[humanresolv] Re: Fighting SPIT on a cell phone

"Pars Mutaf" <pars.mutaf@gmail.com> Tue, 08 January 2008 14:53 UTC

Message-ID: <18a603a60801080653v1ced8eefka2d8a30c5846e5be@mail.gmail.com>
Date: Tue, 8 Jan 2008 15:53:54 +0100
From: "Pars Mutaf" <pars.mutaf@gmail.com>
To: asrg@ietf.org
In-Reply-To: <18a603a60801080643h7b62d1e9xb9ed717e486bba35@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <18a603a60801080643h7b62d1e9xb9ed717e486bba35@mail.gmail.com>
Cc: humanresolvers@ietf.org
Subject: [humanresolv] Re: Fighting SPIT on a cell phone

[sorry for cross-posting]

Hello,

I want to leave my cell phone number (SIP URI) on a discussion forum, or
web page, blog, craigslist etc., but wish to avoid SPIT (SPam over Internet
Telephony). A solution is presented below (with variations called weak,
strong and indirect).

Comments are appreciated.

Regards,
Pars Mutaf


1. Weak solution

I leave the IP address of my cell phone but not a SIP URI. An interested
party sends a request to my phone. My phone generates a random SIP URI
and returns a different SIP URI to each querier.

If I receive SPIT to the SIP URI 'x', then I can cancel it. Since each
querier is returned a different SIP URI, legitimate parties can continue
to call me or send SMS.

Since the SIP URI 'x' was canceled, a SPITer can request another one
and still send me SPIT. To avoid this attack, the querier can be requested
to solve a hard challenge e.g. a CAPTCHA. A SIP URI will be returned only
after the querier user provided the solution. The difficulty of the CAPTCHA
can be adaptively tuned by the target host.

When done, i.e. the desired phone call is received, the target user
can stop receiving requests to the indicated IP address.


2. Strong solution

I leave the IP address of my phone but not a SIP URI. I want to
receive phone calls or SMS only from people that I know. An interested party
sends a request to my phone. My phone displays a message with the
requester's name, e.g.:

   "Alice Collins requested phone number. Accept? [YES/NO]"

If I accept, my phone generates a random SIP URI and returns it to the
querier.

This solution requires human name certification.

An attacker can send continuous bogus requests to the target IP
address and make the target phone continuously display the above message,
annoying the target user. This attack can be defeated by requesting the
querier user to solve a hard CAPTCHA before his request can be displayed
at the target host's screen. The difficulty of the CAPTCHA can be
adaptively tuned by the target host.


3. Indirect solution (using e-mail)

I leave the IP address of my cell phone and a randomly generated
e-mail address. The mobile host (cell phone) is its own mail server. The
mail is routed to the e-mail address at the indicated IP address.

The querier can send me an e-mail with a brief text explaining why a
SIP URI is requested. The e-mail content will be limited to several lines,
reducing space for spam. E-mails containing a URL can be dropped by the
host since the querier is not supposed to indicate a URL to request a SIP
URI. Similarly, e-mails containing an image can also be dropped.


==
Interested folks please subscribe to:
https://www1.ietf.org/mailman/listinfo/humanresolvers

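The following is an added, constructed example and not code from the post or from the humanresolvers list: a toy model of the three variants described above, so the mechanics can be checked end to end. The phone hands each querier its own random SIP URI (weak solution), optionally asks the owner to approve the request first (strong solution), revokes a single URI when SPIT arrives on it without affecting the other queriers, raises the challenge difficulty afterwards, and screens request e-mails for the indirect variant. The SIP domain `phone.example`, the `captcha_solved` flag, the `approve` callback and the `max_lines` limit are assumptions standing in for the CAPTCHA check, the "Accept? [YES/NO]" prompt and the "several lines" limit the post mentions.

```python
# Added example (not from the post): a toy model of the per-querier SIP alias scheme.
# The domain "phone.example", the captcha_solved flag and the approve callback are
# assumptions standing in for the CAPTCHA check and the owner's accept/deny prompt.
import re
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class AliasPhone:
    domain: str = "phone.example"                          # assumed SIP domain of the phone
    issued: Dict[str, str] = field(default_factory=dict)   # alias URI -> querier it was given to
    revoked: Set[str] = field(default_factory=set)         # aliases cancelled after SPIT
    accepting_requests: bool = True                        # "when done ... stop receiving requests"
    captcha_difficulty: int = 1                            # adaptively tuned by the target host

    def request_alias(self, querier: str, captcha_solved: bool,
                      approve: Optional[Callable[[str], bool]] = None) -> Optional[str]:
        """Weak solution: each querier gets a fresh random SIP URI once the CAPTCHA is solved.
        Strong solution: additionally ask the owner (the approve callback, modelling the
        "Accept? [YES/NO]" prompt) before anything is issued."""
        if not self.accepting_requests:
            return None
        if not captcha_solved:             # unsolved challenge: never reaches the screen
            return None
        if approve is not None and not approve(querier):
            return None
        alias = f"sip:{secrets.token_urlsafe(9)}@{self.domain}"
        self.issued[alias] = querier
        return alias

    def report_spit(self, alias: str) -> None:
        """Cancel only the alias that received SPIT; other queriers' aliases keep working.
        The phone also raises the challenge difficulty for future requests."""
        if alias in self.issued:
            self.revoked.add(alias)
            self.captcha_difficulty += 1

    def accepts_call(self, alias: str) -> bool:
        """Calls or SMS are delivered only to an issued, unrevoked alias."""
        return alias in self.issued and alias not in self.revoked


URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def screen_request_mail(body: str, has_image: bool = False, max_lines: int = 5) -> bool:
    """Indirect solution: a request e-mail reaches the user only if it is short and
    carries neither a URL nor an image. Returns True when the mail should be delivered."""
    lines = [ln for ln in body.splitlines() if ln.strip()]
    if len(lines) > max_lines:
        return False
    if has_image or URL_RE.search(body):
        return False
    return True


def demo() -> dict:
    """Walk through the scenario from the post: two queriers, one of them a SPITer."""
    phone = AliasPhone()
    alice = phone.request_alias("Alice Collins", captcha_solved=True)
    spitter = phone.request_alias("bulk-caller", captcha_solved=True)
    phone.report_spit(spitter)             # SPIT arrives on the spitter's alias: cancel it
    only_alice = lambda name: name == "Alice Collins"   # owner's decision in the strong variant
    return {
        "distinct_aliases": alice != spitter,
        "alice_still_reachable": phone.accepts_call(alice),
        "spitter_still_reachable": phone.accepts_call(spitter),
        "difficulty_after_spit": phone.captcha_difficulty,
        "unsolved_captcha_refused": phone.request_alias("bulk-caller", False) is None,
        "owner_can_deny": phone.request_alias("Unknown Caller", True, approve=only_alice) is None,
        "short_plain_mail_ok": screen_request_mail("Hi, it's Bob from the forum.\nCould you call me?"),
        "url_mail_dropped": not screen_request_mail("Great deals at http://spam.example/offer"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the simulation makes explicit is that revocation is per alias, not per phone: cancelling the SPITer's URI leaves Alice's working, and the cost of obtaining a replacement alias rises with every report.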