Blocking of SMS Spam and Fraud White Paper
Document: WPSMSWBV2.1
Issue date: 31MAY2004
Author: Walter Buehler, Senior Product Manager
Issued by: Nexus Telecom AG, Switzerland
We work to improve your network
Abstract
The problem of SMS Spam and fraud is growing fast and is starting to jeopardize mobile messaging, a very lucrative market for wireless network operators. This fact is emphasized by different publications; some state SMS Spam is one of the biggest threats to the revenue potential of messaging services. This White Paper describes several fraud and spamming cases and what can be done against them.
Nexus Telecom, Switzerland
May 2004
Table of Contents
Abstract
Table of Contents
Introduction
  Motivation
  The Technology behind SMS
The Three Cases
  SMS Spamming/Flooding Case
    Impact on the network operator
    How to avoid it
  The Faked SMS Case
    Impact on the network operator
    How to avoid it
  SMS Spoofing Case
    Impact on the network operator
    How to avoid it
Solution Description
  SMS Spam and Fraud Detection Application
    For the SMS Spamming/Flooding Case
    For the Faked SMS Case
    SMS Spoofing Case
  About NexusNETVIEW Signaling Surveillance System
Abbreviations
About Nexus Telecom
Introduction
Motivation
Network operators have a high interest in avoiding SMS Spam. Not only does SMS Spam by nature generate high traffic, potentially flooding network elements or the whole network, but end-users are rather helpless in controlling the SMS Spam problem. Unlike with e-mail, "spammed" end-users cannot take any counter-measures against the increasing number of unwanted SMS. Thus it is up to the network operator to help block unsolicited SMS, and an operator that cannot do so has to expect churn. Another issue closely related to SMS Spam is SMS fraud, which has a direct impact on the revenue stream of the network operator.
The Technology behind SMS
Figure 1 shows two GSM networks and the components relevant for delivering an SMS from end-user A to end-user B. In general, the following message flow exists:
1. The SMS is sent via MSC/VLR to the SMS-C in PLMN A. This is a MAP "Forward SM" message, including the source MSISDN A and the destination MSISDN B.
2. Since end-user B is in PLMN B, the SMS-C has to get the routing information from the HLR of PLMN B. To do so, it sends a MAP "Send Routing Info for SM" with the MSISDN B number.
3. The HLR then sends back the IMSI of end-user B and its VLR.
4. The SMS-C delivers the SMS as a MAP message via the MSC/VLR to end-user B.
Figure 1: Network Layout and SMS-related Message Flow
The Three Cases
SMS Spamming/Flooding Case
From the viewpoint of an end-user, any single SMS could be an unwanted and annoying SMS Spam. In single instances, no system can protect itself. But normally SMS Spamming is not just a single message to one subscriber, but a large number of SMS to multiple subscribers. In the extreme, these multiple SMS pose the danger of overloading the network. This is called SMS Flooding and is defined as a massive load of SMS to one or several destinations, independent of whether these SMS are valid or invalid.
Figure 2: SMS Spam/Flooding Case
Impact on the network operator
SMS Spamming is one reason for churn. Hence, blocking SMS Spam is increasingly becoming a competitive advantage for an operator.
SMS Flooding can temporarily overload parts of the wireless network and hinder delivery of other SMS. In rare cases, it can block other network components and cause outages.
How to avoid it
SMS Flooding can be detected by supervising SMS traffic and checking by source, and in rarer cases by destination, to determine whether it is above an expected level. If this is so, then the source address should be blocked. Another clear identification of SMS Spam and Flooding is the fact that the high load of traffic is generated by SMS with the same content. Therefore it is recommended to check not only for abnormal traffic profiles from a certain source or destination, but also for repetitive content.
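The two checks described above (traffic level per source and repetitive content) can be combined in one sliding-window pass. This is an added example, not part of the original white paper or of any Nexus Telecom product; the record layout, the window length, both thresholds and the sample traffic are assumptions constructed for illustration.

```python
# Added example: sliding-window flood and repeated-content detection.
# Record layout, thresholds and sample traffic are constructed for illustration.
import hashlib
from collections import defaultdict, deque

WINDOW_S = 60       # assumed observation window in seconds
RATE_LIMIT = 5      # assumed maximum SMS per source within one window
REPEAT_LIMIT = 3    # assumed maximum identical texts per source within one window


def content_key(text):
    """Normalise case and whitespace so trivially varied copies hash the same."""
    return hashlib.sha256(" ".join(text.lower().split()).encode()).hexdigest()


def detect_flooding(records):
    """records: time-ordered iterable of (timestamp_s, source_address, text).

    Returns {source: set of reasons} for every source that crossed a threshold.
    """
    window = defaultdict(deque)     # source -> deque of (timestamp, content hash)
    alarms = defaultdict(set)
    for ts, source, text in records:
        q = window[source]
        q.append((ts, content_key(text)))
        while q[0][0] <= ts - WINDOW_S:     # drop entries that left the window
            q.popleft()
        if len(q) > RATE_LIMIT:
            alarms[source].add("rate")
        counts = defaultdict(int)
        for _, digest in q:
            counts[digest] += 1
        if max(counts.values()) > REPEAT_LIMIT:
            alarms[source].add("repeated-content")
    return dict(alarms)


# Constructed sample traffic: (seconds, source address, message text)
SAMPLE = (
    [(i * 2, "+10000000001", "WIN a prize,  call now") for i in range(8)]
    + [(i * 30, "+10000000002", f"meeting moved to {i} pm") for i in range(6)]
    + [(100 + i * 15, "+10000000003", "Win A Prize, call now") for i in range(4)]
)
SAMPLE.sort()

if __name__ == "__main__":
    for src, reasons in detect_flooding(SAMPLE).items():
        print(src, sorted(reasons))
```

The third constructed source stays under the rate limit and is caught only by the content check, which is why the paper recommends both.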
The Faked SMS Case
Faked SMS have manipulated SCCP or MAP addresses. The source address of the SMS pretends that these are sent from another network (in Figure 3 from PLMN A). To do so, the source has to know the end-user's IMSI, otherwise an HLR interaction has to take place. In this case the Fake SMS Source has to use its own real SCCP and MAP SMS-C address. If the VLR is unknown, the source has to send the SMS to every VLR in the network, which together with the false IMSI addresses can generate a heavy load in the network equal to SMS Flooding.
Figure 3: Faked SMS Case
Impact on the network operator
Faked SMS lead to wrong interconnection billing. For example, if the SCCP and MAP addresses are wrong, PLMN B will not be paid for the delivery of these SMS. And, of course, Faked SMS may be the reason for SMS Flooding with overload in the network.
How to avoid it
The first defense line is at the SS7 carrier, which should screen all direct SS7 links to determine that SCCP addresses match the connected operators. If the SCCP address does not match, the message is fake and has to be deleted.
The second defense line is at the operator of PLMN B. It can detect:
• Transaction address mismatch
• "Unusual" originating SCCP addresses
• Unknown IMSI messages ("unknown subscriber")
• An unexpectedly high number of messages from an often unknown source, possibly with the same content.
If this is the case then the source address should be blocked.
The third defense line is at the operator of PLMN A, which should match the SMS sent against the TCAP responses from the VLR. If there is a clear mismatch, it is known that somebody is misusing the operator's identity, although the operator cannot influence the delivery of the faked SMS as it occurs.
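The first two defense lines can be sketched as a screening pass over signalling records. This is an added example, not code from the white paper or from NexusNETVIEW; the link names, address prefixes, record fields and the error limit are constructed, and the "address mismatch" is interpreted here as the SCCP calling address and the MAP SMS-C address belonging to different operators.

```python
# Added example: screening SMS signalling records for faked addresses.
# Link names, address prefixes and records are constructed for illustration.
from collections import Counter

# Assumed provisioning data: address prefixes of the operator on each SS7 link.
LINK_PREFIXES = {"link-opA": ("99901",), "link-opC": ("99903",)}
UNKNOWN_SUB_LIMIT = 2   # assumed maximum "unknown subscriber" errors per source


def owner(address):
    """Return the provisioned prefix that owns this address, or None."""
    for prefixes in LINK_PREFIXES.values():
        for p in prefixes:
            if address.startswith(p):
                return p
    return None


def screen(records):
    """records: dicts with link, sccp_calling_gt, map_smsc and error (or None).

    Returns (findings, blocked). Blocking is keyed by (link, address) so that
    a faked address is not also blocked on its genuine operator's link.
    """
    findings, unknown = [], Counter()
    for i, r in enumerate(records):
        gt, smsc = r["sccp_calling_gt"], r["map_smsc"]
        if not gt.startswith(LINK_PREFIXES[r["link"]]):
            findings.append((i, "sccp-address-not-from-connected-operator"))
        if owner(gt) != owner(smsc):
            findings.append((i, "sccp-map-address-mismatch"))
        if r["error"] == "unknown-subscriber":
            unknown[(r["link"], gt)] += 1
    blocked = {key for key, n in unknown.items() if n > UNKNOWN_SUB_LIMIT}
    blocked |= {(records[i]["link"], records[i]["sccp_calling_gt"]) for i, _ in findings}
    return findings, blocked


def rec(link, gt, smsc, error=None):
    return {"link": link, "sccp_calling_gt": gt, "map_smsc": smsc, "error": error}


# Constructed sample records
SAMPLE = [
    rec("link-opA", "9990110", "9990110"),   # consistent with the link's operator
    rec("link-opC", "9990110", "9990110"),   # operator A address on operator C's link
    rec("link-opC", "9990320", "9990110"),   # MAP SMS-C address claims operator A
] + [rec("link-opC", "9990399", "9990399", "unknown-subscriber")] * 3

if __name__ == "__main__":
    findings, blocked = screen(SAMPLE)
    print(findings)
    print(sorted(blocked))
```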
SMS Spoofing Case
The SMS sent to the SMS-C have a manipulated originating MSISDN A number. One example is shown in Figure 4, where the "SMS Spoofing Source" simulates a roaming end-user from PLMN A, sending an SMS to a foreign end-user in PLMN B. The "Spoofing SMS Source" is a specific system with an SS7 application. It uses real or wrong MSISDN A numbers, originating VLR and/or SCCP addresses.
Figure 4: SMS Spoofing Case
Impact on the network operator
The main issue for the operator of PLMN A is revenue loss: the roaming end-user cannot be billed when a wrong MSISDN number is used, yet the operator of PLMN A still has to pay the operator of PLMN B for the delivery of the SMS. SMS Flooding could be another problem the network operator faces.
How to avoid it
The MSISDN number should be checked to determine that it is a real one, and the VLR location should be checked against the entry in the HLR. If one or both are identified as wrong, the message should not be sent. For an independent monitoring system, SMS Spoofing is a typical fraud case. It checks for high-usage MSISDNs and creates an alarm if the usage is above a certain limit.
Solution Description
SMS Spam and Fraud Detection Application
The NexusNETVIEW Signaling Surveillance System meets all major technical and operational requirements in PSTN and GSM networks. Its Fraud Detection application is used to detect fraudulent behavior of end-users. It is designed for very high numbers of calls. This is a solid base for the SMS Spam and Fraud Detection application, because this type of fraud requires the highest performance.
Figure 5: NexusNETVIEW Configuration
For Blocking SMS Spam & Fraud, the NexusNETVIEW monitors two points in the wireless network:
• International MAP gateway
• MAP interface
NexusNETVIEW detects different SMS SPAM and Fraud patterns and generates an on-line alarm to let the network act accordingly.
For the SMS Spamming/Flooding Case
NexusNETVIEW detects SMS Spamming/Flooding by supervising the SMS traffic and checking for a high number of SMS from or to foreign SMS-C in short time intervals. NexusNETVIEW holds profiles per source/destination and creates an alarm event in case a user-defined threshold level is reached. In addition, the system can check SMS for repetitive content from the same source and feed it to the threshold alarm manager. If any one threshold is met, NexusNETVIEW generates an alarm with information about the SMS source address that has to be blocked.
For the Faked SMS Case
First, NexusNETVIEW can be used by an SS7 carrier. The system screens all SS7 links to determine that the SCCP addresses match the connected operators. If the SCCP address in a message does not match, it is faked and has to be deleted. NexusNETVIEW is able to generate an alarm according to SCCP address mismatch.
NexusNETVIEW monitors MAP and TCAP messages at the border of the network of a wireless network operator. Therefore it can detect:
• Transaction address mismatch, which is an indication of wrong SCCP addresses;
• "Unusual" originating SCCP addresses, using the profiling mechanism;
• Unknown IMSI messages ("unknown subscriber"); and,
• An unexpectedly high number of messages from an often unknown source, possibly with the same content.
If detected, NexusNETVIEW generates an alarm with the information about the source address that should be blocked.
SMS Spoofing Case
NexusNETVIEW will check for high usage of MSISDN numbers in SMS. This is an indication of SMS Spam or spoofing. It creates an alarm if the usage is above a certain limit.
About NexusNETVIEW Signaling Surveillance System
NexusNETVIEW is the most powerful signaling surveillance system for GSM, GPRS, UMTS and VoIP available today. On-site data acquisition devices collect the raw signaling and data. The acquired and pre-processed information is transferred to the central application server located in the NMC. Local and remote users can access and make use of the various applications according to their specific tasks. The following applications are at the user's disposal:
• Network and call status supervision for help desk and NMC
  o Pro-active overview (Network Health Monitoring)
  o Real-time call traces
  o Off-line call traces on historical data
• Performance and QoS Reporting according to ITU-T Q.752/E.422 for NMC and the quality department:
  o Performance measurements for network planning and quality reporting
  o On-line network health and status surveillance
  o Threshold alarm management
  o Alarm management via Q3 or SNMP interface (optional)
• NMC network operation and trouble-shooting
  o Call tracing
  o Protocol analysis
• Destination and origin-oriented on-line traffic management
• Fraud detection
• Inter-carrier accounting
• Welcome SMS
Major strengths of the NexusNETVIEW Signaling Surveillance System:
• Highly scalable, modular system architecture built up with standard system hardware and software components, standard networking interfaces and protocols.
• Ready for extended applications such as performance and QoS reporting according to the recommendations of the Telecommunication Management Forum.
• Compact high-performance probes with mass storage for up to 30 days full rollback on all raw data of the entire SS7 signaling traffic and call detail records (up to 60 days CDR storage optional).
• X.700 Manager/Agent model for maximum performance over LAN/WAN and for X.733 alarm management via the optional Q3 alarm interface. SNMP integrations are also supported.
• Ready for future applications such as VoIP QoS testing, connectionless traffic accounting and billing, UMTS and configuration management.
To learn more about NexusNETVIEW, please visit: http://www.NexusNETVIEW.com
Abbreviations
BSS      Base Station Subsystem
CDR      Call Data Record
GERAN    GSM EDGE Radio Access Network
GPRS     General Packet Radio Service
GSM      Global System for Mobile Communication
HLR      Home Location Register
IGP      Interior Gateway Protocol
IMSI     International Mobile Subscriber Identity
IP       Internet Protocol
LAN      Local Area Network
MAP      Mobile Application Part
MSC/VLR  Mobile Switching Center / Visitor Location Register
MSISDN   Mobile Subscriber ISDN Number
MSU      Message Signaling Unit
NMC      Network Management Center
OSS      Operations Support System
PLMN     Public Land Mobile Network
PSTN     Public Switched Telecom Network
QoS      Quality of Service
SCCP     Signaling Connection Control Part
SMS      Short Message Service
SMS-C    SMS Center
SNMP     Simple Network Management Protocol
SS7      Signaling System Number 7
STP      Signaling Transfer Point
TCAP     Transaction Capability Application Part
TCP/IP   Transmission Control Protocol / Internet Protocol
UMTS     Universal Mobile Telecommunications System
VoIP     Voice over IP
WAN      Wide Area Network
About Nexus Telecom
Founded in 1994, Nexus Telecom (www.nexustelecom.com) is a privately-held company with headquarters in Zurich, Switzerland and a North American subsidiary in Ottawa, Canada. With over 200 employees, Nexus Telecom is a major OSS/BSS vendor delivering sophisticated state-of-the-art telecom management solutions to 2G, 3G, NGN and VoIP service providers and network operators worldwide. Nexus Telecom specializes in Service Assurance, Revenue Assurance and Network/Service Testing solutions, supporting the most recently developed technologies and standards. Nexus Telecom's fast time-to-market strategy is to gain early in-depth know-how about network technologies through strong development partnerships with leading network manufacturers such as Siemens, Lucent, Nortel, Nokia, and Ericsson, to name a few. With solutions deployed in over 100 countries, Nexus Telecom's installed customer base spans the globe, assuring service quality and revenue streams for many of the world's best-known telecom operators. For small and large service providers alike, including the world's largest GSM/UMTS network operated by T-Mobile, the highly scalable and modular E2E solutions from Nexus Telecom maximize the service provider's competitive edge through excellent ROI, quick and smooth launch of new services, and greatly increased end-customer satisfaction. Nexus Telecom is certified according to the ISO 9001 Quality and Management Standards.
Nexus Telecom AG, CH-8048 Zurich, Switzerland This document and all the information contained herein is subject to change without notice and should not be construed as a commitment by Nexus Telecom. Although we believe the contents of this document to be accurate, Nexus Telecom assumes no responsibility for any errors that may occur in this document.
Nexus Telecom, and all Nexus Logos are trademarks of Nexus Telecom AG. All other trademarks are acknowledged and are the property of their respective owners.