[humanresolv] Fighting SPIT on a cell phone

"Pars Mutaf" <pars.mutaf@gmail.com> Tue, 08 January 2008 14:44 UTC

Message-ID: <18a603a60801080643h7b62d1e9xb9ed717e486bba35@mail.gmail.com>
Date: Tue, 8 Jan 2008 15:43:55 +0100
From: "Pars Mutaf" <pars.mutaf@gmail.com>
To: asrg@ietf.org
Cc: humanresolvers@ietf.org
List-Id: Pairing cellular hosts <humanresolvers.ietf.org>

[sorry for cross-posting]

Hello,

I want to leave my cell phone number (SIP URI) on a discussion forum, web
page, blog, craigslist etc., but wish to avoid SPIT (SPam over Internet
Telephony). A solution is presented below (with variations called weak, strong
and indirect).

Comments are appreciated.

Regards,
Pars Mutaf


1. Weak solution

I leave the IP address of my cell phone but not a SIP URI. An interested
party sends a request to my phone. My phone generates a random SIP URI and
returns a different SIP URI to each querier.

If I receive SPIT at the SIP URI 'x', then I can cancel it. Since each
querier is returned a different SIP URI, legitimate parties can continue to
call me or send SMS.

Since the SIP URI 'x' was canceled, a SPITer can request another one and
still send me SPIT. To avoid this attack, the querier can be required to
solve a hard challenge, e.g. a CAPTCHA. A SIP URI will be returned only after
the querier user has provided the solution. The difficulty of the CAPTCHA can
be adaptively tuned by the target host.

When done, i.e. the desired phone call has been received, the target user
can stop receiving requests at the indicated IP address.


2. Strong solution

I leave the IP address of my phone but not a SIP URI. I want to receive
phone calls or SMS only from people that I know. An interested party sends a
request to my phone. My phone displays a message with the requester's name,
e.g.:

    "Alice Collins requested phone number. Accept? [YES/NO]"

If I accept, my phone generates a random SIP URI and returns it to the querier.

This solution requires human name certification.

An attacker can send continuous bogus requests to the target IP address and
make the target phone continuously display the above message, annoying the
target user. This attack can be defeated by requiring the querier user to
solve a hard CAPTCHA before his request can be displayed on the target host's
screen. The difficulty of the CAPTCHA can be adaptively tuned by the target
host.


3. Indirect solution (using e-mail)

I leave the IP address of my cell phone and a randomly generated e-mail
address. The mobile host (cell phone) is its own mail server. The mail is
routed to the e-mail address at the indicated IP address.

The querier can send me an e-mail with a brief text explaining why a SIP URI
is requested. The e-mail content will be limited to several lines, reducing
the space for spam. E-mails containing a URL can be dropped by the host, since
the querier is not supposed to include a URL in a request for a SIP URI.
Similarly, e-mails containing an image can also be dropped.


==
Interested folks please subscribe to:
https://www1.ietf.org/mailman/listinfo/humanresolvers
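The per-querier SIP URI allocation of the weak solution (section 1 above), as an added example that is not part of the original post or of any IETF work. It stands in a hash-based proof-of-work puzzle for the CAPTCHA the post suggests, so that it runs unattended; the domain, the initial difficulty, and the step by which a SPIT report raises the difficulty are all assumptions of this example.

```python
# Added example (not from the post): one throwaway SIP URI per querier,
# revocable one at a time, with a hard challenge gating every request.
# The challenge is modelled as a hash-based proof-of-work puzzle (an
# assumption; the post suggests a CAPTCHA). Domain and tuning step are assumed.
import hashlib
import secrets

DOMAIN = "phone.example"  # assumed domain for the generated SIP URIs


def puzzle_ok(nonce: str, solution: int, difficulty: int) -> bool:
    """True if sha256(nonce:solution) starts with `difficulty` zero bits."""
    digest = hashlib.sha256(f"{nonce}:{solution}".encode()).digest()
    return (int.from_bytes(digest, "big") >> (256 - difficulty)) == 0


def solve_puzzle(nonce: str, difficulty: int) -> int:
    """Brute-force solver standing in for the querier's effort."""
    solution = 0
    while not puzzle_ok(nonce, solution, difficulty):
        solution += 1
    return solution


class PhoneUriAllocator:
    """Runs on the phone at the published IP address."""

    def __init__(self, domain: str = DOMAIN, difficulty: int = 4,
                 max_difficulty: int = 20, step: int = 2):
        self.domain = domain
        self.difficulty = difficulty      # current challenge hardness
        self.max_difficulty = max_difficulty
        self.step = step                  # how much one SPIT report raises it
        self.open = True                  # still answering address requests?
        self._pending = {}                # nonce -> difficulty it was issued at
        self._active = {}                 # live SIP URI -> querier label

    def new_challenge(self):
        """Issue a single-use nonce at the current difficulty (None if closed)."""
        if not self.open:
            return None
        nonce = secrets.token_hex(8)
        self._pending[nonce] = self.difficulty
        return nonce, self.difficulty

    def request_uri(self, querier: str, nonce: str, solution: int):
        """Return a fresh SIP URI for this querier, or None if the challenge
        is unknown, already used, or solved incorrectly."""
        difficulty = self._pending.pop(nonce, None)   # single use: replay fails
        if not self.open or difficulty is None:
            return None
        if not puzzle_ok(nonce, solution, difficulty):
            return None
        uri = f"sip:{secrets.token_urlsafe(12)}@{self.domain}"
        self._active[uri] = querier
        return uri

    def accepts(self, uri: str) -> bool:
        """Whether an incoming call or SMS to `uri` is still let through."""
        return uri in self._active

    def revoke(self, uri: str) -> None:
        """SPIT arrived at `uri`: cancel only that URI, leaving every other
        querier's URI valid, and make the next challenge harder."""
        self._active.pop(uri, None)
        self.difficulty = min(self.max_difficulty, self.difficulty + self.step)

    def close(self) -> None:
        """The awaited call came in: stop answering address requests."""
        self.open = False
```

Each nonce is consumed on first use, so a SPITer cannot reuse one solved puzzle to harvest several URIs; after a revocation the next puzzle costs more work. The strong solution of section 2 would keep the same allocator and replace the `puzzle_ok` check in `request_uri` with the owner's YES/NO answer to the displayed name.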

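The receiving side of the indirect solution (section 3 above), as an added example that is not part of the original post. The phone's own mail server screens a SIP URI request before the owner ever sees it: the mail must be addressed to the currently published random address, consist of a single text/plain part (so images, HTML and attachments are dropped), contain no URL, and fit in a few lines. The published address, the line limit and the sample messages are constructed for this example.

```python
# Added example (not from the post): screening SIP URI requests that arrive
# by e-mail at the phone's own mail server. Address, line limit and the
# sample messages below are constructed for this example.
import email
import re

MAX_LINES = 4   # assumed limit; the post only says "several lines"
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def screen_request(raw: bytes, published_address: str):
    """Return (accepted, reason) for one incoming SIP URI request."""
    msg = email.message_from_bytes(raw)
    if published_address.lower() not in msg.get("To", "").lower():
        return False, "not addressed to the published address"
    if msg.is_multipart() or msg.get_content_type() != "text/plain":
        return False, "not a single text/plain part"   # images, HTML, attachments
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    lines = [ln for ln in body.splitlines() if ln.strip()]
    if not lines:
        return False, "empty body"
    if len(lines) > MAX_LINES:
        return False, f"more than {MAX_LINES} lines"
    if URL_RE.search(body):
        return False, "contains a URL"
    return True, "ok"


PUBLISHED = "k7f3q2@[203.0.113.5]"   # constructed random address at the phone's IP

# Constructed sample messages
SAMPLE_OK = (
    b"From: alice@example.org\r\n"
    b"To: k7f3q2@[203.0.113.5]\r\n"
    b"Subject: about your bike ad\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Hi, I saw your ad for the bike.\r\n"
    b"Could I get a SIP URI to call you about it?\r\n"
)
SAMPLE_URL = SAMPLE_OK.replace(
    b"call you about it?", b"call? See http://cheap-meds.example/")
SAMPLE_LONG = SAMPLE_OK + b"line 3\r\nline 4\r\nline 5\r\n"
SAMPLE_IMAGE = (
    b"From: spit@example.net\r\n"
    b"To: k7f3q2@[203.0.113.5]\r\n"
    b"Content-Type: multipart/mixed; boundary=XX\r\n"
    b"\r\n"
    b"--XX\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"look at this\r\n"
    b"--XX\r\n"
    b"Content-Type: image/png\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"iVBORw0KGgo=\r\n"
    b"--XX--\r\n"
)
SAMPLE_WRONG_ADDRESS = SAMPLE_OK.replace(b"To: k7f3q2@", b"To: oldaddr@")


def screen_samples():
    """Run every sample through the screen; returns {name: (accepted, reason)}."""
    samples = {
        "ok": SAMPLE_OK, "url": SAMPLE_URL, "long": SAMPLE_LONG,
        "image": SAMPLE_IMAGE, "wrong_address": SAMPLE_WRONG_ADDRESS,
    }
    return {name: screen_request(raw, PUBLISHED) for name, raw in samples.items()}
```

Rejecting anything that is not a single text/plain part is the simplest way to honour the post's "drop e-mails containing an image" rule, since an image can only arrive as a separate MIME part; it also discards HTML bodies, which is where most spam hides links. Once the owner has handed out the SIP URI, the random address can be retired and a new one generated for the next posting.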
_______________________________________________
humanresolvers mailing list
humanresolvers@ietf.org
https://www1.ietf.org/mailman/listinfo/humanresolvers