[humanresolv] Fighting SPIT on a cell phone
"Pars Mutaf" <pars.mutaf@gmail.com> Tue, 08 January 2008 14:44 UTC
Message-ID: <18a603a60801080643h7b62d1e9xb9ed717e486bba35@mail.gmail.com>
Date: Tue, 08 Jan 2008 15:43:55 +0100
From: Pars Mutaf <pars.mutaf@gmail.com>
To: asrg@ietf.org
Cc: humanresolvers@ietf.org
Subject: [humanresolv] Fighting SPIT on a cell phone

[sorry for cross-posting]

Hello,

I want to leave my cell phone number (SIP URI) on a discussion forum, or web page, blog, craigslist etc. But wish to avoid SPIT (SPam over Internet Telephony). A solution is presented below (with variations called weak, strong and indirect).

Comments are appreciated.

Regards,
Pars Mutaf

1. Weak solution

I leave the IP address of my cell phone but not a SIP URI. Interested party sends a request to my phone. My phone generates a random SIP URI and returns a different SIP URI to each querier.

If I receive SPIT to the SIP URI 'x', then I can cancel it. Since each querier is returned a different SIP URI, legitimate parties can continue to call me or send SMS.

Since the SIP URI 'x' was canceled, a SPITer can request another one and still send me SPIT. To avoid this attack, the querier can be requested to solve a hard challenge e.g. a CAPTCHA. A SIP URI will be returned only after the querier user provided the solution. The difficulty of the CAPTCHA can be adaptively tuned by the target host.

When done, i.e. the desired phone call is received, the target user can stop receiving requests to the indicated IP address.

2. Strong solution

I leave the IP address of my phone but not a SIP URI. I want to receive phone calls or SMS only from people that I know. Interested party sends a request to my phone. My phone displays a message with the requester's name e.g.:

"Alice Collins requested phone number. Accept? [YES/NO]"

If I accept, my phone generates a random SIP URI and returns it to the querier. This solution requires human name certification.

An attacker can send continuous bogus requests to the target IP address and make the target phone continuously display the above message, annoying the target user. This attack can be defeated by requesting the querier user to solve a hard CAPTCHA before his request can be displayed at the target host's screen. The difficulty of the CAPTCHA can be adaptively tuned by the target host.

3. Indirect solution (using e-mail)

I leave the IP address of my cell phone and a randomly generated e-mail address. The mobile host (cell phone) is its own mail server. The mail is routed to the e-mail address at the indicated IP address.

The querier can send me an e-mail with a brief text explaining why a SIP URI is requested. The e-mail content will be limited to several lines, reducing space for spam. E-mails containing a URL can be dropped by the host since the querier is not supposed to indicate a URL to request a SIP URI. Similarly, emails containing an image can also be dropped.

==
Interested folks please subscribe to:
https://www1.ietf.org/mailman/listinfo/humanresolvers
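
The "weak solution" described in the message above, modelled from the phone's side as an added example (not code from the original post). The class and method names, the phone.example domain, the integer stand-in for a solved CAPTCHA, and the raise-by-one-per-cancellation tuning policy are all assumptions made for illustration.

```python
import secrets


class AliasIssuer:
    """Phone-side state: one random SIP URI per querier, individually cancellable."""

    def __init__(self, domain="phone.example", base_difficulty=1, max_difficulty=5):
        self.domain = domain              # hypothetical domain for generated URIs
        self.difficulty = base_difficulty  # challenge level currently demanded
        self.max_difficulty = max_difficulty
        self.active = {}                  # alias URI -> querier that obtained it
        self.accepting = True             # False once the user stops listening

    def request_alias(self, querier, solved_level):
        """Issue a fresh URI only if the querier solved a hard enough challenge.

        solved_level stands in for the verified difficulty of the CAPTCHA the
        querier solved; real CAPTCHA verification is outside this sketch.
        """
        if not self.accepting or solved_level < self.difficulty:
            return None
        alias = f"sip:{secrets.token_hex(8)}@{self.domain}"  # unguessable per querier
        self.active[alias] = querier
        return alias

    def accept_call(self, to_uri):
        """A call or SMS is delivered only if its target alias is still active."""
        return to_uri in self.active

    def report_spit(self, alias):
        """Cancel the abused alias and make the next request more expensive."""
        querier = self.active.pop(alias, None)
        if querier is not None:  # assumed policy: +1 per cancelled alias
            self.difficulty = min(self.difficulty + 1, self.max_difficulty)
        return querier

    def stop_listening(self):
        """The desired call arrived: stop answering alias requests."""
        self.accepting = False


def demo():
    # Constructed queriers (documentation address ranges).
    phone = AliasIssuer()
    good = phone.request_alias("198.51.100.7", solved_level=1)
    bad = phone.request_alias("203.0.113.9", solved_level=1)
    phone.report_spit(bad)  # SPIT arrived on this alias
    retry = phone.request_alias("203.0.113.9", solved_level=1)  # now too easy
    return good != bad, phone.accept_call(good), phone.accept_call(bad), retry
```

Cancelling one alias leaves every other querier's URI working, and the cancelled querier must solve a harder challenge before getting a new one.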