Don't fall prey to these methods of VoIP abuse


Voice over IP (VoIP) technology provides many advantages to companies and individuals over both traditional telephone services and traditional IP communications. But, like other technologies, it also brings with it the potential for abuse. And as more people implement VoIP, we can also expect more frequent exploitation of this potential.

One growing concern is the possibility that unwanted VoIP advertising messages — often referred to as spam over Internet telephony, or SPIT — will overwhelm IP voice systems, much as email spam has overwhelmed email messaging systems. Over the years, spam has reduced much of the functionality of email, with dozens, hundreds, and even thousands of unwanted messages clogging up servers and users' inboxes to the point of driving many users away from email entirely.

While SPIT hasn't yet become a major problem, experts anticipate that it could do so in the future, as the increasing popularity of VoIP makes it a more attractive target. Let's look at the potential misuses of VoIP and discuss how you can fight back.

How SPIT works
We've long had to deal with annoying telemarketers on our landlines, so how is SPIT different? The problem is that a VoIP line isn't just a telephone number — it's also an IP address.

Auto-diallers used by traditional telephone advertisers must dial each phone number separately. But VoIP spammers can do their dirty work much more efficiently: They can harvest a large number of IP addresses, record an advertising message, and then send the message to hundreds or thousands of VoIP voice mailboxes in bulk — just like email spammers.

In addition, it's more difficult to track the origin of VoIP calls vs. public switched telephone network (PSTN) calls, so spammers who are also scammers are harder to catch. And using a VoIP line, the spammer can call from anywhere in the world at a much lower cost than using traditional phone lines.

Why PSTN users aren't safe either
Of course, spammers using VoIP can also make calls to PSTN numbers, so the SPIT phenomenon poses a risk not just to VoIP users themselves, but to all telephone customers. In fact, VoIP users may actually be able to protect themselves more easily than PSTN users since VoIP services usually include free voice mail, caller ID, and other features that you may have to pay extra for with a PSTN line.

One danger of SPIT, for both VoIP and PSTN call recipients, is the possibility of flooding voice mailboxes with spam messages. Full voice mail boxes prevent legitimate callers from leaving messages, resulting in voice mail denial of service (DoS). With the potential to create much larger file sizes than email text spam, audio messages can take up a lot more storage space and overwhelm systems more quickly.

But SPIT isn't just about leaving messages — it's also about making live calls. Because these callers are difficult to trace and the calls cost little to make, there's a good possibility that phishers will latch onto VoIP to perpetrate their scams. Many people are more likely to trust a phone call claiming to be from a bank or credit card company than an email message, so this is another potential misuse of VoIP.

Of course, you can use features already included with most VoIP accounts to help control spam and phone phishing. For example, you can reject all messages that don't provide caller ID information.

The bad news is that it's possible to spoof caller ID to make a call look as if it's coming from a different source. In fact, caller ID spoofing is another misuse of VoIP that will benefit not just spammers but other malicious callers as well.

How caller ID spoofing works
Spoofing caller ID information has been possible for years, but it's much easier and less expensive to do it with VoIP. In fact, you don't even have to have a voice line yourself to take advantage of it.

Numerous websites offer fake caller ID services. At least one company offers a £5 "calling card" that you can use to dial a toll-free number, enter the number you want to call, and enter the caller ID info you want to display. In addition, instructions for spoofing caller ID information using a Linux computer running Asterisk PBX software are readily available on the Web.

Caller ID spoofing is particularly troubling because some credit card companies and banks rely on caller ID information to verify customers' identities. Spammers and scammers can also use it to disguise their identities. And since some systems will automatically allow voice mail access if you call from the phone number associated with the voice mail box, unauthorised persons can also use spoofed caller ID information to listen to someone else's voice mail.

What you can do about it
The good news is that VoIP spam, like email spam, will likely conform to certain patterns that systems can recognise, analyse, and filter. The technology also makes it possible to block calls from specific numbers or IP addresses.
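As an added illustration (not code from the article or from any vendor it names), the sketch below screens call-setup records using the three controls discussed here: a blocklist of source IP addresses and numbers, rejection of calls without caller ID, and detection of the bulk pattern in which one source reaches many different mailboxes within a short window. The record layout, thresholds, addresses and numbers are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample call-setup records: (epoch seconds, source IP, caller ID, callee).
SAMPLE_CALLS = (
    # One source reaching eight different mailboxes in 16 seconds (bulk pattern).
    [(1000 + 2 * i, "198.51.100.7", "+441632960001", f"ext{100 + i}") for i in range(8)]
    + [
        (1005, "192.0.2.10", "+441632960002", "ext100"),    # ordinary caller
        (1300, "192.0.2.10", "+441632960002", "ext101"),
        (1010, "192.0.2.20", None, "ext102"),               # caller ID withheld
        (1020, "203.0.113.50", "+441632960003", "ext103"),  # source already blocked
    ]
)

def screen_calls(calls, blocked_ips=frozenset({"203.0.113.50"}),
                 blocked_numbers=frozenset(), window=60, max_callees=5):
    """Return ([(ts, src, verdict), ...], flagged_sources) for the given calls."""
    recent = defaultdict(deque)   # source IP -> (ts, callee) pairs inside the window
    flagged = set()               # sources that exceeded the fan-out threshold
    verdicts = []
    for ts, src, caller_id, callee in sorted(calls, key=lambda c: c[0]):
        # Track fan-out per source IP, not per caller ID: the number shown
        # can be spoofed, so it is a weaker key than the network source.
        q = recent[src]
        q.append((ts, callee))
        while q[0][0] <= ts - window:
            q.popleft()
        if len({c for _, c in q}) > max_callees:
            flagged.add(src)

        if src in blocked_ips or caller_id in blocked_numbers:
            verdict = "reject: blocklist"
        elif not caller_id:
            verdict = "reject: no caller ID"
        elif src in flagged:
            verdict = "reject: bulk pattern"
        else:
            verdict = "accept"
        verdicts.append((ts, src, verdict))
    return verdicts, flagged

if __name__ == "__main__":
    results, flagged_sources = screen_calls(SAMPLE_CALLS)
    for ts, src, verdict in results:
        print(ts, src, verdict)
    print("flagged sources:", sorted(flagged_sources))
```

A source stays flagged once it crosses the threshold, so the first few calls of a burst still get through; lowering `max_callees` trades earlier blocking for more false positives on busy legitimate callers.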

It's likely that if — or really, when — SPIT becomes a problem, software companies will rush to offer solutions just as they have for email spam. In fact, a number of companies are already working on it.

Qovia, which makes enterprise-level VoIP management utilities, filed patent applications in 2004 for technology that would identify and block VoIP spam. And companies such as BorderWare offer SIP-aware proxies and firewalls designed to protect VoIP sessions against SPIT, caller ID spoofing, and other VoIP abuse.

Summary
VoIP can save organisations money and make calling more convenient, but like any other technology, it's bound to attract abuse and misuse. The bad news is that you don't even have to be a VoIP user to be a victim of VoIP misuse. The good news is that there are ways to thwart VoIP spam, caller ID spoofing, and other misuses of VoIP technology.
