
SPAM and SPIT: what are the dangers?


People are concerned about getting SPIT (spam over Internet telephony) in their ears these days. Deb Shinder wrote today about how UC (unified communications) might present new opportunities for spammers. People look at the new means of communicating with a warm fuzzy feeling inside, rushing to adopt new communications technologies for cost savings, better business integration, and so on -- then, with dawning horror, they begin to realize that the spam infection that has so invaded their email inboxes with advertisements for "sexual enhancement" and phishing links to steal their credit card numbers may spread to their telephones and other communications media.

These are good things to think about. Consider the ramifications of your technology choices, and think about how you can protect yourself against what is going to happen. Ponder all the possibilities, all the consequences of changing technologies.

On the other hand, there's a lot more to it than just identifying potential problems. You need to consider how such problems are likely to arise in order to be able to do anything useful with that information. Risk assessment in situations like this, to be accurate and meaningful, has to entail more than just throwing your hands in the air and saying "I can't use anything! It's all just a vector for more attacks!"

Deb did a good job bringing this to our attention. Let's have a look at:

Future Conditions of SPIT

Email spam is as prevalent as it is for exactly one reason: the ubiquity of email. As Deb rightly points out, spitters benefit from a lack of per-call costs when spitting at you, just as spammers benefit from a lack of costs for stamps to spam at you. The reason for this in both cases is that beyond getting basic connectivity to the Internet, there's no charge involved in sending calls (or emails). On the other hand, spitters won't want to get caught any more than spammers do.

That's why we have spam and phishing botnets. TCP/IP traffic can be traced back to its source, which could cause a lot of problems for spitters and spammers. The solution spammers have come up with to this problem is the almighty botnet: infect thousands of MS Windows desktop systems with a spam trojan that uses the infected system's resources to send spam to the world. This not only makes the trail to find a spammer end (usually) at the infected system, but also geometrically increases the volume of spam that a single spammer's efforts can produce. Without these capabilities, spam wouldn't be anywhere near the problem it is now -- and until spitting can be accomplished in the same way, there won't be this kind of volume of spit, either.

What spam has and spit doesn't is the ubiquity of sending capability. It's easier for a computer to have the ability to send email than to have real internet telephony for a number of reasons.

Limitations of SPIT

  • Perhaps most obviously, VOIP is high-bandwidth, while email is not. VOIP isn't just carrying ASCII text, words rendered into digital code; VOIP has to turn an analog signal into digital code, send it from point to point through multiple gateways without significant data loss, and reassemble an analog signal at the other end. This involves very high bandwidth requirements as contrasted with email, and requires a lot more error correction to do effectively.
  • IP telephony (closely related to VOIP itself, with a lot of overlap) requires IP-to-POTS gateways at least until everyone with a telephone is using VOIP. These gateways can be expensive, and having one on-site defeats the cost savings purpose of IP telephony. As such, people using VOIP for their telephones tend to pay for access from a POTS gateway service provider. This is much cheaper (in most cases, at least) than maintaining a non-VOIP telephone line, which usually costs around $25 per month even without long distance, in my experience. Because of the problem of needing a gateway service and maintaining the VOIP system in your home yourself, self-managed IP telephony uptake will be slow for a while -- too slow for spit botnets to grow in that niche.
  • Home IP telephony services are increasingly being offered by ISPs. You may have noticed that Comcast Cable, for instance, is pushing its VOIP package pretty hard. This moves the entire service off-site, so you don't have to maintain anything but your Comcast (or whoever's providing the complete service) bill. These IP telephony service providers don't go through your computer, though -- they provide you with dedicated VOIP equipment. This means that would-be spit botnet masters are going to have to adapt from the easy spam botnet model to the more difficult spit botnet model, where the platform is an embedded system rather than a general purpose OS like MS Windows, which is notorious for its lax security in average deployments.

The Dangers of IP Telephony

So far, it doesn't seem like spit will be much of a danger for a while. The worst that IP telephony will do for spit in the short term is make long-distance telemarketers a little more profitable. Unless VOIP on the home front moves from the occasional dedicated device to a PC feature in widespread use, we should not see anywhere near the volume of general spit that we have of spam. As IP telephony becomes more popular, though, keep an eye out for changes in the technology.

Once VOIP does start becoming a highly popular means of communication, new problems will arise that seem like solved problems for email spam. For instance, it's more difficult to produce a reliable Bayesian spit filter than a Bayesian spam filter, especially if you want to minimize false positives. At the moment, about the only ways to reliably filter spit would probably be to either disallow all incoming calls (probably not ideal for most people) or use whitelists and blacklists for allowed communication partners (probably more reasonable for home users than for businesses with toll-free customer service lines, but still suboptimal).
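
The whitelist/blacklist screening described above, as an added example (not code from the original article): it applies a default-deny home policy and a default-allow business policy to constructed SIP INVITE headers to show where each one misjudges a call. The policy names, domains and helper functions are hypothetical.

```python
import re

# Constructed SIP INVITE excerpts (sample data, not captured traffic).
def _invite(from_value):
    return ("INVITE sip:desk@office.example SIP/2.0\r\n"
            f"From: {from_value}\r\nTo: <sip:desk@office.example>\r\n\r\n")

SAMPLES = {
    "known friend":   _invite('"Alice" <sip:alice@friends.example>;tag=a1'),
    "new customer":   _invite('<sip:carol@customers.example>;tag=c3'),
    "listed spitter": _invite('"Promo" <sip:offers@bulk-dialer.example>;tag=s9'),
    "fresh spitter":  _invite('<sip:deals@fresh-domain.example>;tag=s10'),
    "no From header": "INVITE sip:desk@office.example SIP/2.0\r\n\r\n",
}

FROM_RE = re.compile(r"^From:[^\r\n]*?sips?:([^@>;\s]+)@([^>;:\s]+)", re.I | re.M)

def caller_identity(invite):
    """Return 'user@domain' (lower-cased) from the From header, or None."""
    m = FROM_RE.search(invite)
    return f"{m.group(1)}@{m.group(2)}".lower() if m else None

def screen(invite, allow, deny, default):
    """Return 'accept' or 'reject'. List entries are user@domain or a bare domain."""
    ident = caller_identity(invite)
    if ident is None:
        return "reject"                      # unparseable caller: fail closed
    keys = {ident, ident.split("@", 1)[1]}
    if keys & deny:
        return "reject"                      # blacklist wins over whitelist
    if keys & allow:
        return "accept"
    return default

# Hypothetical policies: a home user can default-deny; a business with a
# public customer line has to default-allow and rely on the blacklist.
HOME = dict(allow={"friends.example"}, deny={"bulk-dialer.example"}, default="reject")
BUSINESS = dict(allow=set(), deny={"bulk-dialer.example"}, default="accept")

def run_policies():
    """Map each sample name to its (home, business) verdicts."""
    return {name: (screen(inv, **HOME), screen(inv, **BUSINESS))
            for name, inv in SAMPLES.items()}

if __name__ == "__main__":
    # The From header is caller-asserted, so a list match is only as
    # trustworthy as the identity behind it.
    for name, (home, biz) in run_policies().items():
        print(f"{name:15} home={home:7} business={biz}")
```

The home policy turns away the legitimate new customer (a false positive), while the business policy lets through the spitter calling from a domain that is not yet on the blacklist.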

Of course, there are other dangers in dealing with VOIP and Internet telephony than just spit. Encryption is important to maintain privacy, for example, because it is a lot easier to tap a phone line when that "phone line" is just a stream of data over the Internet. Incoming calls might contain malware at some point in the future -- or, particularly if we use VOIP systems that try to do too much magic with handling file types (such as running an IP telephony terminus on a current Microsoft Windows machine), we might get malware arriving on the VOIP protocol's port, but getting executed by some other program instead of handed off to the device that demodulates the digital signal to recreate the analog voice in your ear.

Finally, the biggest threat to VOIP systems in the near future -- a threat that doesn't require VOIP to be very popular at all -- may actually be spam (and email phishing). If you're deploying VOIP systems at your place of business (or even at home, being that kind of bleeding-edge technology geek) -- e.g., with an Asterisk server connected to POTS through a gateway service provider -- there are other things to consider for security purposes. VOIP is, like any other communication protocol on the Internet, managed by services running on computers. Just as with those other protocols, these server processes can constitute a security risk, and they need to be protected: firewalled, hidden from port scans, watched by logging programs, and so on. Even if you're not getting spit all over you, you still might get your VOIP server hijacked and turned into an email spam bot.

I find that pretty ironic.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

15 comments
CharlieSpencer

My initial search attempts yielded references to saliva, but I don't think that's what you're talking about. Remember, always define your acronyms and abbreviations the first time you use them in an article :-)

Justin James

As you identify, the means to this "SPIT" (first time I heard that was today) are trickier to botnet due to the way VOIP works. Of much bigger concern to me is the possibility of TXT SPAM. My cell phone, for example, will receive messages sent to phonenumber@vtext.com as a TXT message. All a spammer needs is a list of area codes and if they want to make it waste less bandwidth and CPU, the exchanges set aside for cell phones, and BAM! Everyone's phone is blowing up day and night. No, thank you. At that point, we'd either need to disable the SMS systems, or turn the phone off except to make outbound calls, presumably to a phone that isn't turned off... This is a prospect that frightens me, because it essentially rolls back 10 years of mobile development, puts us back to square one on a lot of things, and ensures that the cell phone is dead except to call the tow truck. J.Ja

apotheon

If you look closely at the article, you may notice that the first time any uncommon acronym or abbreviation is used (and even for some common acronyms and abbreviations), there's a dotted underline. If you point your mouse cursor at such an underlined term, a "tooltip" will pop up with the expanded definition of the term on graphical browsers such as Firefox. This uses the W3C standard acronym and abbr tags. Give it a try.

Dr Dij

Spam is made from unmentionable parts of the animal, and high in cholesterol. Fry it for even more fun. Spit is unhealthy - spreads diseases; there are city ordinances against SPITting. And gross. Usually people spit because they chew tobaccy or just have some horrible taste in their mouth (which they could cure with brushing and mouthwash). I can't imagine any of these people have a significant other with such gross habits. I guess that's why there are red-light districts. If you're a Russian or Brazilian hacker gang, SPIT is healthy for you, as it increases your income potential: you can leave voice mails almost for free, it is VOIP 'voice spam'. Since a criminal entrepreneur in Miami already hacked into VoIP services to resell them, this will probably be in the mix too. I have this happening with digital fax now - Canadian 'gangs' or pump-n-dump send endless FaxSpam (FIT? XAM?) to my phone# at work, which is also fax machine if a fax machine calls it, that emails me the fax if they send one. They get around phone costs by using various internet fax for free or almost nothing services.

Justin James

I get the "tooltip", but I do not see the underline. My experience has been that TR often has some utterly bizarre CSS that works in Firefox, but not in IE... but it is not W3C, either. Strange.

Edit: In fact, this page gets nearly 1,400 W3C validation errors! Some of them are truly bonehead mistakes, like "scrolloing=n o". Further examination of the topic reveals that W3C specs do not mandate that the acronym tag get underlined at all, or have any special visual attributes; it is merely a phrase marker, like em is (em works nicely because everyone defines it as italicized by default, but that does not need to be the case!). So, that means that this behavior of acronym must be defined in the CSS sheets. I examined all of the CSS sheets referred to in the blog's source, *not a single one of them* defines a style for the "acronym" tag. Testing in IE 7 shows that the "acronym" tag does not get any special treatment. Firefox 2 only underlines the acronym tag when the title attribute is defined; it will do the popup for other elements with title tags, but not the underline. Therefore, my analysis is the following:

* Both IE 7 and Firefox 2 are handling this in a standards compliant fashion.
* Firefox 2 has a built-in CSS sheet that is friendlier than IE 7's in this particular case.

Edit #2: Bloody brilliant. I always forget that TR's editor is too dumb to escape the less than or greater than sign... J.Ja

CharlieSpencer

I saw the underline when I first read the article but I was clicking on it and getting nothing. Apparently I didn't hover over it long enough. Standards are great if you're aware of them, but until now I hadn't encountered this one.

Justin James

... not only does the page you linked to say it works in IE, it makes it clear that the default behavior in Firefox is Firefox specific, and shows how to do it in IE: "As an added bonus, you can change the look of all your acronyms using cascading style sheets. This works in all tools, not just Radio. Here is the rule I use to produce the dotted underline in all browsers (not just Mozilla):" J.Ja

Justin James

I tested this yesterday, that is entirely incorrect. IE simply implements a different default style than Firefox for this tag, which is perfectly legal in the HTML DTD that this page uses. I would also suggest you run the pages on this site through the W3C's HTML validator before you try to stand on W3C standards as a defense of something not working, in the future. It looks bad to invoke them given the site's failure to pass validation. My personal favorite is "scolling=n o" on an attribute for an iframe... J.Ja

apotheon

IE supports the <acronym> tag, but not the <abbr> tag. Even the page to which you linked says so.

Justin James

1) i is deprecated, em is the current standard; this is because of reason #2. 2) HTML is moving to be a more semantic, and less presentation, oriented system. i is presentation, it says "make this italic". em is semantic, it says, "this should be emphasized". It just so happens that all browsers implement this by default as making it italic. This also allows style sheets that implement the concept of "emphasis" in ways other than italics (different color, bolding, whatever) depending on the user's needs and device capabilities. For example, a screen reader can "see" "emphasis" and put stress in the voice, but italics don't always mean "this is important", they could mean "this is a magazine title." J.Ja

Absolutely

Why do people use 'em,' when 'i' achieves the same result with fewer keystrokes? Oh, there [i]is[/i] a very important point, and I'll bring it up, a little later. For now, these bits of trivia are amusing me.