SPAM and SPIT: what are the dangers?

People are concerned about getting SPIT in their ears these days. Deb Shinder just wrote about how UC might present new opportunities for spammers today. People look at the new means of communicating with a warm fuzzy feeling inside, rushing to adopt new communications technologies for cost savings, better business integration, and so on -- then, with dawning horror, they begin to realize that the spam infection that has so invaded their email inboxes with advertisements for "sexual enhancement" and phishing links to steal our credit card numbers may spread to their telephones and other communications media.

These are good things to think about. Consider the ramifications of your technology choices, and think about how you can protect yourself against what is going to happen. Ponder all the possibilities, all the consequences of changing technologies.

On the other hand, there's a lot more to that than just identifying potential problems. You need to consider how such problems are likely to arise in order to be able to do anything useful with that information. Risk assessment in situations like this, to be accurate and meaningful, has to entail more than just throwing your hands in the air and saying "I can't use anything! It's all just a vector for more attacks!"

Deb did a good job bringing this to our attention. Let's have a look at:

Future Conditions of SPIT

Email spam is as prevalent as it is for exactly one reason: the ubiquity of email. As Deb rightly points out, spitters benefit from a lack of per-call costs when spitting at you, just as spammers benefit from a lack of costs for stamps to spam at you. The reason for this in both cases is that beyond getting basic connectivity to the Internet, there's no charge involved in sending calls (or emails). On the other hand, spitters won't want to get caught any more than spammers do.

That's why we have spam and phishing botnets. TCP/IP traffic can be traced back to its source of origin, which could cause a lot of problems for spitters and spammers. The solution spammers have come up with to this problem is the almighty botnet: infect thousands of MS Windows desktop systems with a spam trojan that uses the infected system's resources to send spam to the world. This not only makes the trail to find a spammer end (usually) at the infected system, but also provides geometrically increased capacity for volume of spam due to the efforts of a single spammer. Without these capabilities, spam wouldn't be anywhere near the problem it is now -- and until spitting can be accomplished in the same way, there won't be this kind of volume of spit, either.

What spam has and spit doesn't is the ubiquity of sending capability. It's easier for a computer to have the ability to send email than to have real internet telephony for a number of reasons.

Limitations of SPIT

  • Perhaps most obviously, VOIP is high-bandwidth, while email is not. VOIP isn't just carrying ASCII text, words rendered into digital code; VOIP has to turn an analog signal into digital code, send it from point to point through multiple gateways without significant data loss, and reassemble an analog signal at the other end. This involves very high bandwidth requirements as contrasted with email, and requires a lot more error correction to do effectively.
  • IP telephony (closely related to VOIP itself, with a lot of overlap) requires IP-to-POTS gateways at least until everyone with a telephone is using VOIP. These gateways can be expensive, and having one on-site defeats the cost savings purpose of IP telephony. As such, people using VOIP for their telephones tend to pay for access from a POTS gateway service provider. This is much cheaper (in most cases, at least) than maintaining a non-VOIP telephone line, which usually costs around $25 per month even without long distance, in my experience. Because of the problem of needing a gateway service and maintaining the VOIP system in your home yourself, self-managed IP telephony uptake will be slow for a while -- too slow for spit botnets to grow in that niche.
  • Home IP telephony services are increasingly being offered by ISPs. You may have noticed that Comcast Cable, for instance, is pushing its VOIP package pretty hard. This moves the entire service off-site, so you don't have to maintain anything but your Comcast (or whoever's providing the complete service) bill. These IP telephony service providers don't go through your computer, though -- they provide you with dedicated VOIP equipment. This means that would-be spit botnet masters are going to have to adapt from the easy spam botnet model to the more difficult spit botnet model, where the platform is an embedded system rather than a general purpose OS notorious for its lax security in average deployments like MS Windows.

The Dangers of IP Telephony

So far, it doesn't seem like spit will be much of a danger for a while. The worst that IP telephony will do for spit in the short term is make long-distance telemarketers a little more profitable. Unless VOIP on the home front moves from the occasional dedicated device to a PC feature in widespread use, we should not see anywhere near the volume of general spit that we have of spam. As IP telephony becomes more popular, though, keep an eye out for changes in the technology.

Once VOIP does start becoming a highly popular means of communication, new problems will arise that seem like solved problems for email spam. For instance, it's more difficult to produce a reliable Bayesian spit filter than a Bayesian spam filter, especially if you want to minimize false positives. At the moment, about the only ways to reliably filter spit would probably be to either disallow all incoming calls (probably not ideal for most people) or use whitelists and blacklists for allowed communication partners (probably more reasonable for home users than for businesses with toll-free customer service lines, but still suboptimal).

Of course, there are other dangers in dealing with VOIP and Internet telephony than just spit. Encryption is important to maintain privacy, for example, because it is a lot easier to tap a phone line when that "phone line" is just a stream of data over the Internet. Incoming calls might contain malware at some point in the future -- or, particularly if we use VOIP systems that try to do too much magic with handling file types (such as running an IP telephony terminus on a current Microsoft Windows machine), we might get malware arriving on the VOIP protocol's port, but getting executed by some other program instead of handed off to the device that demodulates the digital signal to recreate the analog voice in your ear.

Finally, the biggest threat to VOIP systems in the near future -- a threat that doesn't require VOIP to be very popular at all -- may actually be spam (and email phishing). If you're deploying VOIP systems at your place of business (or even at home, being that kind of bleeding-edge technology geek) -- e.g., with an Asterisk server connected to POTS through a gateway service provider -- there are other things to consider for security purposes. VOIP is, like any other communication protocol on the Internet, managed by services running on computers. Just as with those other protocols, these server processes can constitute a security risk, and they need to be protected: firewalled, hidden from port scans, watched by logging programs, and so on. Even if you're not getting spit all over you, you still might get your VOIP server hijacked and turned into an email spam bot.

I find that pretty ironic.