cram 2 and Training Guide series of cert prep books. E-mail Ed at firstname.lastname@example.org.