Oct 30, 2013 (3 years and 10 months ago)

Detection and Mitigation of Spam in IP Telephony Networks using Signaling Protocol Analysis

MacIntosh, R.; Vinokurov, D.

Advances in Wired and Wireless Communication, 2005 IEEE/Sarnoff Symposium on, April 18-19, 2005



2

Outline


- Introduction
- Problem description
  - Voice Spam specifics
  - Anonymity
- SPIT scenarios and implications for signaling
- Statistics for signaling
- Conclusion
- Reference

3

Introduction


- The proposed approach is based on the simple analysis of the VoIP signaling messages (set-up and termination requests).
- Once implemented on the call server, the method enables service providers or enterprises to block external spam sources targeting their voice networks.

4

Problem description


Voice Spam specifics

- Spam over IP Telephony (SPIT)
  - Unsolicited voice messages
  - Combination of a telemarketing call and an email spam message
- Consists of two parts: signaling and media data
- Analyzing data content may be not only impractical but also not legal in many cases
- Detect the call as spam before the actual call happens, i.e., during the signaling exchange stage.

5

Anonymity



- VoIP technology provides freedom for aliases and anonymity services.
- Incoming calls can be anonymous, in that the recipient is unable to determine the actual caller.

6

Anonymity (cont)

[Figure: signaling diagram with the nodes Spammer, Proxy1, Proxy2, B2BUA, SGW1, SS7, SGW2 and User, annotated with the header fields visible along the way. Annotations: "Regular Header Field"; "No CallerID, Contact: B2BUA"; "From: random alias, Contact: session counterpart"; "From: anonymized or non-displayed, No CIN"; "No CallerID, From: GW2, Contact: GW2"; "Via: ncnu.edu, Contact: b2b@ncnu.edu"; "Via: sell.com, From: random, Contact: spit@sell.com"; "Via: gw2.carrier.net, From: ua@gw2.carrier.net".]

7

SPIT scenarios and implications for signaling

- The detection of spam is based on three main constituents:
  - Signaling routing data of the voice spam.
  - Spam calls are unidirectional.
  - Spam call termination behavior is statistically consistent.
- Each call's time and destination must be kept for further analysis.

8

SPIT scenarios and implications for signaling (cont)

Five states:

- Persistent telemarketer
  - Call setup requests go from the spammer to recipients, whereas termination requests flow from recipients to the spammer.
  - i.e., telephone polls
- Timer-conscious spammer
  - The telemarketer tries to cover as many recipients as possible, and hangs up when he figures out that his offer is unlikely to be accepted.
  - Call setup and termination requests go in the same direction, from the spammer to recipients.
  - i.e., fax broadcasting falls into this category.

9

SPIT scenarios and implications for signaling (cont)

- Prerecorded message
  - SPIT is being distributed by an automated calling engine as a played message.
  - Call setup and termination requests go the same direction from the spammer to recipients.
- Message deposited to the voice mailbox
  - Can either leave the message or terminate the session as soon as presence of voice mailbox is detected.
  - Setup and termination requests go from the spammer to the recipient's side.

10

SPIT scenarios and implications for signaling (cont)


Calls set by third party


11

Statistics for signaling


- Every VoIP signaling protocol has its specific session setup and termination requests.
  - For SIP, these are INVITE and BYE respectively.
- Detection statistics
- Reaction to detected SPIT
- Limitations of the identity-based statistics



12

Detection statistics


- Monitor the VoIP signaling traffic on the recipients' access domain Call Server (CS)

[Figure: Spammer, monitored network, call server, local monitoring module, users.]

13

Detection statistics (cont)


- Maintain four stateless counters for the number of times that set-up (SET) and termination (TER) requests passed out and into the monitored network for the calls
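
An added sketch of this counting, not code from the paper or the slides: it keeps the four SET/TER counters per external caller identity over constructed signaling records and flags identities whose set-ups only flow inward. The domain voice.example, the record format, the min_calls threshold and the flagging rule are assumptions; the paper's own detection statistic is not shown on this page.

```python
from collections import defaultdict

LOCAL_DOMAIN = "voice.example"            # assumed name of the monitored network
KIND = {"INVITE": "SET", "BYE": "TER"}    # SIP set-up / termination requests

def is_local(identity):
    return identity.rsplit("@", 1)[-1].lower() == LOCAL_DOMAIN

def count_requests(events):
    """Per external identity, count SET/TER requests entering ("in") and
    leaving ("out") the monitored network. No per-call state is kept."""
    stats = defaultdict(lambda: {"SET_in": 0, "SET_out": 0, "TER_in": 0, "TER_out": 0})
    for method, sender, receiver in events:
        kind = KIND.get(method)
        if kind is None or is_local(sender) == is_local(receiver):
            continue  # other methods, or traffic that does not cross the border
        if is_local(receiver):
            stats[sender][kind + "_in"] += 1
        else:
            stats[receiver][kind + "_out"] += 1
    return dict(stats)

def classify(c, min_calls=5):
    """Assumed heuristic: flag only identities with enough inbound set-ups
    and no set-ups in the other direction (unidirectional calling)."""
    if c["SET_in"] < min_calls or c["SET_out"] > 0:
        return "no flag"
    if c["TER_out"] > c["TER_in"]:
        return "unidirectional, recipients hang up"   # persistent telemarketer pattern
    return "unidirectional, caller hangs up"          # timer-conscious / prerecorded pattern

def sample_events():
    """Constructed signaling records: (method, sender, receiver)."""
    u0 = f"user0@{LOCAL_DOMAIN}"
    ev = []
    for i in range(6):
        user = f"user{i}@{LOCAL_DOMAIN}"
        ev += [("INVITE", "spit@sell.com", user), ("BYE", "spit@sell.com", user)]
        ev += [("INVITE", "poll@survey.example", user), ("BYE", user, "poll@survey.example")]
    # An ordinary contact: calls go both ways.
    ev += [("INVITE", "carol@partner.example", u0), ("BYE", u0, "carol@partner.example"),
           ("INVITE", u0, "carol@partner.example"), ("BYE", "carol@partner.example", u0)]
    ev.append(("INVITE", u0, f"user1@{LOCAL_DOMAIN}"))  # internal call, not counted
    return ev

if __name__ == "__main__":
    for ident, c in sorted(count_requests(sample_events()).items()):
        print(ident, c, "->", classify(c))
```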


14

Detection statistics (cont)

15

Reaction to detected SPIT


- Warning
  - Display the text warning on the phone, use special ringing tone
- Call delay
  - Switch the caller to the recipient's voice mail, reject the request and report the callerID and the call at a later time as a missed one
- Call cancellation
  - Drop the call setup on behalf of recipient

16

Limitations of the identity-based statistics

- The spammer can try to hide his real identity from the recipient.
- The spammer could be a temporarily assumed username.
- An assumption that could be made is that the spammer is constant for a reasonable time period; however, this is the most serious limitation for any approach based on statistics per user.

17

Conclusion


- The SPIT detection and blocking method presented in this paper has a number of technological advantages.
- It relies exclusively on the local policy of the service provider or enterprise protecting its voice network, and can be implemented as a stand-alone module in various elements of the voice network.

18

Reference


- Signaling System 7 (SS7): Encyclopedia of Technology Terms
- RFC 3515: The Session Initiation Protocol (SIP) Refer Method
- RFC 3398: Integrated Services Digital Network (ISDN) User Part (ISUP) to Session Initiation Protocol (SIP) Mapping
- B2BUA (draft-marjou-sipping-b2bua-00): Requirements for a Session Initiation Protocol (SIP) Transparent Back-To-Back User-Agent (B2BUA)