Defeating SPIT With A Simple Captcha Script

by Brian McConnell

People are right to worry about SPIT. Once it becomes possible for people to make SIP calls from one network to another without a pre-existing peering relationship, it becomes possible for malicious users to start flooding those networks with automated calls.

There is, however, a simple solution that allows VoIP network providers to strike a reasonable compromise between openness (e.g. the ability for anybody to dial user@voipprovider.com, just as they might send an email via SMTP), and reasonable security measures to thwart automatic dialing.

One simple trick that providers can implement is to force callers to respond to a voice prompt like "To complete this call, dial 1 (random noise) 2 (random noise) 5 (random noise)." The goal is to exploit the limitations of automated speech recognition so that a bot cannot get past this IVR challenge question. The IVR will always play a slightly different sentence, so it's not obvious where the spoken digits begin, and then will intermix the spoken digits with background noises that will confuse a computer. Same basic idea as prompting a user to transcribe distorted text.

Once the caller passes this voice captcha test, that user's endpoint can be added to a white list so that subsequent calls can be processed automatically.

While this will not prevent robot dialers from hogging capacity on the IVR systems that answer these calls, it is a good strategy for keeping SPIT calls away from live users and their voice mail boxes. It isn't a cure-all in and of itself, and should be used in combination with other techniques, such as building whitelists of VoIP networks that peer with each other, automatically identifying suspicious calling patterns so they can be blocked at the firewall, and so forth.
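The challenge-then-whitelist flow the post describes, as an added Python example that is not part of the original post: prompt generation with varied sentence skeletons and noise markers, DTMF verification with a time limit and an attempt cap, and a whitelist entry with an expiry for endpoints that pass. The `<noise>` marker, the `sip:` caller identifiers and the parameter values are assumptions; text-to-speech and the actual noise mixing are left to the IVR platform, which this code only feeds with prompt text.

```python
"""Voice-captcha gate for inbound calls: challenge generation, DTMF
verification and an endpoint whitelist (added illustration, not the post's code)."""
import random
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Prompt skeletons are varied so the spoken digits never sit at a fixed offset
# in the audio. "<noise>" is an assumed marker where the IVR would splice in
# background noise between digits, as the post suggests.
PROMPT_TEMPLATES = [
    "To complete this call, dial {digits}.",
    "Before we connect you, please enter {digits} on your keypad.",
    "This number is protected. Key in {digits} to continue.",
]


@dataclass
class Challenge:
    expected: str       # digits the caller must send back via DTMF
    issued_at: float    # epoch seconds when the prompt was played
    attempts: int = 0   # wrong answers so far


class VoiceCaptchaGate:
    def __init__(self, digit_count: int = 4, max_attempts: int = 3,
                 challenge_ttl: float = 60.0, whitelist_ttl: float = 7 * 86400.0,
                 seed: Optional[int] = None):
        self.digit_count = digit_count
        self.max_attempts = max_attempts      # wrong answers before the challenge is voided
        self.challenge_ttl = challenge_ttl    # seconds a challenge stays answerable
        self.whitelist_ttl = whitelist_ttl    # seconds a passed endpoint stays trusted
        # SystemRandom in production; a seed is only for reproducible tests.
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self._pending: Dict[str, Challenge] = {}   # caller -> open challenge
        self._whitelist: Dict[str, float] = {}     # caller -> expiry (epoch seconds)

    def is_whitelisted(self, caller: str, now: Optional[float] = None) -> bool:
        """True if the endpoint passed a challenge and the entry has not expired."""
        now = time.time() if now is None else now
        expiry = self._whitelist.get(caller)
        if expiry is None:
            return False
        if now >= expiry:
            del self._whitelist[caller]   # lazy expiry; force a fresh challenge
            return False
        return True

    def issue(self, caller: str, now: Optional[float] = None) -> str:
        """Create a fresh challenge for `caller` and return the prompt text to play."""
        now = time.time() if now is None else now
        digits = "".join(str(self.rng.randrange(10)) for _ in range(self.digit_count))
        self._pending[caller] = Challenge(expected=digits, issued_at=now)
        spoken = " <noise> ".join(digits)   # e.g. "1 <noise> 2 <noise> 5 <noise> 8"
        return self.rng.choice(PROMPT_TEMPLATES).format(digits=spoken)

    def expected_digits(self, caller: str) -> Optional[str]:
        """Answer for the caller's open challenge (for the IVR/test harness)."""
        ch = self._pending.get(caller)
        return ch.expected if ch else None

    def verify(self, caller: str, dtmf: str, now: Optional[float] = None) -> bool:
        """Check the DTMF reply; on success whitelist the endpoint for whitelist_ttl."""
        now = time.time() if now is None else now
        ch = self._pending.get(caller)
        if ch is None or now - ch.issued_at > self.challenge_ttl:
            self._pending.pop(caller, None)   # stale or unknown: caller must re-dial
            return False
        ch.attempts += 1
        # Keep digits only, so "1#2#5#8" or "1 2 5 8" from the IVR still compares.
        answer = "".join(c for c in dtmf if c.isdigit())
        if answer == ch.expected:
            del self._pending[caller]
            self._whitelist[caller] = now + self.whitelist_ttl
            return True
        if ch.attempts >= self.max_attempts:
            del self._pending[caller]         # void the challenge after too many misses
        return False


if __name__ == "__main__":
    gate = VoiceCaptchaGate()
    caller = "sip:alice@example.net"          # constructed sample endpoint
    print(gate.issue(caller))
    print("passed:", gate.verify(caller, gate.expected_digits(caller)))
    print("whitelisted:", gate.is_whitelisted(caller))
```

The whitelist key must be something the provider can actually verify (an authenticated registration, or the peer it arrived from), not the bare `From` header, otherwise a caller that simply claims an already-whitelisted identity inherits its entry. The attempt cap and the challenge TTL bound how many guesses one call gets at a four-digit answer; the expiry on whitelist entries limits how long a one-time pass stays useful.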

4 Comments

Bruce Stewart
2006-05-09 13:54:27
Great suggestion Brian! Another interesting point about combatting SPIT that David Schwartz made in his Blue Box interview was that SPIT calling patterns are pretty easy to pick out from normal voice traffic (easier than it is to differentiate spam emailers). It sounded like he was proposing or working on traffic analysis tools that carriers could use to identify SPIT calls with a high degree of accuracy.
peetee
2006-05-10 18:28:00
Why not discourage SPIT by using a technique such as the one put forth by Cullen Jennings (http://www.ietf.org/internet-drafts/draft-jennings-sip-hashcash-04.txt) that requires no manual intervention?
Alicia
2007-05-22 07:15:46
There are many techniques to discourage SPIT, but unfortunately most of them have downsides. It is very annoying for users to dial the numbers mentioned in the voice captcha. Just as with visual captchas (ex. www.captchacreator.com) there are alternatives to detect and stop bots without annoying live users.
Juan
2007-07-29 07:39:23
Very good topic.
By adding puzzles and roadblocks to spammers, we are killing traffic to websites as users get very uncomfortable.


http://www.mediaplanetaria.com/