Comments on: Asterisk: Tools for peace and quiet

By: jtodd

jtodd — Fri, 21 Nov 2008 08:18:36 +0000

Tristan – Yes, many voice spammers can spoof their caller ID. However, most don’t change their numbers to “legitimate” origin caller IDs, because that brings rapid fraud charges. Many will use “throwaway” caller IDs, but hopefully in a large enough community those numbers will be rapidly discovered and entered into our hypothetical database.

John – DNS blackhole lists are what Brett talked about in his post, using ENUM-ish type technology, though it would be simple enough for a DNS RBL provider to create a shim that fetches numbers into the ENUM tree from some other APIs like HTTP. Interestingly, the people at 800notes.com and I are in a short conversation about what they might do for an API, but I don’t know where that will lead. Anyone want to pick up the flag for this?

Brian – Simple dialplan security is a basic fundamental for any SIP gateway on the public internet. The good news is that security holes like that are VERY quickly solved, since PSTN termination costs money. SMTP was much more difficult to solve since poor security models didn’t have an obvious and immediate economic penalty.

By: Tristan Rhodes

Tristan Rhodes — Tue, 18 Nov 2008 15:57:31 +0000

Are voice spammers able to spoof their caller-ID? If so, then it would circumvent any caller-id based filtering. Most email spam comes from spoofed email addresses.

By: John Laur

John Laur — Wed, 12 Nov 2008 16:22:34 +0000

There would be a better solution for blackholing E.164 addresses and SIP spam – DNS blackhole lists. RBL filters could be implemented with ENUM lookups against specific zones for E.164 numbers and via standard methods for IP addresses and done by DNS just as SMTP blackholing is done for spam e-mail RBL’s. It would be generally faster, more efficient, and more scalable than an AGI. The difficulty would be getting sites like whocalled.us to publish their data in ENUM records. This type of solution would be effective (sometimes) at blocking telemarketing and the (rare) SIP telemarketing, but it would also take care of hosts known to be originating malicious SIP activity as mentioned by Brian Jones. I have seen such activity also — specifically targeting SIP registrations with simple default username/password combinations.

By: Brian Jones

Brian Jones — Tue, 11 Nov 2008 14:54:11 +0000

I have also been seeing insecured Asterisk boxes being used like “open smtp relay” servers of old. For example, if a Asterisk box has a sip friend configured in sip.conf without a password, and say it’s a generic username that’s a four digit extension, people are running scripts to find these friends. Once they find such a friend they start using it to send telemarketing calls to the states, or credit card scams etc. Usually it’s not caught until someone calls the number that showed up in the caller id, which happens to be the caller id of the Company’s hijacked Asterisk box.

Brian.