Let the SPIT wars begin


If SPAM arrives in your inbox at 4am, the chances are your antispam software will catch it. But even if it doesn’t, you won’t lose much sleep over its arrival.

But it’ll be a different story with SPIT (spam over internet telephony). Junk phone calls at 4am are going to drive you mad because the chances are that antispit software won’t be able to intercept the call.

Today, Andreas Schmidt and pals from the Fraunhofer-Institute for Secure Information Technology in Darmstadt, Germany, explain why intercepting SPIT is so much harder than spotting SPAM. The main difference between junk calls and junk email is that the email arrives at your mail server before you access it. This gives the server time to analyse its content and filter out the junk before it gets to you.

Internet telephony, on the other hand, goes straight through to you in (more or less) real time, giving your server little or no time to analyse its content.

There are still a number of strategies that could be employed to filter out SPIT. For example: white lists that allow only calls from predetermined callers; Turing tests, such as audio CAPTCHAs, that make a caller prove he or she is human; and payment-at-risk services, where the caller makes a small payment in advance and is refunded immediately if the receiver acknowledges the call as legitimate.
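To make two of these concrete, here is a sketch of a call screener that combines a white list with a payment-at-risk deposit. It is an added example, not code from the paper or from Schmidt's benchmarking tool; the `Screener` class, the 5-cent deposit, the SIP messages and all addresses are constructed for illustration, and it assumes the caller's From URI has already been authenticated upstream.

```python
import re
from dataclasses import dataclass, field

# Matches the From header (or its compact form "f") and captures the SIP URI.
FROM_RE = re.compile(r"^(?:From|f)\s*:.*?<?(sips?:[^>;\s]+)", re.I | re.M)

def caller_uri(invite):
    """Return the caller's URI with the host lower-cased, or None if absent."""
    m = FROM_RE.search(invite)
    if not m:
        return None
    user, sep, host = m.group(1).rpartition("@")
    return f"{user}{sep}{host.lower()}"

@dataclass
class Screener:
    whitelist: set
    deposit_cents: int = 5                        # constructed amount
    balances: dict = field(default_factory=dict)  # caller -> prepaid cents
    escrow: dict = field(default_factory=dict)    # call id -> (caller, cents)

    def screen(self, call_id, invite):
        """Decide, before the phone rings, what to do with an INVITE."""
        caller = caller_uri(invite)
        if caller is None:
            return "reject"
        if caller in self.whitelist:              # predetermined caller
            return "ring"
        if self.balances.get(caller, 0) < self.deposit_cents:
            return "reject"                       # cannot put payment at risk
        self.balances[caller] -= self.deposit_cents
        self.escrow[call_id] = (caller, self.deposit_cents)
        return "ring-with-deposit"

    def settle(self, call_id, legitimate):
        """Refund the deposit only if the receiver marks the call legitimate."""
        caller, cents = self.escrow.pop(call_id)
        if legitimate:
            self.balances[caller] += cents
            return cents
        return 0

# Constructed sample messages (not captured traffic).
INVITE_KNOWN = ("INVITE sip:me@home.example SIP/2.0\r\n"
                'From: "Alice" <sip:alice@Example.ORG>;tag=a1\r\n\r\n')
INVITE_UNKNOWN = ("INVITE sip:me@home.example SIP/2.0\r\n"
                  "From: <sip:dialer@bulk.example>;tag=z9\r\n\r\n")
```

Note that the decision has to be made from the signalling alone, before any audio exists to analyse, which is the real-time constraint described above.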

But Schmidt and pals don’t seem confident that these techniques will work. They happily point out the disadvantages of each strategy, showing how most are either impractical or easily circumvented by a determined spitter.

They have even created a program that implements all of these attacks. Their idea is to use the program as a benchmarking tool against which people can test antispitting strategies.

Spitting is a problem that is likely to get worse. Much worse, if the estimates are correct that as much as 90 per cent of email traffic is SPAM.

So to all you computer security guys out there: hustle, hustle, hustle. I need my sleep.

Ref: arxiv.org/abs/0806.1610: Spam over Internet Telephony and How to Deal With It

