White Paper SMS Spam Nexus Net View Ed 2.1

8/3/2019 White Paper SMS Spam Nexus Net View Ed 2.1

1/18

Blocking of SMSSpam and Fraud

White Paper

Document: WPSMSWBV2.1

Issue date: 31MAY2004

Author: Walter Buehler

Senior Product Manager

Issued by: Nexus Telecom AG, Switzerland

We work to improve your network


2/18

Blocking of SMS Spam and Fraud

White Paper

Abstract

The problem of SMS Spam and fraud is growing fast and is starting to jeopardize mobile

messaging, a very lucrative market for wireless network operators. This fact is emphasized

by different publications; some state SMS Spam is one of the biggest threats to the revenue

potential of messaging services.

This White Paper describes several fraud and spamming cases and what can be done

against them.

Nexus Telecom, Switzerland May 2004 Page 2 of 18


3/18


White Paper

Table of Contents

ABSTRACT ..............................................................................................................................2TABLE OF CONTENTS ...........................................................................................................3INTRODUCTION......................................................................................................................4

Motivation........................................................................................................................4 The Technology behind SMS..........................................................................................5

THE THREE CASES................................................................................................................6SMS Spamming/Flooding Case......................................................................................6

Impact on the network operator .......................................................................................... 6How to avoid it..................................................................................................................... 7

The Faked SMS Case.....................................................................................................8Impact on the network operator .......................................................................................... 8How to avoid it..................................................................................................................... 9

SMS Spoofing Case......................................................................................................10Impact on the network operator ........................................................................................ 10How to avoid it................................................................................................................... 11

SOLUTION DESCRIPTION ...................................................................................................12SMS Spam and Fraud Detection Application................................................................12

For the SMS Spamming/Flooding Case ........................................................................... 13For the Faked SMS Case ................................................................................................. 13SMS Spoofing Case.......................................................................................................... 13

About NexusNETVIEW Signaling Surveillance System................................................14ABBREVIATIONS ..................................................................................................................16ABOUT NEXUS TELECOM ...................................................................................................17



4/18


White Paper

Introduction

Motivation

Network operators have a high interest in avoiding SMS Spam. Not only does SMS Spam by

nature generate high traffic, potential flooding network elements or the whole network, but

end-users are rather helpless in controlling the SMS Spam problem. Unlike e-mail,

"spammed" end-users cannot take any counter-measures against the increasing number of

unwanted SMS. Thus it is up to the network operator to help block unsolicited SMS. And if

the operator cannot do so he has to expect churn.

Another closely related issue to SMS Spam is SMS fraud, which has a direct impact on the

revenue stream of the network operator.



5/18


White Paper

The Technology behind SMSFigure 1 shows two GSM networks and the components relevant for delivering an SMS from

end-user A to end-user B. In general, the following message flow exists:

1. SMS is sent via MSC/VLR to SMS-C in PLMN A. This is a MAP "Forward SM"

message, including the source MSISDN A and the destination MSISDN B.

2. Since the end-user B is in the PLMN B, the SMS-C has to get the routing information

from the HLR of the PLMN B. To do so, it sends a MAP "Send Routing Info for SM"

with the MSISDN B number.

3. The HLR then sends back the IMSI of end-user B and its VLR.

4. The SMS-C delivers the SMS as a MAP message via the MSC/VLR to the end-user

B.

Figure 1: Network Layout and SMS-related Message Flow



6/18


White Paper

The Three Cases

SMS Spamming/Flooding Case

From the viewpoint of an end-user any single SMS could be an unwanted and annoying SMS

Spam. In single instances, no system can protect itself. But normally SMS Spamming is not

just a single event message to one subscriber, but a large amount of SMS to multiple

subscribers.

In the extreme these multiple SMS pose the danger of overloading the network. This is called

SMS Flooding and is defined as a massive load of SMS to one or several destinations,

independent of whether these SMS are valid or invalid.

Figure 2: SMS Spam/Flooding Case

Impact on the network operator

SMS Spamming is one reason for churn. Hence why for an operator blocking SMS Spam

becomes more and more a competitive advantage.



7/18


White Paper

SMS Flooding can temporarily overload parts of the wireless network and hinder delivery of

other SMS. In rare cases, it can block other network components and cause outages.

How to avoid it

SMS Flooding can be detected by supervising SMS traffic and checking by source, and in

rarer cases by destination, to determine it is above an expected level. If this is so, then the

source address should be blocked.

Another clear identification of SMS Spam and Flooding is the fact that the high load of traffic

is generated by SMS with the same content. Therefore it is recommended to check not only

for abnormal traffic profiles from a certain source or destination, but also for repetitive

content.



8/18


White Paper

The Faked SMS CaseThe Faked SMS have manipulated SCCP or MAP addresses. The source address of the

SMS pretends that these are sent from another network (in Figure 3 from PLMN A). To do

so, it has to know the end-users' IMSI, otherwise an HLR interaction has to take place. In this

case the Fake SMS Source has to use his own real SCCP and MAP SMS-C address.

If the VLR is unknown, the source has to send the SMS to every VLR in the network, which

together with the false IMSI addresses can generate a heavy load in the network equal to

SMS Flooding.

Figure 3: Faked SMS Case


Faked SMS lead to wrong interconnection billing. For example, if the SCCP and MAP

addresses are wrong, PLMN B will not be paid for the delivery of these SMS.

And, of course, Faked SMS may be the reason for SMS Flooding with overload in the

network.



9/18


10/18


White Paper

SMS Spoofing CaseThe SMS sent to the SMS-C have a manipulated originating MSISDN A number. One

example is shown in Figure 4, where the "SMS Spoofing Source" simulates a roaming end-

user from PLMN A, sending an SMS to a foreign end-user in PLMN B. The "Spoofing SMS

Source" is a specific system with an SS7 application. It uses real or wrong MSISDN A

numbers, originating VLR and / or SCCP addresses.

Figure 4: SMS Spoofing Case


The main issue for the operator of PLMN A is the revenue loss due to the fact that the

roaming end-user can not be billed when a wrong MSISDN number is used and has to pay

the operator of the PLMN B for the delivery of the SMS.

SMS Flooding could be another problem the network operator faces.



11/18


White Paper

How to avoid it

The MSISDN number should be checked to determine that it is a real one and the VLRlocation should be checked with entry in the HLR. If one or both are identified as wrong, the

message should not be sent.

For an independent monitoring system, SMS Spoofing is a typical fraud case. It checks for

high usage MSISDN and creates an alarm if the usage is above a certain limit.



12/18


White Paper

Solution Description

SMS Spam and Fraud Detection Application

The NexusNETVIEW Signaling Surveillance System meets all major technical and

operational requirements in PSTN and GSM networks. Its Fraud Detection application is

used to detect fraudulent behavior of end-users. It is designed for a very high numbers of

calls. This is a solid base for the SMS Spam and Fraud Detection application, because this

type of fraud requires the highest performance.

Figure 5: NexusNETVIEW Configuration

For Blocking SMS Spam & Fraud, the NexusNETVIEW monitors two points in the wireless

network:

International MAP gateway

MAP interface



13/18


White Paper

NexusNETVIEW detects different SMS SPAM and Fraud patterns and generates an on-line

alarm to let the network act accordingly.

For the SMS Spamming/Flooding Case

NexusNETVIEW detects SMS Spamming/Flooding by supervising the SMS traffic and

checking for a high number of SMS from or to foreign SMS-C in short time intervals.

NexusNETVIEW holds profiles per source/destination and creates an alarm event in case a

user-defined threshold level is reached. In addition, the system can check SMS on repetitive

content from the same source and feed it to the threshold alarm manager.

If anyone threshold is met NexusNETVIEW generates an alarm with information about the

SMS source address that has to be blocked.

For the Faked SMS Case

First, NexusNETVIEW can be used by an SS7 carrier. The system screens all SS7 links to

determine that the SCCP addresses match with the connected operators. If the SCCP

address in a message does not match, it is faked and has to be deleted. NexusNETVIEW is

able to generate an alarm according to SCCP address mismatch.

NexusNETVIEW monitors MAP and TCAP messages at the border of the network of a

wireless network operator. Therefore it can detect:

Transaction address mismatch is an indication for wrong SCCP addresses;

"Unusual" originating SCCP addresses using the profiling mechanism;

Unknown IMSI messages ("unknown subscriber"); and,

An unexpected high number of messages from an often unknown source, possibly with

the same content.

If detected, NexusNETVIEW generates an alarm with the information about the source

address that should be blocked.

SMS Spoofing Case

NexusNETVIEW will check for high usage of MSISDN numbers in SMS. This is an indication

so a SMS Spam or spoofing. It creates an alarm if the usage is above a certain limit.



14/18


White Paper

About NexusNETVIEW Signaling Surveillance System

NexusNETVIEW is the most powerful signaling surveillance system for GSM, GPRS, UMTSand VoIP available today. On-site data acquisition devices collect the raw signaling and user

data. The acquired and pre-processed information is transferred to the central application

server located in the NMC. Local and remote users can access and make use of the various

applications according to their specific tasks.

The following applications are at the user's disposal:

Network and call status supervision for help desk and NMC

o Pro-active overview (Network Health Monitoring)

o Real-time call traces

o Off-line call traces on historical data

Performance and QoS Reporting according to ITU-T Q.752/E.422 for NMC and the

quality department:

o Performance measurements for network planning and quality reporting

o On-line network health and status surveillance

o Threshold alarm management

o Alarm management via Q3 or SNMP interface (optional)

NMC network operation and trouble-shooting

o Call tracing

o Protocol analysis

Destination and origin-oriented on-line traffic management

Fraud detection

Inter-carrier accounting

Welcome SMS

Major strengths of the NexusNETVIEW Signaling Surveillance System:

Highly scaleable, modular system architecture built up with standard system hardware

and software components, standard networking interfaces and protocols.

Ready for extended applications such as performance and QoS reporting according to

the recommendations of the Telecommunication Management Forum.

Compact high-performance probes with mass storage for up to 30 days full rollback on

all raw data of the entire SS7 signaling traffic and call detail records (up to 60 days

CDR storage optional).



15/18


White Paper

X.700 Manager/Agent model for maximum performance over LAN/WAN and for X.733

alarm management via the optional Q3 alarm interface. SNMP integrations are alsosupported.

Ready for future applications such as VoIP QoS testing, connectionless traffic

accounting and billing, UMTS support and configuration management.

To learn more about NexusNETVIEW, please visit: http://www.NexusNETVIEW.com



16/18


White Paper

Abbreviations

BSS Base Station Subsystem

CDR Call Data Record

GERAN GSM EDGE Radio Access Network

GPRS General Packet Radio Service

GSM Global System for Mobile Communication

HLR Home Location Register

IGP Interior Gateway Protocol

IMSI International Mobile Subscriber IdentityIP Internet Protocol

LAN Local Area Network

MAP Mobile Application Part

MSC/VLR Mobile Switching Center / Visitor Location Register

MSIDN Mobile Subscriber ISDN Number

MSU Message Signaling Unit

NMC Network Management Center

OSS Operations Support System

PLMN Public Land Mobile NetworkPSTN Public Switched Telecom Network

QoS Quality of Service

SCCP Signaling Connection Control Part

SMS Short Message Service

SMS-C SMS Center

SNMP Simple Network Management Protocol

SS7 Signaling System Number 7

STP Signaling Transfer Point

TCAP Transaction Capability Application PartTCP/IP Transmission Control Protocol / Internet Protocol

UMTS Universal Mobile Telecommunications System

VoIP Voice over IP

WAN Wide Area Network



17/18


White Paper

About Nexus Telecom

Founded in 1994, Nexus Telecom (www.nexustelecom.com) is a privately-held company with

headquarters in Zurich, Switzerland and a North American subsidiary in Ottawa, Canada.

With over 200 employees, Nexus Telecom is a major OSS/BSS vendor delivering

sophisticated state-of-the-art telecom management solutions to 2G, 3G, NGN and VoIP

service providers and network operators worldwide.

Nexus Telecom specializes in Service Assurance, Revenue Assurance and Network/Service

Testing solutions, supporting the most recently developed technologies and standards.Nexus Telecom's fast time-to-market strategy is to gain early in-depth know-how about

upcoming network technologies through strong development partnerships with leading

network manufacturers such as Siemens, Lucent, Nortel, Nokia, and Ericsson, to name a

few.

With solutions deployed in over 100 countries, Nexus Telecom's

installed customer base spans the globe, assuring service quality

and revenue streams for many of the world's best-known telecom

operators. For small and large service providers alike, including theworld's largest GSM/UMTS network operated by T-Mobile, the

highly scalable and modular E2E solutions from Nexus Telecom

maximize the service provider's competitive edge through excellent

ROI, quick and smooth launch of new services, and greatly increased end-customer

satisfaction.

Nexus TelecomZurich Headquarters

Nexus Telecom is certified according to the ISO 9001 Quality and Management Standards.



18/18

Nexus Telecom AG, CH-8048 Zurich, Switzerland

This document and all the information contained herein is subject to change without notice

and should not be construed as a commitment by Nexus Telecom. Although we believe the

contents of this document to be accurate, Nexus Telecom assumes no responsibility for any

errors that may occur in this document.

Nexus Telecom, and all Nexus Logos are trademarks of Nexus Telecom AG.

All other trademarks are acknowledged and are the property of their respective owners.

Visit our website at www.nexustelecom.com

Nexus Telecom AGSystem Solutions

Nexus Telecom AGWireless Network Systems

Nexus Telecom (Americas) Inc.(NA and CALA)

Feldbachstrasse 80

P.O. Box 215

CH-8634 Hombrechtikon

Switzerland

Tel. +41 55 254 5111

Fax +41 55 254 5112

[email protected]

[email protected]

Muertschenstrasse 27

P.O. Box 1413

CH-8048 Zurich

Switzerland

Tel. +41 44 355 6611

Fax +41 44 355 6612

[email protected]

[email protected]

Suite 100

1101 Prince of Wales Drive

Ottawa, Ontario

Canada K2C 3W7

Tel. +1 613 224 2637

Fax +1 613 224 2761

[email protected]

[email protected]
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]

Documents

White Paper SMS Spam Nexus Net View Ed 2.1