I was lurking around the net, and since Spam and Spim (Spam over Instant Messengers) are already pretty much talked-about subjects here on AO, I thought I'd give SPIT a try and gather some info on the subject, as well as useful tools and papers.

SPIT means Spam over Internet Telephony, and could easily be translated into VoIP Spamming.
We all get spam msgs on our emails, but nowadays there are all sorts of filters/blockers and proggies that block this kind of unsolicited message...
When you think about VoIP usage on an everyday home basis, voice spam might sound *just* like an inconvenience, but this market has grown a lot over the past years (VoIP Gateways grew over $3 billion in just 5 years) and although there are still some impediments to bringing it to a full corporate environment, soon enough IP PBX equipment will substitute companies' internal communications - voice spam on an enterprise level sounds like havoc to me.

The exponential growth of VoIP and the fact that you can make actual voice contact for free (most VoIP to VoIP comms are free, but VoIP to Phone usually co$ts you something), associated with the ability to send over 1000 messages per minute, will surely turn many Spammers/Scammers into SPITers some time soon - in the U.S. alone, it's estimated that by 2008 there will be over 17.5 million users, creating a big victim database.

So what can you do to prevent having your mailbox filled with penile/inkjet/nigeria_money_scams messages?

[*] You could set whatever program you use to only allow incoming calls from people on your allowed list, but there are several ways your VoIP app can be compromised and turned into a SPITer itself (some security issues derive from its reliance on the IP infrastructure, but you could start by compromising the OS and move from there);

[*] VoIP apps do offer encryption, but some make it easy for spammers by applying weak encryption, thus allowing phone calls to be listened to or redirected;

[*] Use some tools that offer reliable solutions:
Qovia - offers a filter that, based on the frequency and duration of the calls, labels them as SPIT calls and removes them;

Zfone - very good encryption-wise, works with different VoIP clients for MacOS and Linux (WinXP soon).

This topic has been approached by SDK, but I think developing the subject more would be useful.


I didn't post this in the Tutorials because I think it's too large of a subject to tut about (maybe later I'll divide it into different approaches such as 'Hacking a VoIP app into a SPITer', 'OS security related issues and how they can compromise your VoIP', 'Eavesdrop prevention', 'Different proggies text/voice/video encryption capabilities' to mention a few... - it's on the to-do list).

My goal here is to share what little info I gathered on SPIT (what is/usage/prevention) and hope to get some feedback on your experiences on the subject (if it has stung you, if you've had to set up a corporate VoIP environment - what you did to prevent SPIT, and so on...).
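
Added example (not part of the original post, and not Qovia's actual algorithm): a small Python filter that applies the frequency-and-duration idea from the tools list, combined with the allowed list from the first bullet, to constructed call records. The record layout, thresholds and `example.invalid` caller IDs are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Assumed thresholds (illustrative only, not taken from any product).
WINDOW_SECONDS = 60        # sliding window used to measure call frequency
MAX_CALLS_PER_WINDOW = 5   # more calls than this inside one window is suspicious
MIN_MEDIAN_DURATION = 10   # seconds; assumes bulk calls are cut off quickly

def peak_calls_in_window(start_times, window=WINDOW_SECONDS):
    """Largest number of calls that start inside any `window`-second span."""
    times = sorted(start_times)
    peak = left = 0
    for right, t in enumerate(times):
        while t - times[left] >= window:   # drop calls older than the window
            left += 1
        peak = max(peak, right - left + 1)
    return peak

def classify_callers(cdrs, allow_list=frozenset()):
    """Map each caller to a verdict, given (caller, start_epoch, duration_s) records."""
    by_caller = defaultdict(list)
    for caller, start, duration in cdrs:
        by_caller[caller].append((start, duration))

    verdicts = {}
    for caller, calls in by_caller.items():
        if caller in allow_list:           # allowed-list callers are never flagged
            verdicts[caller] = "allowed"
            continue
        peak = peak_calls_in_window([s for s, _ in calls])
        med = median(d for _, d in calls)
        # Require BOTH signals so a busy caller with long calls is not flagged.
        is_spit = peak > MAX_CALLS_PER_WINDOW and med < MIN_MEDIAN_DURATION
        verdicts[caller] = "spit" if is_spit else "ok"
    return verdicts

# Constructed sample call records: (caller, start time in s, duration in s).
SAMPLE_CDRS = (
    [("sip:bulk@example.invalid", 1000 + 3 * i, 4) for i in range(20)]
    + [("sip:helpdesk@example.invalid", 1000 + 8 * i, 240) for i in range(8)]
    + [("sip:alice@example.invalid", 1000, 95), ("sip:alice@example.invalid", 5000, 30)]
    + [("sip:notify@example.invalid", 2000 + 2 * i, 3) for i in range(10)]
)

if __name__ == "__main__":
    allow = {"sip:notify@example.invalid"}
    for caller, verdict in classify_callers(SAMPLE_CDRS, allow).items():
        print(f"{verdict:8} {caller}")
```

The `notify` caller shows why the allowed list matters: without it, a legitimate high-volume, short-call source is indistinguishable from SPIT under these two signals alone.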