draft-ietf-sipping-spam-04.txt   draft-ietf-sipping-spam-05.txt 
SIPPING J. Rosenberg SIPPING J. Rosenberg
Internet-Draft C. Jennings Internet-Draft C. Jennings
Expires: August 30, 2007 Cisco Intended status: Informational Cisco
February 26, 2007 Expires: January 10, 2008 July 9, 2007
The Session Initiation Protocol (SIP) and Spam The Session Initiation Protocol (SIP) and Spam
draft-ietf-sipping-spam-04 draft-ietf-sipping-spam-05
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 34 skipping to change at page 1, line 34
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 30, 2007. This Internet-Draft will expire on January 10, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2007).
Abstract Abstract
Spam, defined as the transmission of bulk unsolicited messages, has Spam, defined as the transmission of bulk unsolicited messages, has
plagued Internet email. Unfortunately, spam is not limited to email. plagued Internet email. Unfortunately, spam is not limited to email.
It can affect any system that enables user to user communications. It can affect any system that enables user to user communications.
skipping to change at page 2, line 20 skipping to change at page 2, line 20
2. Problem Definition . . . . . . . . . . . . . . . . . . . . . . 3 2. Problem Definition . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Call Spam . . . . . . . . . . . . . . . . . . . . . . . . 4 2.1. Call Spam . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2. IM Spam . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.2. IM Spam . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3. Presence Spam . . . . . . . . . . . . . . . . . . . . . . 7 2.3. Presence Spam . . . . . . . . . . . . . . . . . . . . . . 7
3. Solution Space . . . . . . . . . . . . . . . . . . . . . . . . 8 3. Solution Space . . . . . . . . . . . . . . . . . . . . . . . . 8
3.1. Content Filtering . . . . . . . . . . . . . . . . . . . . 8 3.1. Content Filtering . . . . . . . . . . . . . . . . . . . . 8
3.2. Black Lists . . . . . . . . . . . . . . . . . . . . . . . 9 3.2. Black Lists . . . . . . . . . . . . . . . . . . . . . . . 9
3.3. White Lists . . . . . . . . . . . . . . . . . . . . . . . 9 3.3. White Lists . . . . . . . . . . . . . . . . . . . . . . . 9
3.4. Consent-Based Communications . . . . . . . . . . . . . . . 10 3.4. Consent-Based Communications . . . . . . . . . . . . . . . 10
3.5. Reputation Systems . . . . . . . . . . . . . . . . . . . . 12 3.5. Reputation Systems . . . . . . . . . . . . . . . . . . . . 12
3.6. Address Obfuscation . . . . . . . . . . . . . . . . . . . 13 3.6. Address Obfuscation . . . . . . . . . . . . . . . . . . . 14
3.7. Limited Use Addresses . . . . . . . . . . . . . . . . . . 14 3.7. Limited Use Addresses . . . . . . . . . . . . . . . . . . 14
3.8. Turing Tests . . . . . . . . . . . . . . . . . . . . . . . 15 3.8. Turing Tests . . . . . . . . . . . . . . . . . . . . . . . 15
3.9. Computational Puzzles . . . . . . . . . . . . . . . . . . 16 3.9. Computational Puzzles . . . . . . . . . . . . . . . . . . 17
3.10. Payments at Risk . . . . . . . . . . . . . . . . . . . . . 17 3.10. Payments at Risk . . . . . . . . . . . . . . . . . . . . . 17
3.11. Legal Action . . . . . . . . . . . . . . . . . . . . . . . 18 3.11. Legal Action . . . . . . . . . . . . . . . . . . . . . . . 18
3.12. Circles of Trust . . . . . . . . . . . . . . . . . . . . . 19 3.12. Circles of Trust . . . . . . . . . . . . . . . . . . . . . 19
3.13. Centralized SIP Providers . . . . . . . . . . . . . . . . 19 3.13. Centralized SIP Providers . . . . . . . . . . . . . . . . 19
4. Authenticated Identity in Email . . . . . . . . . . . . . . . 20 4. Authenticated Identity in Email . . . . . . . . . . . . . . . 20
4.1. Sender Checks . . . . . . . . . . . . . . . . . . . . . . 20 4.1. Sender Checks . . . . . . . . . . . . . . . . . . . . . . 21
4.2. Signature-Based Techniques . . . . . . . . . . . . . . . . 21 4.2. Signature-Based Techniques . . . . . . . . . . . . . . . . 21
5. Authenticated Identity in SIP . . . . . . . . . . . . . . . . 21 5. Authenticated Identity in SIP . . . . . . . . . . . . . . . . 22
6. Framework for Anti-Spam in SIP . . . . . . . . . . . . . . . . 23 6. Framework for Anti-Spam in SIP . . . . . . . . . . . . . . . . 23
7. Additional Work . . . . . . . . . . . . . . . . . . . . . . . 24 7. Additional Work . . . . . . . . . . . . . . . . . . . . . . . 24
8. Security Considerations . . . . . . . . . . . . . . . . . . . 24 8. Security Considerations . . . . . . . . . . . . . . . . . . . 24
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 24 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 24
11. Informative References . . . . . . . . . . . . . . . . . . . . 24 11. Informative References . . . . . . . . . . . . . . . . . . . . 25
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 27 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 27
Intellectual Property and Copyright Statements . . . . . . . . . . 28 Intellectual Property and Copyright Statements . . . . . . . . . . 28
1. Introduction 1. Introduction
Spam, defined as the transmission of bulk unsolicited email, has been Spam, defined as the transmission of bulk unsolicited email, has been
a plague on the Internet email system, rendering it nearly useless. a plague on the Internet email system. Many solutions have been
Many solutions have been documented and deployed to counter the documented and deployed to counter the problem. None of these
problem. None of these solutions is ideal. However, one thing is solutions is ideal. However, one thing is clear: the spam problem
clear: the spam problem would be much less significant had solutions would be much less significant had solutions been deployed
been deployed ubiquitously before the problem became widespread. ubiquitously before the problem became widespread.
The Session Initiation Protocol (SIP) [2] is used for multimedia The Session Initiation Protocol (SIP) [2] is used for multimedia
communications between users, including voice, video, instant communications between users, including voice, video, instant
messaging and presence. Consequently, it can be just as much of a messaging and presence. Consequently, it can be just as much of a
target for spam as email. To deal with this, solutions need to be target for spam as email. To deal with this, solutions need to be
defined and recommendations put into place for dealing with spam as defined and recommendations put into place for dealing with spam as
soon as possible. soon as possible.
This document serves to meet those goals by defining the problem This document serves to meet those goals by defining the problem
space more concretely, analyzing the applicability of solutions used space more concretely, analyzing the applicability of solutions used
skipping to change at page 3, line 40 skipping to change at page 3, line 40
to further elaborate on it here. The question, however, is what is to further elaborate on it here. The question, however, is what is
the meaning of spam when applied to SIP? Since SIP covers a broad the meaning of spam when applied to SIP? Since SIP covers a broad
range of functionality, there appear to be three related but range of functionality, there appear to be three related but
different manifestations: different manifestations:
Call Spam: This type of spam is defined as a bulk unsolicited set of Call Spam: This type of spam is defined as a bulk unsolicited set of
session initiation attempts (i.e., INVITE requests), attempting to session initiation attempts (i.e., INVITE requests), attempting to
establish a voice, video, instant messaging [1] or other type of establish a voice, video, instant messaging [1] or other type of
communications session. If the user should answer, the spammer communications session. If the user should answer, the spammer
proceeds to relay their message over the real time media. This is proceeds to relay their message over the real time media. This is
the classic telemarketer spam, applied to SIP. the classic telemarketer spam, applied to SIP. This is often
called SPam over Ip Telephony or SPIT.
IM Spam: This type of spam is similar to email. It is defined as a IM Spam: This type of spam is similar to email. It is defined as a
bulk unsolicited set of instant messages, whose content contains bulk unsolicited set of instant messages, whose content contains
the message that the spammer is seeking to convey. IM spam is the message that the spammer is seeking to convey. IM spam is
most naturally sent using the SIP MESSAGE [3] request. However, most naturally sent using the SIP MESSAGE [3] request. However,
any other request which causes content to automatically appear on any other request which causes content to automatically appear on
the user's display will also suffice. That might include INVITE the user's display will also suffice. That might include INVITE
requests with large Subject headers (since the Subject is requests with large Subject headers (since the Subject is
sometimes rendered to the user), or INVITE requests with text or sometimes rendered to the user), or INVITE requests with text or
HTML bodies. HTML bodies. This is often called SPam over Instant Messaging or
SPIM.
Presence Spam: This type of spam is similar to IM spam. It is Presence Spam: This type of spam is similar to IM spam. It is
defined as a bulk unsolicited set of presence requests (i.e., defined as a bulk unsolicited set of presence requests (i.e.,
SUBSCRIBE requests [4] for the presence event package [6]), in an SUBSCRIBE requests [4] for the presence event package [6]), in an
attempt to get on the "buddy list" or "white list" of a user in attempt to get on the "buddy list" or "white list" of a user in
order to send them IM or initiate other forms of communications. order to send them IM or initiate other forms of communications.
This is occasionally called SPam over Presence Protocol or SPPP.
There are many other SIP messages that a spammer might send. There are many other SIP messages that a spammer might send.
However, most of the other ones do not result in content being However, most of the other ones do not result in content being
delivered to a user, nor do they seek input from a user. Rather, delivered to a user, nor do they seek input from a user. Rather,
they are answered by automata. OPTIONS is a good example of this. they are answered by automata. OPTIONS is a good example of this.
There is little value for a spammer in sending an OPTIONS request, There is little value for a spammer in sending an OPTIONS request,
since it is answered automatically by the UAS. No content is since it is answered automatically by the UAS. No content is
delivered to the user, and they are not consulted. delivered to the user, and they are not consulted.
In the sections below, we consider the likelihood of these various In the sections below, we consider the likelihood of these various
skipping to change at page 4, line 37 skipping to change at page 4, line 39
Will call spam occur? That is an important question to answer. Will call spam occur? That is an important question to answer.
Clearly, it does occur in the existing telephone network, in the form Clearly, it does occur in the existing telephone network, in the form
of telemarketer calls. Although these calls are annoying, they do of telemarketer calls. Although these calls are annoying, they do
not arrive in the same kind of volume as email spam. The difference not arrive in the same kind of volume as email spam. The difference
is cost; it costs more for the spammer to make a phone call than it is cost; it costs more for the spammer to make a phone call than it
does to send email. This cost manifests itself in terms of the cost does to send email. This cost manifests itself in terms of the cost
for systems which can perform telemarketer call, and in cost per for systems which can perform telemarketer call, and in cost per
call. call.
Both of these costs are substantially reduced by SIP. A SIP call Both of these costs are substantially reduced by SIP. A SIP call
spam application is easy to write. It is just a UAC that initiates, spam application is easy to write. It is just a SIP User Agent that
in parallel, a large number of calls. If a call connects, the spam initiates, in parallel, a large number of calls. If a call connects,
application generates an ACK and proceeds to play out a recorded the spam application generates an ACK and proceeds to play out a
announcement, and then it terminates the call. This kind of recorded announcement, and then it terminates the call. This kind of
application can be built entirely in software, using readily application can be built entirely in software, using readily
available (and indeed, free) off the shelf components. It can run on available (and indeed, free) off the shelf software components. It
a low end PC and requires no special expertise to execute. can run on a low end PC and requires no special expertise to execute.
The cost per call is also substantially reduced. A normal The cost per call is also substantially reduced. A normal
residential phone line allows only one call to be placed at a time. residential phone line allows only one call to be placed at a time.
If additional lines are required, a user must purchase more expensive If additional lines are required, a user must purchase more expensive
connectivity. Typically, a T1 or T3 would be required for a large connectivity. Typically, a T1 or T3 would be required for a large
volume telemarketing service. That kind of access is very expensive volume telemarketing service. That kind of access is very expensive
and well beyond the reach of an average user. A T1 line is and well beyond the reach of an average user. A T1 line is
approximately US $250 per month, and about 1.5 cents per minute for approximately US $250 per month, and about 1.5 cents per minute for
calls. T1 lines used only for outbound calls (such as in this case) calls. T1 lines used only for outbound calls (such as in this case)
are even more expensive than inbound trunks due to the reciprocal are even more expensive than inbound trunks due to the reciprocal
termination charges that a provider pays and receives. termination charges that a provider pays and receives.
There are two aspects to the capacity: the call attempt rate, and the There are two aspects to the capacity: the call attempt rate, and the
number of simultaneous successful calls that can be in progress. A number of simultaneous successful calls that can be in progress. A
T1 would allow a spammer at most 24 simultaneous calls, and assuming T1 would allow a spammer at most 24 simultaneous calls, and assuming
about 10s for each call attempt, about 2.4 call attempts per second. about 10 seconds for each call attempt, about 2.4 call attempts per
At high volume calling, the per-minute rates far exceed the flat second. At high volume calling, the per-minute rates far exceed the
monthly fee for the T1. The result is a cost of 250,000 microcents flat monthly fee for the T1. The result is a cost of 250,000
for each successful spam delivery, assuming 10s of content. microcents for each successful spam delivery, assuming 10 seconds of
content.
With SIP, this cost is much reduced. Consider a spammer using a With SIP, this cost is much reduced. Consider a spammer using a
typical broadband Internet connection that provides 500Kbps of typical broadband Internet connection that provides 500Kbps of
upstream bandwidth. Initiating a call requires just a single INVITE upstream bandwidth. Initiating a call requires just a single INVITE
message. Assuming, for simplicity's sake, that this is 1kB, a message. Assuming, for simplicity's sake, that this is 1 KB, a 500
500Kbps upstream DSL or cable modem connection will allow about 62 Kbps upstream DSL or cable modem connection will allow about 62 call
call attempts per second. A successful call requires enough attempts per second. A successful call requires enough bandwidth to
bandwidth to transmit a message to the receiver. Assuming a low transmit a message to the receiver. Assuming a low compression codec
compression codec (say, G.723.1 at 5.6 Kbps), as many as 90 (say, G.723.1 at 5.6 Kbps), as many as 46 simultaneous calls can be
simultaneous calls can be in progress. With 10s of content per call, in progress. With 10 seconds of content per call, that allows for
that allows for 9 successful call attempts per second. This means 4.6 successful call attempts per second. This means that a system
that a system could deliver a voice message successfully to users at could deliver a voice message successfully to users at a rate of
a rate of around 9 per second. If broadband access is around $50/ around 9 per second. If broadband access is around $50/month, the
month, the cost per successful voice spam is about 215 microcents cost per successful voice spam is about 415 microcents each. This
each. This assumes that calls can be made 24 hours a day, which may assumes that calls can be made 24 hours a day, which may or may not
or may not be the case. be the case.
These figures indicate that SIP call spam is roughly three orders of These figures indicate that SIP call spam is roughly three orders of
magntiude cheaper to send than traditional circuit-based telemarketer magnitude cheaper to send than traditional circuit-based telemarketer
calls. This low cost is certainly going to be very attractive to calls. This low cost is certainly going to be very attractive to
spammers. Indeed, many spammers utilize computational and bandwidth spammers. Indeed, many spammers utilize computational and bandwidth
resources provided by others, by infecting their machines with resources provided by others, by infecting their machines with
viruses that turn them into "zombies" that can be used to generate viruses that turn them into "zombies" that can be used to generate
spam. This can reduce the cost of call spam to nearly zero. spam. This can reduce the cost of call spam to nearly zero.
Even ignoring the zombie issue, this reduction in cost is even more Even ignoring the zombie issue, this reduction in cost is even more
amplified for international calls. Currently, there is very little amplified for international calls. Currently, there is very little
telemarketing calls across international borders, largely due to the telemarketing calls across international borders, largely due to the
large cost of making international calls. This is one of the reasons large cost of making international calls. This is one of the reasons
skipping to change at page 6, line 18 skipping to change at page 6, line 22
merit further discussion. Currently, most VoIP calls terminate on merit further discussion. Currently, most VoIP calls terminate on
the Public Switched Telephone Network (PSTN), and this termination the Public Switched Telephone Network (PSTN), and this termination
costs the originator of the call money. These costs are similar to costs the originator of the call money. These costs are similar to
the per-minute rates of a T1. It ranges anywhere from half a cent to the per-minute rates of a T1. It ranges anywhere from half a cent to
three cents per minute, depending on volume and other factors. three cents per minute, depending on volume and other factors.
However, equipment costs, training and other factors are much lower However, equipment costs, training and other factors are much lower
for SIP-based termination than a T1, making the cost still lower than for SIP-based termination than a T1, making the cost still lower than
circuit connectivity. Furthermore, the current trend in VoIP systems circuit connectivity. Furthermore, the current trend in VoIP systems
is to make termination free for calls that never touch the PSTN, that is to make termination free for calls that never touch the PSTN, that
is, calls to actual SIP endpoints. Thus, as more and more SIP is, calls to actual SIP endpoints. Thus, as more and more SIP
endpoints come online (there are probably around 5 million endpoints come online, termination costs will probably drop. Until
addressable SIP endpoints on the Internet as of writing), termination then, SIP spam can be used in concert with termination services for a
costs will probably drop. Until then, SIP spam can be used in lower cost form of traditional telemarketer calls, made to normal
concert with termination services for a lower cost form of PSTN endpoints.
traditional telemarketer calls, made to normal PSTN endpoints.
It is useful to compare these figures with email. VoIP can deliver It is useful to compare these figures with email. VoIP can deliver
approximately 9 successful call attempts per second. Email spam can, approximately 9 successful call attempts per second. Email spam can,
of course, deliver more. Assuming 1 kB per email, and an upstream of course, deliver more. Assuming 1 KB per email, and an upstream
link of 500 kbps, a spammer can generate 62.5 messages per second. link of 500 Kbps, a spammer can generate 62.5 messages per second.
This number goes down with larger messages of course. Interestingly, This number goes down with larger messages of course. Interestingly,
spam filters delete large numbers of these mails, so the cost per spam filters delete large numbers of these mails, so the cost per
viewed message is likely to be much higher. In that sense, call spam viewed message is likely to be much higher. In that sense, call spam
is much more attractive, since its content is much more likely to be is much more attractive, since its content is much more likely to be
examined by a user if a call attempt is successful. examined by a user if a call attempt is successful.
Another part of the cost of spamming is collecting addresses. Another part of the cost of spamming is collecting addresses.
Spammers have, over time, built up immense lists of email addresses, Spammers have, over time, built up immense lists of email addresses,
each of the form user@domain, to which spam is directed. SIP uses each of the form user@domain, to which spam is directed. SIP uses
the same form of addressing, making it likely that email addresses the same form of addressing, making it likely that email addresses
skipping to change at page 7, line 8 skipping to change at page 7, line 8
not hard to do so. Furthermore, unlike email addresses, phone not hard to do so. Furthermore, unlike email addresses, phone
numbers are a finite address space and one that is fairly densely numbers are a finite address space and one that is fairly densely
packed. As a result, going sequentially through phone numbers is packed. As a result, going sequentially through phone numbers is
likely to produce a fairly high hit rate. Thus, it seems like the likely to produce a fairly high hit rate. Thus, it seems like the
cost is relatively low for a spammer to obtain large numbers of SIP cost is relatively low for a spammer to obtain large numbers of SIP
addresses to which spam can be directed. addresses to which spam can be directed.
2.2. IM Spam 2.2. IM Spam
IM spam is very much like email, in terms of the costs for deploying IM spam is very much like email, in terms of the costs for deploying
and generating spam. Assuming, for the sake of argument, a 1kB and generating spam. Assuming, for the sake of argument, a 1KB
message to be sent and 500 Kbps of upstream bandwidth, thats 62 message to be sent and 500 Kbps of upstream bandwidth, thats 62
messages per second. At $50/month, the result is 31 microcents per messages per second. At $50/month, the result is 31 microcents per
message. This is less than voice spam, but not substantially less. message. This is less than voice spam, but not substantially less.
The cost is probably on par with email spam. However, IM is much The cost is probably on par with email spam. However, IM is much
more intrusive than email. In today's systems, IMs automatically pop more intrusive than email. In today's systems, IMs automatically pop
up and present themselves to the user. Email, of course, must be up and present themselves to the user. Email, of course, must be
deliberately selected and displayed. However, many IM systems employ deliberately selected and displayed. However, most popular IM
white lists, which only allow IM to be delivered if the sender is on systems employ white lists, which only allow IM to be delivered if
the white list. Thus, whether or not IM spam will be useful seems to the sender is on the white list. Thus, whether or not IM spam will
depend a lot on the nature of the systems as the network is opened be useful seems to depend a lot on the nature of the systems as the
up. If they are ubiquitously deployed with white-list access, the network is opened up. If they are ubiquitously deployed with white-
value of IM spam is likely to be low. list access, the value of IM spam is likely to be low.
It is important to point out that there are two different types of IM It is important to point out that there are two different types of IM
systems. Page mode IM systems work much like email, with each IM systems: page mode and session mode. Page mode IM systems work much
being sent as a separate message. In session mode IM, there is like email, with each IM being sent as a separate message. In
signaling in advance of communication to establish a session, and session mode IM, there is signaling in advance of communication to
then IMs are exchanged, perhaps point-to-point, as part of the establish a session, and then IMs are exchanged, perhaps point-to-
session. The modality impacts the types of spam techniques that can point, as part of the session. The modality impacts the types of
be applied. Techniques for email can be applied identically to page spam techniques that can be applied. Techniques for email can be
mode IM, but session mode IM is more like telephony, and many applied identically to page mode IM, but session mode IM is more like
techniques (such as content filtering) are harder to apply. telephony, and many techniques (such as content filtering) are harder
to apply.
2.3. Presence Spam 2.3. Presence Spam
As defined above, presence spam is the generation of bulk unsolicited As defined above, presence spam is the generation of bulk unsolicited
SUBSCRIBE messages. What would be the effect of such spam? Most SUBSCRIBE messages. The cost of this is within a small constant
presence systems provide some kind of consent framework. A watcher factor of IM spam so the same cost estimates can be used here. What
that has not been granted permission to see the user's presence will would be the effect of such spam? Most presence systems provide some
not gain access to their presence. However, the presence request is kind of consent framework. A watcher that has not been granted
usually noted and conveyed to the user, allowing them to approve or permission to see the user's presence will not gain access to their
deny the request. In SIP, this is done using the watcherinfo event presence. However, the presence request is usually noted and
package [7]. This package allows a user to learn the identity of the conveyed to the user, allowing them to approve or deny the request.
watcher, in order to make an authorization decision. In SIP, this is done using the watcherinfo event package [7]. This
package allows a user to learn the identity of the watcher, in order
to make an authorization decision.
Interestingly, this provides a vehicle for conveying information to a Interestingly, this provides a vehicle for conveying information to a
user. By generating SUBSCRIBE requests from identities such as user. By generating SUBSCRIBE requests from identities such as
sip:please-buy-my-product@spam.example.com, brief messages can be sip:please-buy-my-product@spam.example.com, brief messages can be
conveyed to the user, even though the sender does not have, and never conveyed to the user, even though the sender does not have, and never
will receive, permission to access presence. As such, presence spam will receive, permission to access presence. As such, presence spam
can be viewed as a form of IM spam, where the amount of content to be can be viewed as a form of IM spam, where the amount of content to be
conveyed is limited. The limit is equal to the amount of information conveyed is limited. The limit is equal to the amount of information
generated by the watcher that gets conveyed to the user through the generated by the watcher that gets conveyed to the user through the
permission system. permission system.
skipping to change at page 8, line 45 skipping to change at page 8, line 48
speech recognition on a recording in order to perform such an speech recognition on a recording in order to perform such an
analysis, it would be easy for the spammers to make calls with analysis, it would be easy for the spammers to make calls with
background noises, poor grammar and varied accents, all of which will background noises, poor grammar and varied accents, all of which will
throw off recognition systems. Video recognition is even harder to throw off recognition systems. Video recognition is even harder to
do and remains primarily an area of research. do and remains primarily an area of research.
IM spam, due to its similarity to email, can be countered with IM spam, due to its similarity to email, can be countered with
content analysis tools. Indeed, the same tools and techniques used content analysis tools. Indeed, the same tools and techniques used
for email will directly work for IM spam. for email will directly work for IM spam.
Content filtering will not help for presence spam because by Content filtering is unlikely to help for presence spam because it
definition, a request subscribing for the presence of a user will be can only be applied to the relative name being used to display the
devoid of any content. requester of the presence information.
3.2. Black Lists 3.2. Black Lists
Black listing is an approach whereby the spam filter maintains a list Black listing is an approach whereby the spam filter maintains a list
of addresses that identify spammers. These addresses include both of addresses that identify spammers. These addresses include both
usernames (spammer@example.com) and entire domains (example.com). usernames (spammer@example.com) and entire domains (example.com).
Pure blacklists are not very effective in email for two reasons. Pure blacklists are not very effective in email for two reasons.
First, email addresses are easy to spoof, making it easy for the First, email addresses are easy to spoof, making it easy for the
sender to pretend to be someone else. If the sender varies the sender to pretend to be someone else. If the sender varies the
addresses they send from, the black list becomes almost completely addresses they send from, the black list becomes almost completely
useless. The second problem is that, even if the sender doesn't useless. The second problem is that, even if the sender doesn't
forge the from address, email addresses are in almost limitless forge the from address, email addresses are in almost limitless
supply. Each domain contains an infinite supply of email addresses, supply. Each domain contains an infinite supply of email addresses,
and new domains can be obtained for very low cost. Furthermore, and new domains can be obtained for very low cost. Furthermore,
there will always be public providers that will allow users to obtain there will always be public providers that will allow users to obtain
identities for almost no cost (for example, Yahoo or AOL mail identities for almost no cost (for example, Yahoo or AOL mail
accounts). The entire domain cannot be blacklisted because it accounts). The entire domain cannot be blacklisted because it
contains so many valid users. Blacklisting needs to be for contains so many valid users. Blacklisting needs to be for
individual users. Those identities are easily changed. individual users. Those identities are easily changed.
As a result, as long as identities are easy to manufacture, black As a result, as long as identities are easy to manufacture, or
lists will have limited effectiveness for email. zombies are used, black lists will have limited effectiveness for
email.
Blacklists are also likely to be ineffective for SIP spam. Blacklists are also likely to be ineffective for SIP spam.
Fortunately, SIP has much stronger mechanisms for inter-domain Mechanisms for inter-domain authenticated identity for email and sip
authenticated identity than email has (see Section 5). Assuming are discussed in Section 4 and Section 5. Assuming these mechanisms
these mechanisms are used and enabled in inter-domain communications, are used and enabled in inter-domain communications, it becomes
it becomes nearly impossible to forge sender addresses. However, it difficult to forge sender addresses. However, it still remains cheap
still remains cheap to obtain a nearly infinite supply of addresses. to obtain a nearly infinite supply of addresses.
3.3. White Lists 3.3. White Lists
White lists are the opposite of black lists. It is a list of valid White lists are the opposite of black lists. It is a list of valid
senders that a user is willing to accept email from. Unlike black senders that a user is willing to accept email from. Unlike black
lists, a spammer can not change identities to get around the white lists, a spammer can not change identities to get around the white
list. White lists are susceptible to address spoofing, but a strong list. White lists are susceptible to address spoofing, but a strong
identity authentication mechanism can prevent that problem. As a identity authentication mechanism can prevent that problem. As a
result, the combination of white lists and strong identity are a good result, the combination of white lists and strong identity, as
form of defense against spam. described in Section 4.2 and Section 5, are a good form of defense
against spam.
However, they are not a complete solution, since they would prohibit However, they are not a complete solution, since they would prohibit
a user from ever being able to receive email from someone who was not a user from ever being able to receive email from someone who was not
explicitly put on the white list. As a result, white lists require a explicitly put on the white list. As a result, white lists require a
solution to the "introduction problem" - how to meet someone for the solution to the "introduction problem" - how to meet someone for the
first time, and decide whether they should be placed in the white first time, and decide whether they should be placed in the white
list. In addition to the introduction problem, white lists demand list. In addition to the introduction problem, white lists demand
time from the user to manage. time from the user to manage.
In IM systems, white lists have proven exceptionally useful at In IM systems, white lists have proven exceptionally useful at
preventing spam. This is due, in no small part, to the fact that the preventing spam. This is due, in no small part, to the fact that the
white list exists naturally in the form of the buddy list. Users white list exists naturally in the form of the buddy list. Users
don't have to manage this list just for the purposes of spam don't have to manage this list just for the purposes of spam
prevention; it provides general utility, and assists in spam prevention; it provides general utility, and assists in spam
prevention for free. IM systems also have strong identity mechanisms prevention for free. Many popular IM systems also have strong
due to their closed nature. The introduction problem in these identity mechanisms since they do not allow communications with IM
systems is solved with a consent framework, described below. systems in other administrative domains. The introduction problem in
these systems is solved with a consent framework, described below.
The success of white lists in IM systems has applicability to SIP as The success of white lists in IM systems has applicability to SIP as
well, more so than email. This is because SIP also provides a buddy well. This is because SIP also provides a buddy list concept and has
list concept and has an advanced presence system as part of its an advanced presence system as part of its specifications. The
specifications. Second, unlike email, but like IM systems, SIP can introduction problem remains. In email, techniques like the Turing
provide a much more secure form of authenticated identity, even for tests have been employed for this purpose. Those are considered
inter-domain communications. As a result, the problem of forged further in the sections below. As with email, a technique for
senders can be eliminated, making the white list solution feasible. solving the introduction problem would need to be applied in
The introduction problem remains, however. In email, techniques like
the Turing tests have been employed for this purpose. Those are
considered further in the sections below. As with email, a technique
for solving the introduction problem would need to be applied in
conjunction with a white list. conjunction with a white list.
If a user's computer is compromised and used a zombie, that computer
can usually be used to send spam to anyone that has put the user on
their white list.
3.4. Consent-Based Communications 3.4. Consent-Based Communications
A consent-based solution is used in conjunction with white or black A consent-based solution is used in conjunction with white or black
lists. That is, if user A is not on user B's white or black list, lists. That is, if user A is not on user B's white or black list,
and user A attempts to communicate with user B, user A's attempt is and user A attempts to communicate with user B, user A's attempt is
initially rejected, and they are told that consent is being initially rejected, and they are told that consent is being
requested. Next time user B connects, user B is informed that user A requested. Next time user B connects, user B is informed that user A
had attempted communications. User B can then authorize or reject had attempted communications. User B can then authorize or reject
user A. user A.
These kinds of consent-based systems are used widely in presence and These kinds of consent-based systems are used widely in presence and
IM but not in email. This is likely due to the need for a secure IM. Since most of today's popular IM systems only allow
authenticated identity mechanism, which is a pre-requisite for this communications within a single administrative domain, sender
kind of solution. Since most of today's IM systems are closed, identities can be authenticated. Email often uses similar consent
sender identities can be authenticated. based systems for mailing lists. They use a form of authentication
based on sending cookies to an email address to verify that a user
can receive mail at that address.
This kind of consent-based communications has been standardized in This kind of consent-based communications has been standardized in
SIP for presence, using the watcher information event package [7] and SIP for presence, using the watcher information event package [7] and
data format [8], which allow a user to find out that someone has data format [8], which allow a user to find out that someone has
subscribed. Then, the XML Configuration Access Protocol (XCAP) [10] subscribed. Then, the XML Configuration Access Protocol (XCAP) [10]
is used, along with the XML format for presence authorization [11] to is used, along with the XML format for presence authorization [11] to
provide permission for the user to communicate. provide permission for the user to communicate.
A consent framework has also been developed that is applicable to A consent framework has also been developed that is applicable to
other forms of SIP communications [12]. However, this framework other forms of SIP communications [12]. However, this framework
skipping to change at page 11, line 27 skipping to change at page 11, line 31
might instead be filled with requests for communications from a might instead be filled with requests for communications from a
multiplicity of users. Those requests for communications don't multiplicity of users. Those requests for communications don't
convey much useful content to the user, but they can convey some. At convey much useful content to the user, but they can convey some. At
the very least, they will convey the identity of the requester. The the very least, they will convey the identity of the requester. The
user part of the SIP URI allows for limited freeform text, and thus user part of the SIP URI allows for limited freeform text, and thus
could be used to convey brief messages. One can imagine receiving could be used to convey brief messages. One can imagine receiving
consent requests with identities like consent requests with identities like
"sip:please-buy-my-product-at-this-website@spam.example.com", for "sip:please-buy-my-product-at-this-website@spam.example.com", for
example. Fortunately, it is possible to apply traditional content example. Fortunately, it is possible to apply traditional content
filtering systems to the header fields in the SIP messages, thus filtering systems to the header fields in the SIP messages, thus
blocking these kinds of consent requests. reducing these kinds of consent request attacks.
In order for the spammer to convey more extensive content to the In order for the spammer to convey more extensive content to the
user, the user must explicitly accept the request, and only then can user, the user must explicitly accept the request, and only then can
the spammer convey the full content. This is unlike email spam, the spammer convey the full content. This is unlike email spam,
where, even though much spam is automatically deleted, some where, even though much spam is automatically deleted, some
percentage of the content does get through, and is seen by users, percentage of the content does get through, and is seen by users,
without their explicit consent that they want to see it. Thus, if without their explicit consent that they want to see it. Thus, if
consent is required first, and nearly all users do not give consent consent is required first, the value in sending spam is reduced, and
to spammers, the value in sending spam is reduced, and perhaps it perhaps it will cease for those spam cases where consent is not given
will cease. to spammers.
As such, the real question is whether or not the consent system would As such, the real question is whether or not the consent system would
make it possible for a user to give consent to non-spammers and make it possible for a user to give consent to non-spammers and
reject spammers. Authenticated identity can help. A user in an reject spammers. Authenticated identity can help. A user in an
enterprise would know to give consent to senders in other enterprises enterprise would know to give consent to senders in other enterprises
in the same industry, for example. However, in the consumer space, in the same industry, for example. However, in the consumer space,
if sip:bob@example.com tries to communicate with a user, how does if sip:bob@example.com tries to communicate with a user, how does
that user determine whether bob is a spammer or a long-lost friend that user determine whether bob is a spammer or a long-lost friend
from high school? There is no way based on the identity alone. In from high school? There is no way based on the identity alone. In
such a case, a useful technique is to grant permission for bob to such a case, a useful technique is to grant permission for bob to
skipping to change at page 11, line 49 skipping to change at page 12, line 4
As such, the real question is whether or not the consent system would As such, the real question is whether or not the consent system would
make it possible for a user to give consent to non-spammers and make it possible for a user to give consent to non-spammers and
reject spammers. Authenticated identity can help. A user in an reject spammers. Authenticated identity can help. A user in an
enterprise would know to give consent to senders in other enterprises enterprise would know to give consent to senders in other enterprises
in the same industry, for example. However, in the consumer space, in the same industry, for example. However, in the consumer space,
if sip:bob@example.com tries to communicate with a user, how does if sip:bob@example.com tries to communicate with a user, how does
that user determine whether bob is a spammer or a long-lost friend that user determine whether bob is a spammer or a long-lost friend
from high school? There is no way based on the identity alone. In from high school? There is no way based on the identity alone. In
such a case, a useful technique is to grant permission for bob to such a case, a useful technique is to grant permission for bob to
communicate but to ensure that the permission is extremely limited. communicate but to ensure that the permission is extremely limited.
In particular, bob may be granted permission to send no more than 200 In particular, bob may be granted permission to send no more than 200
words of text in a single IM, which he can use to identify himself, words of text in a single IM, which he can use to identify himself,
so that the user can determine whether or not more permissions are so that the user can determine whether or not more permissions are
appropriate. However, this 200 words of text may be enough for a appropriate. It may even be possible that an automated system could
spammer to convey their message, in much the same way they might do some form of content analysis on this initial short message.
convey it in the user part of the SIP URI. However, this 200 words of text may be enough for a spammer to convey
their message, in much the same way they might convey it in the user
part of the SIP URI.
Thus, it seems that a consent-based framework, along with white lists Thus, it seems that a consent-based framework, along with white lists
and black lists, cannot fully solve the problem for SIP, although it and black lists, cannot fully solve the problem for SIP, although it
does appear to help. does appear to help.
3.5. Reputation Systems 3.5. Reputation Systems
A reputation system is also used in conjunction with white or black A reputation system is also used in conjunction with white or black
lists. Assume that user A is not on user B's white list, and A lists. Assume that user A is not on user B's white list, and A
attempts to contact user B. If a consent-based system is used, B is attempts to contact user B. If a consent-based system is used, B is
skipping to change at page 12, line 36 skipping to change at page 12, line 42
Reputation is calculated based on user feedback. For example, a Reputation is calculated based on user feedback. For example, a
button on the user interface of the messaging client might empower button on the user interface of the messaging client might empower
users to inform the system that a particular user is abusive. Of users to inform the system that a particular user is abusive. Of
course, the input of any single user has to be insufficient to ruin course, the input of any single user has to be insufficient to ruin
one's reputation, but consistent negative feedback would give the one's reputation, but consistent negative feedback would give the
abusive user a negative reputation score. abusive user a negative reputation score.
Reputation systems have been successful in systems where Reputation systems have been successful in systems where
centralization of resources (user identities, authentication, etc.) centralization of resources (user identities, authentication, etc.)
and monolithic control dominate. Examples of these include the large and monolithic control dominate. Examples of these include the large
instant messaging providers that run closed, proprietary networks. instant messaging providers that run IM system that do not exchange
That control, first of all, provides a relatively strong identity messages with other administrative domains. That control, first of
assertion for users (since all users trust a common provider, and the all, provides a relatively strong identity assertion for users (since
common provider is the arbiter of authentication and identity). all users trust a common provider, and the common provider is the
Secondly, it provides a single place where reputation can be managed. arbiter of authentication and identity). Secondly, it provides a
single place where reputation can be managed.
Reputation systems based on negative reputation scores suffer from Reputation systems based on negative reputation scores suffer from
many of the same problems as black lists, since effectively the many of the same problems as black lists, since effectively the
consequence of having a negative reputation is that you are consequence of having a negative reputation is that you are
blacklisted. If identities are very easy to acquire, a user with a blacklisted. If identities are very easy to acquire, a user with a
negative reputation will simply acquire a new one. Moreover, negative reputation will simply acquire a new one. Moreover,
negative reputation is generated by tattling, which requires users to negative reputation is generated by tattling, which requires users to
be annoyed enough to click the warning button. Additionally, it can be annoyed enough to click the warning button. Additionally, it can
be abused. In some reputation systems, "reputation mafias" be abused. In some reputation systems, "reputation mafias"
consisting of large numbers of users routinely bully or extort consisting of large numbers of users routinely bully or extort
victims by threatening collectively to grant victims a negative victims by threatening collectively to give victims a negative
reputation. reputation.
Reputation systems based on positive reputation, where users praise Reputation systems based on positive reputation, where users praise
each other for being good, rather than tattling on each other for each other for being good, rather than tattling on each other for
being bad, have some similar drawbacks. Collectives of spammers, or being bad, have some similar drawbacks. Collectives of spammers, or
just one spammer who acquires a large number identities, could praise just one spammer who acquires a large number identities, could praise
one another in order to create an artificial positive reputation. one another in order to create an artificial positive reputation.
Users similarly have to overcome the inertia required to press the Users similarly have to overcome the inertia required to press the
"praise" button. Unlike negative reputation systems, however, "praise" button. Unlike negative reputation systems, however,
positive reputation is not circumvented when users require a new positive reputation is not circumvented when users require a new
skipping to change at page 13, line 40 skipping to change at page 13, line 46
reputation system. Your perception of a particular user's reputation reputation system. Your perception of a particular user's reputation
might be dependent on your relationship to them in the social might be dependent on your relationship to them in the social
network: are they one buddy removed (strong reputation), four buddies network: are they one buddy removed (strong reputation), four buddies
removed (weaker reputation), three buddies removed but connected to removed (weaker reputation), three buddies removed but connected to
you through several of your buddies, etc. This web of trust you through several of your buddies, etc. This web of trust
furthermore would have the very desirable property that circles of furthermore would have the very desirable property that circles of
spammers adding one another to their own buddylists would not affect spammers adding one another to their own buddylists would not affect
your perception of their reputation unless their circle linked to your perception of their reputation unless their circle linked to
your own social network. your own social network.
If a users machine is compromised and turned into a zombie, this
allows SPAM to be sent and may impact their reputation in a negative
way. Once their reputation decreases, it becomes extremely difficult
to reestablish a positive reputation.
3.6. Address Obfuscation 3.6. Address Obfuscation
Spammers build up their spam lists by gathering email addresses from Spammers build up their spam lists by gathering email addresses from
web sites and other public sources of information. One way to web sites and other public sources of information. One way to
prevent spam is to make your address difficult or impossible to minimize spam is to make your address difficult or impossible to
gather. Spam bots typically look for text in pages of the form gather. Spam bots typically look for text in pages of the form
"user@domain", and assume that anything of that form is an email "user@domain", and assume that anything of that form is an email
address. To hide from such spam bots, many websites have recently address. To hide from such spam bots, many websites have recently
begun placing email addresses in an obfuscated form, usable to humans begun placing email addresses in an obfuscated form, usable to humans
but difficult for an automata to read as an email address. Examples but difficult for an automata to read as an email address. Examples
include forms such as, "user at example dot com" or "j d r o s e n a include forms such as, "user at example dot com" or "j d r o s e n a
t e x a m p l e d o t c o m". t e x a m p l e d o t c o m".
These techniques are equally applicable to prevention of SIP spam, These techniques are equally applicable to prevention of SIP spam,
and are likely to be as equally effective or ineffective in its and are likely to be as equally effective or ineffective in its
skipping to change at page 15, line 6 skipping to change at page 15, line 20
email address can be obfuscated and be of single use, different for email address can be obfuscated and be of single use, different for
each buddy who requests your presence. They can also be constantly each buddy who requests your presence. They can also be constantly
changed, as these changes are pushed directly to your buddies. In a changed, as these changes are pushed directly to your buddies. In a
sense, the buddy list represents an automatically updated address sense, the buddy list represents an automatically updated address
book, and would therefore eliminate the problem. book, and would therefore eliminate the problem.
Another approach is to give a different address to each and every Another approach is to give a different address to each and every
correspondent, so that it is never necessary to tell a "good" user correspondent, so that it is never necessary to tell a "good" user
that an address needs to be changed. This is an extreme form of that an address needs to be changed. This is an extreme form of
limited use addresses, which can be called a single-use address. limited use addresses, which can be called a single-use address.
Mechanisms are available in SIP for the generation of [17] an Mechanisms are available in SIP for the generation of [16] an
infinite supply of single use addresses. However, the hard part infinite supply of single use addresses. However, the hard part
remains a useful mechanism for distribution and management of those remains a useful mechanism for distribution and management of those
addresses. addresses.
3.8. Turing Tests 3.8. Turing Tests
In email, Turing tests are those solutions whereby the sender of the In email, Turing tests are those solutions whereby the sender of the
message is given some kind of puzzle or challenge, which only a human message is given some kind of puzzle or challenge, which only a human
can answer. These tests are also known as captchas (Completely can answer (since Turing tests rely on video or audio puzzles, they
Automated Public Turing test to tell Computers and Humans Apart). If sometimes cannot be solved by individuals with handicaps). These
the puzzle is answered correctly, the sender is placed on the user's tests are also known as captchas (Completely Automated Public Turing
white list. These puzzles frequently take the form of recognizing a test to tell Computers and Humans Apart). If the puzzle is answered
word or sequence of numbers in an image with a lot of background correctly, the sender is placed on the user's white list. These
noise. The tests need to be designed such that automata cannot puzzles frequently take the form of recognizing a word or sequence of
easily perform the image recognition needed to extract the word or numbers in an image with a lot of background noise. The tests need
number sequence, but a human user usually can. Designing such tests to be designed such that automata cannot easily perform the image
is not easy, since ongoing advances in image processing an artificial recognition needed to extract the word or number sequence, but a
intelligence continually raise the bar. Consequently, the human user usually can. Designing such tests is not easy, since
effectiveness of captchas are tied to whether spammers can come up ongoing advances in image processing and artificial intelligence
with or obtain algorithms for automatically solving them. Since continually raise the bar. Consequently, the effectiveness of
Turing tests rely on video or audio puzzles, they sometimes cannot be captchas are tied to whether spammers can come up with or obtain
solved by individuals with handicaps. algorithms for automatically solving them.
Like many of the other email techniques, Turing tests are dependent Like many of the other email techniques, Turing tests are dependent
on sender identity, which cannot easily be authenticated in email. on sender identity, which cannot easily be authenticated in email.
Turing tests can be used to prevent IM spam, in much the same way Turing tests can be used to prevent IM spam in much the same way they
they can be used to prevent email spam. Indeed, the presence strong can be used to prevent email spam.
authenticated identity techniques in SIP will make such a Turing test
approach more effective in SIP than in email.
Turing tests can be applied to call spam as well, although not Turing tests can be applied to call spam as well, although not
directly, because call spam does not usually involve the transfer of directly, because call spam does not usually involve the transfer of
images and other content that can be used to verify that a human is images and other content that can be used to verify that a human is
on the other end. If most of the calls are voice, the technique on the other end. If most of the calls are voice, the technique
needs to be adapted to voice. This is not that difficult to do. needs to be adapted to voice. This is not that difficult to do.
Here is how it could be done. User A calls user B and is not on user Here is how it could be done. User A calls user B and is not on user
B's white or black list. User A is transferred to an IVR system. B's white or black list. User A is transferred to an Interactive
The IVR system tells the user that they are going to hear a series of Voice Response (IVR) system. The IVR system tells the user that they
numbers (say 5 of them), and that they have to enter those numbers on are going to hear a series of numbers (say 5 of them), and that they
the keypad. The IVR system reads out the numbers while background have to enter those numbers on the keypad. The IVR system reads out
music is playing, making it difficult for an automated speech the numbers while background music is playing, making it difficult
recognition system to be applied to the media. The user then enters for an automated speech recognition system to be applied to the
the numbers on their keypad. If they are entered correctly, the user media. The user then enters the numbers on their keypad. If they
is added to the whitelist. are entered correctly, the user is added to the white list.
This kind of voice-based Turing test is easily extended to a variety This kind of voice-based Turing test is easily extended to a variety
of media, such as video and text, and user interfaces by making use of media, such as video and text, and user interfaces by making use
of the SIP application interaction framework [14]. This framework of the SIP application interaction framework [14]. This framework
allows client devices to interact with applications in the network, allows client devices to interact with applications in the network,
where such interaction is done with stimulus signaling, including where such interaction is done with stimulus signaling, including
keypads (supported with the Keypad Markup Language [15]), but also keypads (supported with the Keypad Markup Language [15]), but also
including web browsers, voice recognition, and so on. The framework including web browsers, voice recognition, and so on. The framework
allows the application to determine the media capabilities of the allows the application to determine the media capabilities of the
device (or user, in cases where they are handicapped) and interact device (or user, in cases where they are handicapped) and interact
skipping to change at page 16, line 26 skipping to change at page 16, line 37
In the case of voice, the Turing test would need to be made to run in In the case of voice, the Turing test would need to be made to run in
the language of the caller. This is possible in SIP, using the the language of the caller. This is possible in SIP, using the
Accept-Language header field, though this is not widely used at the Accept-Language header field, though this is not widely used at the
moment, and meant for languages of SIP message components, not the moment, and meant for languages of SIP message components, not the
media streams. media streams.
The primary problem with the voice Turing test is the same one that The primary problem with the voice Turing test is the same one that
email tests have: instead of having an automata process the test, a email tests have: instead of having an automata process the test, a
spammer can pay cheap workers to take the tests. Assuming cheap spammer can pay cheap workers to take the tests. Assuming cheap
labor in a poor country can be obtained for about 60 cents per hour, labor in a poor country can be obtained for about 60 cents per hour,
and assuming a Turing test of 30 second duration, this is about 50 and assuming a Turing test of 30 second duration, this is about 0.50
cents per test and thus 50 cents per message to send an IM spam. cents per test and thus 0.50 cents per message to send an IM spam.
Lower labor rates would reduce this further; the number quoted here Lower labor rates would reduce this further; the number quoted here
is based on real online bids in September of 2006 made for actual is based on real online bids in September of 2006 made for actual
work of this type. work of this type.
As an alternative to paying cheap workers to take the tests, the As an alternative to paying cheap workers to take the tests, the
tests can be taken by human users that are tricked into completing tests can be taken by human users that are tricked into completing
the tests in order to gain access to what they believe is a the tests in order to gain access to what they believe is a
legitimate resource. This was done by a spambot that posted the legitimate resource. This was done by a spambot that posted the
tests on a pornography site, and required users to complete the tests tests on a pornography site, and required users to complete the tests
in order to gain access to content. in order to gain access to content.
skipping to change at page 17, line 12 skipping to change at page 17, line 24
One of the problems with the technique is that there is wide One of the problems with the technique is that there is wide
variation in the computational power of the various clients that variation in the computational power of the various clients that
might legitimately communicate. The CPU speed on a low end cell might legitimately communicate. The CPU speed on a low end cell
phone is around 50 MHz, while a high end PC approaches 5 GHz. This phone is around 50 MHz, while a high end PC approaches 5 GHz. This
represents almost two orders of magnitude difference. Thus, if the represents almost two orders of magnitude difference. Thus, if the
test is designed to be reasonable for a cell phone to perform, it is test is designed to be reasonable for a cell phone to perform, it is
two orders of magnitude cheaper to perform for a spammer on a high two orders of magnitude cheaper to perform for a spammer on a high
end machine. Recent research has focused on defining computational end machine. Recent research has focused on defining computational
puzzles that challenge the CPU/memory bandwidth, as opposed to just puzzles that challenge the CPU/memory bandwidth, as opposed to just
the CPU [23]. It seems that there is less variety in the CPU/memory the CPU [26]. It seems that there is less variety in the CPU/memory
bandwidth across devices, roughly a single order of magnitude. bandwidth across devices, roughly a single order of magnitude.
Recent work [25] suggests that, due to the ability of spammers to use Recent work [28] suggests that, due to the ability of spammers to use
virus-infected machines (also known as zombies) to generate the spam, virus-infected machines (also known as zombies) to generate the spam,
the amount of computational power available to the spammers is the amount of computational power available to the spammers is
substantial, and it may be impossible to have them compute a puzzle substantial, and it may be impossible to have them compute a puzzle
that is sufficiently hard that will not also block normal emails. that is sufficiently hard that will not also block normal emails. If
However, if combined with white listing, the computational puzzles combined with white listing, computational puzzles would only be
only become needed for validating new communication partners. The utilized for new communications partners. Of course, if the partner
on the white list is a zombie, spam will come from that source. The
frequency of communications with new partners is arguably higher for frequency of communications with new partners is arguably higher for
email than for multimedia, and thus the computational puzzle email than for multimedia, and thus the computational puzzle
techniques may be more effective for SIP than for email in dealing techniques may be more effective for SIP than for email in dealing
with the introduction problem. with the introduction problem.
These techniques are an active area of research right now, and any These techniques are an active area of research right now, and any
results for email are likely to be usable for SIP. results for email are likely to be usable for SIP.
3.10. Payments at Risk 3.10. Payments at Risk
This approach has been proposed for email [24]. When user A sends This approach has been proposed for email [27]. When user A sends
email to user B, user A deposits a small amount of money (say, one email to user B, user A deposits a small amount of money (say, one
dollar) into user B's account. If user B decides that the message is dollar) into user B's account. If user B decides that the message is
not spam, user B refunds this money back to user A. If the message is not spam, user B refunds this money back to user A. If the message is
spam, user B keeps the money. This technique requires two spam, user B keeps the money. This technique requires two
transactions to complete: a transfer from A to B, and a transfer from transactions to complete: a transfer from A to B, and a transfer from
B back to A. The first transfer has to occur before the message can B back to A. The first transfer has to occur before the message can
be received in order to avoid reuse of "pending payments" across be received in order to avoid reuse of "pending payments" across
several messages, which would eliminate the utility of the solution. several messages, which would eliminate the utility of the solution.
The second one then needs to occur when the message is found not to The second one then needs to occur when the message is found not to
be spam. be spam.
This technique appears just as applicable to call spam and IM spam as This technique appears just as applicable to call spam and IM spam as
it is to email spam. Like many of the other techniques, this it is to email spam. Like many of the other techniques, this
exchange would only happen the first time you talk to people. Its exchange would only happen the first time you talk to people. Its
proper operation therefore requires a good authenticated identity proper operation therefore requires a good authenticated identity
infrastructure. infrastructure.
This technique has the potential to truly make it prohibitively This technique has the potential make it arbitrarily expensive to
expensive to send spam of any sort. However, it relies on cheap send spam of any sort. However, it relies on cheap micro-payment
micro-payment techniques on the Internet. Traditional costs for techniques on the Internet. Traditional costs for internet payments
internet payments are around 25 cents per transaction, which would are around 25 cents per transaction, which would probably be
probably be prohibitive. However, recent providers have been willing prohibitive. However, recent providers have been willing to charge
to charge 15% of the transaction for small transactions, as small as 15% of the transaction for small transactions, as small as one cent.
one cent. This cost would have to be shouldered by users of the This cost would have to be shouldered by users of the system. The
system. The cost that would need to be shouldered per user is equal cost that would need to be shouldered per user is equal to the number
to the number of messages from unknown senders (that is, senders not of messages from unknown senders (that is, senders not on the white
on the white list) that are received. For a busy user, assume about list) that are received. For a busy user, assume about 10 new
10 new senders per day. If the deposit is 5 cents, the transaction senders per day. If the deposit is 5 cents, the transaction provider
provider would take .75 cents and deliver 4.25 cents. If the sender would take 0.75 cents and deliver 4.25 cents. If the sender is
is allowed, the recipient returns 4.25 cents, the provider takes 64 allowed, the recipient returns 4.25 cents, the provider takes 0.64
cents, and returns 3.6 cents. This costs the sender .65 cents on cents, and returns 3.6 cents. This costs the sender 0.65 cents on
each transaction, if it was legitimate. If there are ten new each transaction, if it was legitimate. If there are ten new
recipients per day, thats US $1.95 per month, which is relatively recipients per day, thats US $1.95 per month, which is relatively
inexpensive. inexpensive.
Assuming a micro-payment infrastructure exists, another problem with Assuming a micro-payment infrastructure exists, another problem with
payment-at-risk is that it loses effectiveness when there are strong payment-at-risk is that it loses effectiveness when there are strong
inequities in the value of currency between sender and recipient. inequities in the value of currency between sender and recipient.
For example, a poor person in a third world country might keep the For example, a poor person in a third world country might keep the
money in each mail message, regardless if it is spam. Similarly, a money in each mail message, regardless if it is spam. Similarly, a
poor person might not be willing to include money in an email, even poor person might not be willing to include money in an email, even
skipping to change at page 19, line 22 skipping to change at page 19, line 34
In this model, a group of domains (e.g., a set of enterprises) all In this model, a group of domains (e.g., a set of enterprises) all
get together. They agree to exchange SIP calls amongst each other, get together. They agree to exchange SIP calls amongst each other,
and they also agree to introduce a fine should any one of them be and they also agree to introduce a fine should any one of them be
caught spamming. Each company would then enact measures to terminate caught spamming. Each company would then enact measures to terminate
employees who spam from their accounts. employees who spam from their accounts.
This technique relies on secure inter-domain authentication - that This technique relies on secure inter-domain authentication - that
is, domain B can know that messages are received from domain A. In is, domain B can know that messages are received from domain A. In
SIP, this is readily provided by usage of the mutually authenticated SIP, this is readily provided by usage of the mutually authenticated
TLS between providers. Email does not have this kind of secure Transport Level Security (TLS)[22] between providers or SIP Identity.
domain identification, although new techniques are being investigated
to add it using reverse DNS checks (see below).
This kind of technique works well for small domains or small sets of This kind of technique works well for small domains or small sets of
providers, where these policies can be easily enforced. However, it providers, where these policies can be easily enforced. However, it
is unclear how well it scales up. Could a very large domain truly is unclear how well it scales up. Could a very large domain truly
prevent its users from spamming? Would a very large enterprise just prevent its users from spamming? At what point would the network be
pay the fine? How would the pricing be structured to allow both large enough that it would be worthwhile to send spam and just pay
small and large domains alike to participate? the fine? How would the pricing be structured to allow both small
and large domains alike to participate?
3.13. Centralized SIP Providers 3.13. Centralized SIP Providers
This technique is a variation on the circles of trust described in This technique is a variation on the circles of trust described in
Section 3.12. A small number of providers get established as "inter- Section 3.12. A small number of providers get established as "inter-
domain SIP providers". These providers act as a SIP-equivalent to domain SIP providers". These providers act as a SIP-equivalent to
the interexchange carriers in the PSTN. Every enterprise, consumer the interexchange carriers in the PSTN. Every enterprise, consumer
SIP provider or other SIP network (call these the local SIP SIP provider or other SIP network (call these the local SIP
providers) connects to one of these inter-domain providers. The providers) connects to one of these inter-domain providers. The
local SIP providers only accept SIP messages from their chosen inter- local SIP providers only accept SIP messages from their chosen inter-
skipping to change at page 20, line 45 skipping to change at page 21, line 9
effective when combined with a white or black list, which itself effective when combined with a white or black list, which itself
requires a strong form of identity. requires a strong form of identity.
In email, two types of authenticated identity have been developed - In email, two types of authenticated identity have been developed -
sender checks and signature-based solutions. sender checks and signature-based solutions.
4.1. Sender Checks 4.1. Sender Checks
In email, DNS resource records have been defined that will allow a In email, DNS resource records have been defined that will allow a
domain that receives a message to verify that the sender is a valid domain that receives a message to verify that the sender is a valid
Message Transfer Agent (MTA) for the sending domain [19] [20] [21] Message Transfer Agent (MTA) for the sending domain [18] [19] [20]
[22]. They don't prevent spam by themselves, but may help in [21]. They don't prevent spam by themselves, but may help in
preventing spoofed emails. As has been mentioned several times, a preventing spoofed emails. As has been mentioned several times, a
form of strong authenticated identity is key in making many other form of strong authenticated identity is key in making many other
anti-spam techniques work. anti-spam techniques work.
Are these techniques useful for SIP? They can be used for SIP but Are these techniques useful for SIP? They can be used for SIP but
are not necessary. In email, there are no standards established for are not necessary. In SIP, TLS with mutual authentication can be
securely identifying the identity of the sending domain of a message. used inter-domain. A provider receiving a message can then reject
In SIP, however, TLS with mutual authentication can be used inter- any message coming from a domain that does not match the asserted
domain. A provider receiving a message can then reject any message identity of the sender of the message. Such a policy only works in
coming from a domain that does not match the asserted identity of the the "trapezoid" model of SIP, whereby there are only two domains in
sender of the message. Such a policy only works in the "trapezoid" any call - the sending domain, which is where the originator resides,
model of SIP, whereby there are only two domains in any call - the and the receiving domain. These techniques are discussed in Section
sending domain, which is where the originator resides, and the 26.3.2.2 of RFC 3261 [2]. In forwarding situations, the assumption
receiving domain. These techniques are discussed in Section 26.3.2.2 no longer holds and these techniques no longer work. However, the
of RFC 3261 [2]. In forwarding situations, the assumption no longer authenticated identity mechanism for SIP, discussed in Section 5,
holds and these techniques no longer work. does work in more complex network configurations and provides fairly
strong assertion of identity.
However, the authenticated identity mechanism for SIP, discussed
below, does work in more complex network configurations and provides
fairly strong assertion of identity.
4.2. Signature-Based Techniques 4.2. Signature-Based Techniques
Domain Keys Identified Mail (DKIM) [16] (and several non-standard Domain Keys Identified Mail (DKIM) Signatures[23] (and several non-
techniques that preceded it) provide stronger identity assertions by standard techniques that preceded it) provide strong identity
allowing the sending domain to sign an email, and then providing assertions by allowing the sending domain to sign an email, and then
mechanisms by which the receiving MTA or Mail User Agent (MUA) can providing mechanisms by which the receiving MTA or Mail User Agent
validate the signature. (MUA) can validate the signature.
Unfortunately, when used with blacklists, this kind of authenticated Unfortunately, when used with blacklists, this kind of authenticated
identity is only as useful as the fraction of the emails which identity is only as useful as the fraction of the emails which
utilize it. This is partly true for whitelists as well; if any utilize it. This is partly true for whitelists as well; if any
unauthenticated email is accepted for an address on a white list, a unauthenticated email is accepted for an address on a white list, a
spammer can spoof that address. However a white list can be spammer can spoof that address. However a white list can be
effective with limited deployment of DKIM if all of the people on the effective with limited deployment of DKIM if all of the people on the
white list are those whose domains are utilizing the mechanism. white list are those whose domains are utilizing the mechanism, and
the users on that whitelist aren't zombies.
This kind of identity mechanism is also applicable to SIP, and is in This kind of identity mechanism is also applicable to SIP, and is in
fact exactly what is defined by SIP's authenticated identity fact exactly what is defined by SIP's authenticated identity
mechanism [18] mechanism [17].
Other signature based approaches for email include S/MIME[24] and
OpenPGP[25].
5. Authenticated Identity in SIP 5. Authenticated Identity in SIP
One of the key parts of many of the solutions described above is the One of the key parts of many of the solutions described above is the
ability to securely identify the identity of a sender of a SIP ability to securely identify the sender of a SIP message. SIP
message. SIP provides a secure solution for this problem, and it is provides a secure solution for this problem, called SIP Identity
important to discuss it here. [17], and it is important to discuss it here.
The solution starts by having each domain authenticate its own users. The solution starts by having each domain authenticate its own users.
SIP provides HTTP digest authentication as part of the core SIP SIP provides HTTP digest authentication as part of the core SIP
specification, and all clients and servers are required to support specification, and all clients and servers are required to support
it. Indeed, digest is widely deployed for SIP. However, digest it. Indeed, digest is widely deployed for SIP. However, digest
alone has many known vulnerabilities, most notably offline dictionary alone has many known vulnerabilities, most notably offline dictionary
attacks. These vulnerabilities are all resolved by having each attacks. These vulnerabilities are all resolved by having each
client maintain a persistent TLS connection to the server. The client maintain a persistent TLS connection to the server. The
client verifies the server identity using TLS, and then authenticates client verifies the server identity using TLS, and then authenticates
itself to the server using a digest exchange over TLS. This itself to the server using a digest exchange over TLS. This
technique, which is also documented in RFC 3261, is very secure but technique, which is also documented in RFC 3261, is very secure but
not widely deployed yet. In the long term, this approach will be not widely deployed yet. In the long term, this approach will be
necessary for the security properties needed to prevent SIP spam. necessary for the security properties needed to prevent SIP spam.
Once a domain has authenticated the identity of a user, when it Once a domain has authenticated the identity of a user, when it
relays a message from that user to another domain, the sending domain relays a message from that user to another domain, the sending domain
can assert the identity of the sender, and include a signature to can assert the identity of the sender, and include a signature to
validate that assertion. This is done using the SIP identity validate that assertion. This is done using the SIP identity
mechanism [18]. mechanism [17].
A weaker form of identity assertion is possible using the P-Asserted- A weaker form of identity assertion is possible using the P-Asserted-
Identity header field [5], but this technique requires mutual trust Identity header field [5], but this technique requires mutual trust
among all domains. Unfortunately, this becomes exponentially harder among all domains. Unfortunately, this becomes exponentially harder
to provide as the number of interconnected domains grows. As that to provide as the number of interconnected domains grows. As that
happens, the value of the identity assertion becomes equal to the happens, the value of the identity assertion becomes equal to the
trustworthiness of the least trustworthy domain. Since spam is a trustworthiness of the least trustworthy domain. Since spam is a
consequence of untrusted domains and users that get connected to the consequence of the receiving domain not being able to trust the
network, the P-Asserted-Identity technique becomes ineffective at sending domains to disallow the hosts in the sending to send spam,
exactly the same levels of interconnectness that introduce spam. the P-Asserted-Identity technique becomes ineffective at exactly the
same levels of interconnectness that introduce spam.
Consider the following example to help illustrate this fact. A Consider the following example to help illustrate this fact. A
malicious domain, let us call them spam.example.com, would like to malicious domain, let us call them spam.example.com, would like to
send SIP INVITE requests with false P-Asserted-Identity, indicating send SIP INVITE requests with false P-Asserted-Identity, indicating
users outside of its own domain. spam.example.com finds a regional users outside of its own domain. spam.example.com finds a regional
SIP provider in a small country who, due to its small size and SIP provider in a small country who, due to its small size and
disinterest in spam, accepts any P-Asserted-Identity from its disinterest in spam, accepts any P-Asserted-Identity from its
customers without verification. This provider, in turn, connects to customers without verification. This provider, in turn, connects to
a larger, interconnect provider. They do ask each of their customers a larger, interconnect provider. They do ask each of their customers
to verify P-Asserted-Identity but have no easy way of enforcing it. to verify P-Asserted-Identity but have no easy way of enforcing it.
skipping to change at page 23, line 30 skipping to change at page 23, line 41
others, all work best when applied only to new requests, and others, all work best when applied only to new requests, and
successful completion of an introduction results in the placement successful completion of an introduction results in the placement
of a user on a white list. However, usage of white lists depends of a user on a white list. However, usage of white lists depends
on strong identity assertions. Consequently, any network that on strong identity assertions. Consequently, any network that
interconnects with others should make use of strong SIP identity interconnects with others should make use of strong SIP identity
as described in RFC 4474. P-Asserted-Identity is not strong as described in RFC 4474. P-Asserted-Identity is not strong
enough. enough.
White Lists: Secondly, with a strong identity system in place, White Lists: Secondly, with a strong identity system in place,
networks are recommended to make use of white lists. These are networks are recommended to make use of white lists. These are
ideally built off of the existing buddy lists if present. If not, ideally built off existing buddy lists if present. If not,
separate white lists can be managed for spam. Placement on these separate white lists can be managed for spam. Placement on these
lists can be manual or based on the successful completion of one lists can be manual or based on the successful completion of one
or more introduction mechanisms. or more introduction mechanisms.
Solve the Introduction Problem: This in turn leads to the final Solve the Introduction Problem: This in turn leads to the final
recommendation to be made. Network designers should make use of recommendation to be made. Network designers should make use of
one or more mechanisms meant to solve the introduction problem. one or more mechanisms meant to solve the introduction problem.
Indeed, it is possible to use more than one and combine the Indeed, it is possible to use more than one and combine the
results through some kind of weight. A user that successfully results through some kind of weight. A user that successfully
completes the introduction mechanism can be automatically added to completes the introduction mechanism can be automatically added to
the white list. Of course, that can only be done usefully if the white list. Of course, that can only be done usefully if
their identity is verified by RFC 4474. The set of mechanisms for their identity is verified by SIP Identity. The set of mechanisms
solving the introduction problem, as described in this document, for solving the introduction problem, as described in this
are based on some (but not all) of the techniques known and used document, are based on some (but not all) of the techniques known
at the time of writing. Providers of SIP services should keep and used at the time of writing. Providers of SIP services should
tabs on solutions in email as they evolve, and utilize the best of keep tabs on solutions in email as they evolve, and utilize the
what those techniques have to offer. best of what those techniques have to offer.
Don't Wait Until its Too Late: But perhaps most importantly, Don't Wait Until its Too Late: But perhaps most importantly,
providers should not ignore the spam problem until it happens! providers should not ignore the spam problem until it happens! As
That is the pitfall email fell into. As soon as a provider inter- soon as a provider inter-connects with other providers, or allows
connects with other providers, or allows SIP messages from the SIP messages from the open Internet, that provider must consider
open Internet, that provider must consider how they will deal with how they will deal with spam.
spam.
7. Additional Work 7. Additional Work
Though the above framework serves as a good foundation on which to Though the above framework serves as a good foundation on which to
deal with spam in SIP, there are gaps, some of which can be addressed deal with spam in SIP, there are gaps, some of which can be addressed
by additional work that has yet to be undertaken. by additional work that has yet to be undertaken.
One of the difficulties with the strong identity techniques is that a One of the difficulties with the strong identity techniques is that a
receiver of a SIP request without an authenticated identity cannot receiver of a SIP request without an authenticated identity cannot
know whether the request lacked such an identity because the know whether the request lacked such an identity because the
originating domain didn't support it, or because a man-in-the-middle originating domain didn't support it, or because a man-in-the-middle
removed it. As a result, transition mechanisms should be put in removed it. As a result, transition mechanisms should be put in
place to allow these to be differentiated. Without it, the value of place to allow these to be differentiated. Without it, the value of
the identity mechanism is much reduced. the identity mechanism is much reduced.
8. Security Considerations 8. Security Considerations
This memo is entirely devoted to issues relating to secure usage of This document is entirely devoted to issues relating to spam in SIP
SIP services on the Internet. and references a variety of security mechanisms in support of that
goal.
9. IANA Considerations 9. IANA Considerations
There are no IANA considerations associated with this specification. There are no IANA considerations associated with this specification.
10. Acknowledgements 10. Acknowledgements
The authors would like to thank Rohan Mahy for providing information The authors would like to thank Rohan Mahy for providing information
on Habeas, Baruch Sterman for providing costs on VoIP termination on Habeas, Baruch Sterman for providing costs on VoIP termination
services, and Gonzalo Camarillo and Vijay Gurbani for their reviews. services, and Gonzalo Camarillo and Vijay Gurbani for their reviews.
skipping to change at page 24, line 40 skipping to change at page 25, line 4
9. IANA Considerations 9. IANA Considerations
There are no IANA considerations associated with this specification. There are no IANA considerations associated with this specification.
10. Acknowledgements 10. Acknowledgements
The authors would like to thank Rohan Mahy for providing information The authors would like to thank Rohan Mahy for providing information
on Habeas, Baruch Sterman for providing costs on VoIP termination on Habeas, Baruch Sterman for providing costs on VoIP termination
services, and Gonzalo Camarillo and Vijay Gurbani for their reviews. services, and Gonzalo Camarillo and Vijay Gurbani for their reviews.
Useful comments and feedback were provided by Nils Ohlmeir, Tony Useful comments and feedback were provided by Nils Ohlmeir, Tony
Finch, Randy Gellens and Yakov Shafranovich. Jon Peterson wrote some Finch, Randy Gellens, Lisa Dusseault, Sam Hartman, Chris Newman, Tim
of the text in this document and has contributed to the work as it Polk, Donald Eastlake, and Yakov Shafranovich. Jon Peterson wrote
has moved along. some of the text in this document and has contributed to the work as
it has moved along.
11. Informative References 11. Informative References
[1] Campbell, B., "The Message Session Relay Protocol", [1] Campbell, B., "The Message Session Relay Protocol",
draft-ietf-simple-message-sessions-18 (work in progress), draft-ietf-simple-message-sessions-19 (work in progress),
December 2006. February 2007.
[2] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., [2] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
Session Initiation Protocol", RFC 3261, June 2002. Session Initiation Protocol", RFC 3261, June 2002.
[3] Campbell, B., Rosenberg, J., Schulzrinne, H., Huitema, C., and [3] Campbell, B., Rosenberg, J., Schulzrinne, H., Huitema, C., and
D. Gurle, "Session Initiation Protocol (SIP) Extension for D. Gurle, "Session Initiation Protocol (SIP) Extension for
Instant Messaging", RFC 3428, December 2002. Instant Messaging", RFC 3428, December 2002.
[4] Roach, A., "Session Initiation Protocol (SIP)-Specific Event [4] Roach, A., "Session Initiation Protocol (SIP)-Specific Event
skipping to change at page 25, line 37 skipping to change at page 25, line 47
August 2004. August 2004.
[8] Rosenberg, J., "An Extensible Markup Language (XML) Based [8] Rosenberg, J., "An Extensible Markup Language (XML) Based
Format for Watcher Information", RFC 3858, August 2004. Format for Watcher Information", RFC 3858, August 2004.
[9] Faltstrom, P. and M. Mealling, "The E.164 to Uniform Resource [9] Faltstrom, P. and M. Mealling, "The E.164 to Uniform Resource
Identifiers (URI) Dynamic Delegation Discovery System (DDDS) Identifiers (URI) Dynamic Delegation Discovery System (DDDS)
Application (ENUM)", RFC 3761, April 2004. Application (ENUM)", RFC 3761, April 2004.
[10] Rosenberg, J., "The Extensible Markup Language (XML) [10] Rosenberg, J., "The Extensible Markup Language (XML)
Configuration Access Protocol (XCAP)", Configuration Access Protocol (XCAP)", RFC 4825, May 2007.
draft-ietf-simple-xcap-12 (work in progress), October 2006.
[11] Rosenberg, J., "Presence Authorization Rules", [11] Rosenberg, J., "Presence Authorization Rules",
draft-ietf-simple-presence-rules-08 (work in progress), draft-ietf-simple-presence-rules-09 (work in progress),
October 2006. March 2007.
[12] Rosenberg, J., "A Framework for Consent-Based Communications in [12] Rosenberg, J., "A Framework for Consent-Based Communications in
the Session Initiation Protocol (SIP)", the Session Initiation Protocol (SIP)",
draft-ietf-sip-consent-framework-01 (work in progress), draft-ietf-sip-consent-framework-01 (work in progress),
November 2006. November 2006.
[13] Camarillo, G., "A Document Format for Requesting Consent", [13] Camarillo, G., "A Document Format for Requesting Consent",
draft-ietf-sipping-consent-format-01 (work in progress), draft-ietf-sipping-consent-format-03 (work in progress),
November 2006. April 2007.
[14] Rosenberg, J., "A Framework for Application Interaction in the [14] Rosenberg, J., "A Framework for Application Interaction in the
Session Initiation Protocol (SIP)", Session Initiation Protocol (SIP)",
draft-ietf-sipping-app-interaction-framework-05 (work in draft-ietf-sipping-app-interaction-framework-05 (work in
progress), July 2005. progress), July 2005.
[15] Burger, E. and M. Dolly, "A Session Initiation Protocol (SIP) [15] Burger, E. and M. Dolly, "A Session Initiation Protocol (SIP)
Event Package for Key Press Stimulus (KPML)", RFC 4730, Event Package for Key Press Stimulus (KPML)", RFC 4730,
November 2006. November 2006.
[16] Hansen, T., "DomainKeys Identified Mail (DKIM) Service [16] Rosenberg, J., "Applying Loose Routing to Session Initiation
Overview", draft-ietf-dkim-overview-03 (work in progress),
October 2006.
[17] Rosenberg, J., "Applying Loose Routing to Session Initiation
Protocol (SIP) User Agents (UA)", Protocol (SIP) User Agents (UA)",
draft-rosenberg-sip-ua-loose-route-00 (work in progress), draft-rosenberg-sip-ua-loose-route-01 (work in progress),
October 2006. June 2007.
[18] Peterson, J. and C. Jennings, "Enhancements for Authenticated [17] Peterson, J. and C. Jennings, "Enhancements for Authenticated
Identity Management in the Session Initiation Protocol (SIP)", Identity Management in the Session Initiation Protocol (SIP)",
RFC 4474, August 2006. RFC 4474, August 2006.
[19] Allman, E. and H. Katz, "SMTP Service Extension for Indicating [18] Allman, E. and H. Katz, "SMTP Service Extension for Indicating
the Responsible Submitter of an E-Mail Message", RFC 4405, the Responsible Submitter of an E-Mail Message", RFC 4405,
April 2006. April 2006.
[20] Lyon, J. and M. Wong, "Sender ID: Authenticating E-Mail", [19] Lyon, J. and M. Wong, "Sender ID: Authenticating E-Mail",
RFC 4406, April 2006. RFC 4406, April 2006.
[21] Lyon, J., "Purported Responsible Address in E-Mail Messages", [20] Lyon, J., "Purported Responsible Address in E-Mail Messages",
RFC 4407, April 2006. RFC 4407, April 2006.
[22] Wong, M. and W. Schlitt, "Sender Policy Framework (SPF) for [21] Wong, M. and W. Schlitt, "Sender Policy Framework (SPF) for
Authorizing Use of Domains in E-Mail, Version 1", RFC 4408, Authorizing Use of Domains in E-Mail, Version 1", RFC 4408,
April 2006. April 2006.
[23] Abadi, M., Burrows, M., Manasse, M., and T. Wobber, "Moderately [22] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS)
Protocol Version 1.1", RFC 4346, April 2006.
[23] Allman, E., Callas, J., Delany, M., Libbey, M., Fenton, J., and
M. Thomas, "DomainKeys Identified Mail (DKIM) Signatures",
RFC 4871, May 2007.
[24] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
(S/MIME) Version 3.1 Message Specification", RFC 3851,
July 2004.
[25] Elkins, M., Del Torto, D., Levien, R., and T. Roessler, "MIME
Security with OpenPGP", RFC 3156, August 2001.
[26] Abadi, M., Burrows, M., Manasse, M., and T. Wobber, "Moderately
Hard, Memory Bound Functions, NDSS 2003", February 2003. Hard, Memory Bound Functions, NDSS 2003", February 2003.
[24] Abadi, M., Burrows, M., Birrell, A., Dabek, F., and T. Wobber, [27] Abadi, M., Burrows, M., Birrell, A., Dabek, F., and T. Wobber,
"Bankable Postage for Network Services, Proceedings of the 8th "Bankable Postage for Network Services, Proceedings of the 8th
Asian Computing Science Conference, Mumbai, India", Asian Computing Science Conference, Mumbai, India",
December 2003. December 2003.
[25] Clayton, R. and B. Laurie, "Proof of Work Proves not to Work, [28] Clayton, R. and B. Laurie, "Proof of Work Proves not to Work,
Third Annual Workshop on Economics and Information Security", Third Annual Workshop on Economics and Information Security",
May 2004. May 2004.
Authors' Addresses Authors' Addresses
Jonathan Rosenberg Jonathan Rosenberg
Cisco Cisco
600 Lanidex Plaza 600 Lanidex Plaza
Parsippany, NJ 07054 Parsippany, NJ 07054
US US
skipping to change at page 27, line 23 skipping to change at page 27, line 42
Phone: +1 973 952-5000 Phone: +1 973 952-5000
Email: jdrosen@cisco.com Email: jdrosen@cisco.com
URI: http://www.jdrosen.net URI: http://www.jdrosen.net
Cullen Jennings Cullen Jennings
Cisco Cisco
170 West Tasman Dr. 170 West Tasman Dr.
San Jose, CA 95134 San Jose, CA 95134
US US
Phone: +1 408 527-9132 Phone: +1 408 421-9990
Email: fluffy@cisco.com Email: fluffy@cisco.com
Full Copyright Statement Full Copyright Statement
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors contained in BCP 78, and except as set forth therein, the authors
retain all their rights. retain all their rights.
 End of changes. 80 change blocks. 
240 lines changed or deleted 270 lines changed or added

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/