Spam, defined as the transmission of bulk unsolicited messages, has plagued Internet e-mail. Unfortunately, spam can affect any system that enables user-to-user communications, such as Voice over Internet Protocol (VoIP) telephony. Spam transmitted over Internet telephony connections is commonly referred to as “SPIT.”
Rosenberg et al. discuss SPIT-related issues in “The Session Initiation Protocol (SIP) and Spam,” Internet Draft publication draft-ietf-sipping-spam-00 (Feb. 13, 2005), which is incorporated herein by reference. SIP itself is described by Rosenberg et al. in Request for Comments (RFC) 3261 of the Internet Engineering Task Force (IETF), entitled “SIP: Session Initiation Protocol” (June, 2002), which is also incorporated herein by reference. These documents, as well as other Internet drafts and RFCs cited hereinbelow, can be accessed at www.ietf.org. Rosenberg et al. explain that SIP is used for multimedia communications between users, including voice, video, instant messaging and presence. The authors predict that SIP networks will be targeted by increasing amounts of spam. They suggest a framework for anti-spam in SIP combining identity authentication, “whitelists,” a “consent framework” and other techniques.
A number of authors have suggested ways in which the security of SIP networks can be enhanced. For example, Jennings et al. describe enhancements that may be made to SIP for this purpose in IETF RFC 3325, entitled “Private Extensions to the Session Initiation Protocol (SIP) for Asserted Identity within Trusted Networks” (November, 2002), which is incorporated herein by reference. This document describes private extensions to SIP that enable a network of trusted SIP servers to assert the identity of authenticated users, as well as the application of existing privacy mechanisms to the identity problem. The use of these extensions is applicable, however, only inside an administrative domain with previously agreed-upon policies for generation, transport and use of such information. Jennings et al. note that they do not offer a general privacy or identity model suitable for use between different trust domains, or for use in the Internet at large.
Peterson et al. describe a mechanism for securely identifying originators of SIP messages in Internet Draft publication draft-ietf-sip-identity-04, entitled “Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP)” (February, 2005), which is incorporated herein by reference. This document recommends practices and conventions for identifying end-users in SIP messages, and proposes a way to distribute cryptographically-secure authenticated identities. The authors describe a mediated authentication architecture for SIP, in which requests are sent to a server in the user's local domain, which authenticates such requests. Once a message has been authenticated, the local domain then informs other SIP entities that the sending user has been authenticated and has been authorized to use the From header field. This draft specifies a means of sharing a cryptographic assurance of end-user SIP identity in an interdomain context, which is based on the concept of an “authentication service” and new SIP headers: Identity and Identity-Info.
Tschofenig et al. describe the use of the Security Assertion Markup Language (SAML) to offer trait-based authorization for SIP, in Internet Draft document draft-tschofenig-sip-saml-02, entitled “Using SAML for SIP” (November, 2004), which is incorporated herein by reference. In trait-based authorization, users are authenticated using roles or traits instead of identity. SAML is an extension of XML for security information exchange. This document defines how SAML assertions are carried in SIP. An assertion is a package of information including authentication statements, attribute statements and authorization decision statements. The assertion is referenced by an artifact, which is an encoded string that servers use to look up an assertion. The source server stores the assertion temporarily. The destination server receives the artifact and uses it to pull the assertion from the source site.
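The artifact-and-pull exchange described above can be sketched as follows. This is an added example, not code from the cited draft or from this document; the class and function names, the 60-second lifetime, the single-use rule and the in-process call standing in for the network pull are all assumptions made for illustration.

```python
import secrets
import time

ARTIFACT_TTL_SECONDS = 60  # assumed lifetime; the text only says "temporarily"


class SourceServer:
    """Source site: holds assertions briefly and hands out artifacts that reference them."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # artifact -> (expiry time, assertion)

    def issue_artifact(self, traits):
        # The assertion carries attribute statements (traits), not a user identity.
        assertion = {"attributes": dict(traits), "issued_at": self._clock()}
        artifact = secrets.token_urlsafe(20)  # opaque, unguessable reference string
        self._pending[artifact] = (self._clock() + ARTIFACT_TTL_SECONDS, assertion)
        return artifact

    def resolve(self, artifact):
        # pop() makes the artifact single-use (an assumption of this example),
        # so a replayed artifact resolves to nothing.
        entry = self._pending.pop(artifact, None)
        if entry is None:
            return None
        expiry, assertion = entry
        return assertion if self._clock() <= expiry else None


def destination_authorizes(source, artifact, required_trait, required_value):
    """Destination site: pull the assertion by artifact, then decide on the trait alone."""
    assertion = source.resolve(artifact)  # stands in for the pull from the source site
    if assertion is None:
        return False  # unknown, expired or already-used artifact: fail closed
    return assertion["attributes"].get(required_trait) == required_value


class FakeClock:
    """Constructed clock so expiry can be demonstrated without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    src = SourceServer(clock)
    art = src.issue_artifact({"role": "subscriber"})  # constructed sample trait
    print("first use:", destination_authorizes(src, art, "role", "subscriber"))
    print("replay:   ", destination_authorizes(src, art, "role", "subscriber"))
```

The destination never learns who the caller is, only that the source site vouches for the trait, and an artifact that is unknown, stale or reused yields no assertion and therefore no authorization.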
The need for means to combat SPIT is emphasized by U.S. Patent Application Publication US 2005/0281284, which describes a system and method for broadcasting VoIP messages. The method uses random delays to disguise the automated nature of a messaging source, so as to defeat filtering or blocking of the messages.