The topic of VoIP spam comes up every few months, and how to use Asterisk to combat the incessant and annoying stream of telemarketers who (despite my addition to the do-not-call list) continue to call my various phone numbers with “auto warranty” offers, “who’s who” directory sales pitches, or other suitably vague and sleazy offers. This year has been particularly bad, with political campaigns calling my line sometimes four or five times in an evening. I’d not call this VoIP spam (or SPIT, or vSPAM, or whatever you want to call it) at this point – it’s just the same old telemarketing junk that is coming in over the PSTN and happens to be delivered via VoIP to my telephony devices by virtue of my connection to an ITSP. Asterisk can help with this, but can it do more?
Using Asterisk as a first line of defense against telemarketers is an age-old trick – possibly one of the first things that it was used for, even! Techniques haven’t advanced much for catching telemarketers other than the obvious searching for blocked caller IDs, or caller IDs which are obviously bogus. You could create a whitelist of callers using the astdb or other database storage method, but that typically ends up annoying people to the point where it becomes a losing proposition when they can’t get through because they’re using a new number. You could force callers to do some simple verification step via DTMF, but that also typically fails the “grandmother test.”
In the past, I’ve considered what could be done on a community basis to block spammers. Others (Brett McDaniel, among others) have come up with ways of using Asterisk to create a communal blacklist, with various interface methods that Asterisk supports including ENUM, or PHP, or Curl. These seem like interesting ideas, but there doesn’t appear to be enough interest or traction to really get going. One location that has implemented this via AGI scripts is “whocalled.us” which seems to have some traction in filtering certain PSTN phone numbers (aka: E.164 addresses) but I’ve not heard of anyone using them. Why not? These proposals seem like good ideas, and it’s quick enough with Asterisk to implement them.
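As an added illustration (not code from the original post or from whocalled.us), the screening techniques described above can be combined into one decision function that an AGI script could call with the caller ID Asterisk hands it. The sample numbers, the report threshold, the NANP-only handling of numbers without a leading `+`, and the ring/challenge/reject policy are all assumptions made for this example.

```python
import re

# Constructed sample data; in a deployment these would come from astdb or a
# shared lookup service (an assumption, not something the post specifies).
WHITELIST = {"+12565550100"}
SHARED_BLACKLIST = {"+18005550199": 14, "+12025550143": 2}  # number -> reports
REPORT_THRESHOLD = 5  # hypothetical: reports needed before a number is blocked
ANONYMOUS = {"", "anonymous", "unknown", "restricted", "private", "unavailable"}


def normalize(raw, default_cc="1"):
    """Return the caller ID as E.164, or None if it cannot be a real number."""
    digits = re.sub(r"\D", "", raw)
    if not raw.strip().startswith("+"):
        if len(digits) == 10:
            digits = default_cc + digits  # national NANP format
        elif not (len(digits) == 11 and digits.startswith("1")):
            return None
    # E.164 allows at most 15 digits; a single repeated digit is filler.
    if not 8 <= len(digits) <= 15 or len(set(digits)) == 1:
        return None
    # NANP: area code and exchange must both start with 2-9.
    if digits.startswith("1") and not re.fullmatch(r"1[2-9]\d{2}[2-9]\d{6}", digits):
        return None
    return "+" + digits


def screen(callerid_num):
    """Tell the dialplan what to do: 'ring', 'challenge' or 'reject'."""
    if callerid_num is None or callerid_num.strip().lower() in ANONYMOUS:
        return "challenge"  # blocked caller ID: require a DTMF step first
    number = normalize(callerid_num)
    if number is None:
        return "reject"  # obviously bogus caller ID
    if number in WHITELIST:
        return "ring"
    if SHARED_BLACKLIST.get(number, 0) >= REPORT_THRESHOLD:
        return "reject"  # enough community reports
    return "ring"  # unknown but plausible: new numbers still get through


if __name__ == "__main__":
    for cid in ["Anonymous", "0000000000", "(800) 555-0199", "2025550143"]:
        print(repr(cid), "->", screen(cid))
```

Only blocked caller IDs are sent to the DTMF challenge here, so ordinary callers with a new number are not put through the step that fails the “grandmother test.”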
I think it’s an interesting idea to use Asterisk as the base component for a widely distributed blacklist generation and lookup tool. There are some significant hurdles that stand in the way of widespread adoption, but perhaps like email spam blacklists there is enough value that those obstacles will be surmounted for telemarketer blocking. Harnessing the thousands of Asterisk systems out there, and creating a shared database of numbers that are “annoying” seems like a useful thing to do and have. Crowdsourced call blocking – seems like it has the possibility of working, right? I and the rest of the community are interested in hearing your experiences with blacklists on the asterisk-biz mailing list, if you’ve used them.
Lastly: If you’re considering opening your Asterisk system up to accept inbound SIP calls (which is easy to set up) you may have a fear that random VoIP spammers will start calling your system and trying to sell you timeshares in the Maldives, as they will be attracted by the zero cost of IP telephony that doesn’t touch the PSTN at all. To allay those fears: I’ve had one of my Asterisk systems available as a SIP endpoint for about five years, and I can say that the number of spam calls I’ve received has been precisely zero. It’s easy to implement basic identity verification steps in Asterisk (idea and code) but are they even required right now? I don’t think so. So don’t fear that problem yet – get your Asterisk system SIP-capable and on the Internet, so your email address is the same as your SIP address. Let’s create a community that is interested in and capable of receiving calls first before figuring out how NOT to take inbound session requests.
Asterisk Open Source Community Director