Asterisk: Tools for peace and quiet

By Digium Webteam

The topic of VoIP spam comes up every few months, and how to use Asterisk to combat the incessant and annoying stream of telemarketers who (despite my addition to the do-not-call list) continue to call my various phone numbers with “auto warranty” offers, “who’s who” directory sales pitches, or other suitably vague and sleazy offers.  This year has been particularly bad, with political campaigns calling my line sometimes four or five times in an evening.  I’d not call this VoIP spam (or SPIT, or vSPAM, or whatever you want to call it) at this point – it’s just the same old telemarketing junk that is coming in over the PSTN and happens to be delivered via VoIP to my telephony devices by virtue of my connection to an ITSP.  Asterisk can help with this, but can it do more?

Using Asterisk as a first line of defense against telemarketers is an age-old trick – possibly one of the first things that it was used for, even!  Techniques haven’t advanced much for catching telemarketers other than the obvious searching for blocked caller IDs, or caller IDs which are obviously bogus.  You could create a whitelist of callers using the astdb or other database storage method, but that typically ends up annoying people to the point where it becomes a losing proposition when they can’t get through because they’re using a new number.  You could force callers to do some simple verification step via DTMF, but that also typically fails the “grandmother test.”

In the past, I’ve considered what could be done on a community basis to block spammers.  Others (Brett McDaniel, among others) have come up with ways of using Asterisk to create a communal blacklist, with various interface methods that Asterisk supports, including ENUM, PHP, or Curl.  These seem like interesting ideas, but there doesn’t appear to be enough interest or traction to really get going.  One site that has implemented this via AGI scripts is “whocalled.us”, which seems to have some traction in filtering certain PSTN phone numbers (aka: E.164 addresses), but I’ve not heard of anyone using them.  Why not?  These proposals seem like good ideas, and it’s quick enough with Asterisk to implement them.

I think it’s an interesting idea to use Asterisk as the base component for a widely distributed blacklist generation and lookup tool.  There are some significant hurdles that stand in the way of widespread adoption, but perhaps like email spam blacklists there is enough value that those obstacles will be surmounted for telemarketer blocking.  Harnessing the thousands of Asterisk systems out there, and creating a shared database of numbers that are “annoying” seems like a useful thing to do and have.  Crowdsourced call blocking – seems like it has the possibility of working, right?  I and the rest of the community are interested in hearing your experiences with blacklists on the asterisk-biz mailing list, if you’ve used them.

Lastly:  If you’re considering opening your Asterisk system up to accept inbound SIP calls (which is easy to set up) you may have a fear that random VoIP spammers will start calling your system and trying to sell you timeshares in the Maldives, as they will be attracted by the zero cost of IP telephony that doesn’t touch the PSTN at all.  To allay those fears:  I’ve had one of my Asterisk systems available as a SIP endpoint for about five years, and I can say that the number of spam calls I’ve received has been precisely zero.  It’s easy to implement basic identity verification steps in Asterisk (idea and code) but are they even required right now?  I don’t think so.  So don’t fear that problem yet – get your Asterisk system SIP-capable and on the Internet, so your email address is the same as your SIP address.  Let’s create a community that is interested in and capable of receiving calls first before figuring out how NOT to take inbound session requests.

John Todd

Asterisk Open Source Community Director


There Are 5 Comments

  • Brian Jones says:

    I have also been seeing unsecured Asterisk boxes being used like “open smtp relay” servers of old. For example, if an Asterisk box has a sip friend configured in sip.conf without a password, and say it’s a generic username that’s a four digit extension, people are running scripts to find these friends. Once they find such a friend they start using it to send telemarketing calls to the states, or credit card scams etc. Usually it’s not caught until someone calls the number that showed up in the caller id, which happens to be the caller id of the Company’s hijacked Asterisk box.

    Brian.
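A configuration audit for the condition described in the comment above, added here as an example (it is not code from the post, the commenters or the Asterisk project). It reads chan_sip-style `sip.conf` text, follows template inheritance, and reports accounts that have neither `secret` nor `md5secret`; the sample configuration, the function names and the choice to skip static-host peers are assumptions.

```python
import re

# Constructed sample sip.conf for the demonstration (not from the page).
SAMPLE_SIP_CONF = """\
[base](!)                ; template shared by the phones below
type=friend
host=dynamic
[1001](base)
secret=
[2002](base)
secret=constructed-long-random-secret
[trunk-out]
type=peer
host=198.51.100.7        ; static host, matched by address
"""

def parse_sections(text):
    """Return {name: (is_template, options)}; '(+)' additions are not handled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip ';' comments
        head = re.match(r"\[([^\]]+)\](?:\(([^)]*)\))?", line)
        if head:
            flags = [f.strip() for f in (head.group(2) or "").split(",")]
            current = {}
            for parent in flags:                     # inherit earlier templates
                current.update(sections.get(parent, (False, {}))[1])
            sections[head.group(1)] = ("!" in flags, current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """Return [(section, finding)] for accounts usable without a secret."""
    findings = []
    for name, (is_template, opts) in parse_sections(text).items():
        # Assumption: a type=peer entry with a static host is a trunk, so skip it.
        dynamic = opts.get("host") == "dynamic" or opts.get("type") in ("friend", "user")
        if is_template or "type" not in opts or not dynamic:
            continue
        if not (opts.get("secret") or opts.get("md5secret")):
            note = "; extension-style name" if re.fullmatch(r"\d{3,5}", name) else ""
            findings.append((name, "no secret or md5secret" + note))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_SIP_CONF))
```
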

  • John Laur says:

    There would be a better solution for blackholing E.164 addresses and SIP spam – DNS blackhole lists. RBL filters could be implemented with ENUM lookups against specific zones for E.164 numbers and via standard methods for IP addresses and done by DNS just as SMTP blackholing is done for spam e-mail RBLs. It would be generally faster, more efficient, and more scalable than an AGI. The difficulty would be getting sites like whocalled.us to publish their data in ENUM records. This type of solution would be effective (sometimes) at blocking telemarketing and the (rare) SIP telemarketing, but it would also take care of hosts known to be originating malicious SIP activity as mentioned by Brian Jones. I have seen such activity also — specifically targeting SIP registrations with simple default username/password combinations.

  • Are voice spammers able to spoof their caller-ID? If so, then it would circumvent any caller-id based filtering. Most email spam comes from spoofed email addresses.

  • jtodd says:

    Tristan – Yes, many voice spammers can spoof their caller ID. However, most don’t change their numbers to “legitimate” origin caller IDs, because that brings rapid fraud charges. Many will use “throwaway” caller IDs, but hopefully in a large enough community those numbers will be rapidly discovered and entered into our hypothetical database.

    John – DNS blackhole lists are what Brett talked about in his post, using ENUM-ish type technology, though it would be simple enough for a DNS RBL provider to create a shim that fetches numbers into the ENUM tree from some other APIs like HTTP. Interestingly, the people at 800notes.com and I are in a short conversation about what they might do for an API, but I don’t know where that will lead. Anyone want to pick up the flag for this?

    Brian – Simple dialplan security is a basic fundamental for any SIP gateway on the public internet. The good news is that security holes like that are VERY quickly solved, since PSTN termination costs money. SMTP was much more difficult to solve since poor security models didn’t have an obvious and immediate economic penalty.

  • MR.X says:

    Seeing that no one else has advertised an E.164 formatted telemarketer DNSBL, I started one about a year ago. Since I’m in the U.S., it really only covers North America, but it does have the correct “hooks” for the rest of the world if someone wants to offer such a list for other countries….
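The E.164 DNS blacklist lookup discussed in the comments, combined with the caller-ID sanity checks from the post, as an added example (not code from the post or from any commenter's service). The zone name is a placeholder, the sample zone data is constructed, and the use of the usual DNSBL convention (an A record in 127.0.0.0/8 means listed) with ENUM-style reversed-digit names is an assumption.

```python
import ipaddress
import re
import socket

# Placeholder zone: the page names no real E.164 blacklist zone.
DNSBL_ZONE = "e164bl.example.invalid"

def e164_to_dnsbl_name(number, zone=DNSBL_ZONE):
    """ENUM-style name: digits reversed, dot-separated, zone appended."""
    digits = re.sub(r"\D", "", number)
    if not digits or len(digits) > 15:       # E.164 allows at most 15 digits
        raise ValueError("not an E.164 number: %r" % (number,))
    return ".".join(reversed(digits)) + "." + zone

def is_listed(number, resolver=socket.gethostbyname, zone=DNSBL_ZONE):
    """DNSBL convention: an A record inside 127.0.0.0/8 means 'listed'."""
    try:
        answer = resolver(e164_to_dnsbl_name(number, zone))
    except (OSError, ValueError):            # NXDOMAIN, timeout, bad number
        return False                         # fail open: never block on error
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")

def screen_call(caller_id, resolver=socket.gethostbyname):
    """Classify an inbound caller ID as 'suspect', 'reject' or 'allow'."""
    digits = re.sub(r"\D", "", caller_id or "")
    if not digits or len(digits) > 15 or len(set(digits)) == 1:
        return "suspect"                     # blocked or obviously bogus ID
    return "reject" if is_listed(digits, resolver) else "allow"

# Constructed sample data: one number listed in the placeholder zone.
SAMPLE_ZONE = {e164_to_dnsbl_name("+15550100199"): "127.0.0.2"}

def sample_resolver(name):
    """Offline stand-in for DNS; unknown names behave like NXDOMAIN."""
    if name not in SAMPLE_ZONE:
        raise socket.gaierror("NXDOMAIN (constructed)")
    return SAMPLE_ZONE[name]

if __name__ == "__main__":
    for cid in ["+1 555 010 0199", "+1 555 010 0123", "", "0000000000"]:
        print(repr(cid), "->", screen_call(cid, sample_resolver))
```

Because a lookup failure is treated as "not listed", an unreachable blacklist never blocks a legitimate caller; an answer outside 127.0.0.0/8 (for example from a wildcard resolver) is also ignored.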
