WHITE PAPER

SMS SPAM AND FRAUD PREVENTION

Short Message Service (SMS) messages account for approximately 10 percent of a mobile operator’s revenue, according
to research firm IDC. The growing volume of spam can threaten this revenue by provoking subscribers to churn.
Furthermore, some of that spam is sent from fraudulent addresses, causing inaccurate billing for subscribers and
revenue forfeiture for the mobile operator, which cannot bill the sender for the termination fee. To prevent subscriber
churn and protect revenues, mobile operators need a flexible solution for identifying and dropping unwanted SMS
messages.

THE CISCO SMS SPAM AND FRAUD PREVENTION SOLUTION IMPROVES SUBSCRIBER SATISFACTION, HELPS
PREVENT FRAUDULENT BILLING, AND PROTECTS THE MOBILE SERVICE PROVIDER’S SIGNALING NETWORK
FROM FLOODING.

EXECUTIVE SUMMARY
SMS has become the next frontier for direct marketers, drawn to a potential market of 1.5 billion mobile services subscribers. In Europe, 18
percent of marketing and advertising agencies offer SMS-based marketing (Empower Interactive, May 2004). Forrester Research estimates that
140 million European subscribers received SMS ads in 2004 and that 62 percent of European direct marketers will include SMS in their
marketing campaigns (Forrester, March 2004). Mobile operator networks are experiencing the impact: mobile marketing messages represent
approximately 10 percent of network traffic other than point-to-point traffic (Empower Interactive, May 2004).

Controlling SMS spam is important to mobile operators for two reasons. One is that spam irritates subscribers, contributing to churn. Giga
Research reports that 60 percent of spam recipients found spam annoying, and 28 percent regarded it as an unacceptable invasion of privacy.
During the first six months of 2003 in the United Kingdom alone, the Independent Committee for the Supervision of Standards of Telephone
Information Services (ICSTIS) managed 3500 SMS-related spam complaints (Giga Research, 2003). The other reason for controlling spam is to
avoid revenue forfeiture. In fraudulent SMS schemes, the sender emulates the identity of another subscriber or that of a valid SMS center, which
relays and manages short messages. When this occurs the mobile operator receives no termination fee for sending the message. If the sender
spoofs a subscriber address, resulting in unwarranted charges on the subscriber’s monthly bill, subscriber satisfaction plummets. Furthermore,
high volumes of fraudulent SMS can degrade the performance of the signaling network, and in extreme cases bring it down.

Cisco Systems® offers a proven solution to these problems, called the Cisco® SMS Spam and Fraud Prevention solution. Mobile operators
deploy it on their signaling network, where it intercepts SMS messages, applies filters to identify spam, and drops offending messages.
Uniquely, the solution can identify likely spam messages as they are being sent, based on repetitive content and volume, and can temporarily
apply rules to block this traffic until a human operator can intervene.

The Cisco SMS Spam and Fraud Prevention solution is part of Cisco IP Transfer Point, a solution for transporting Signaling System 7 (SS7)
traffic over IP networks. As the leading next-generation signaling platform, the Cisco IP Transfer Point allows service providers to efficiently
transport SS7 traffic by offloading the traffic from the traditional Signaling Transfer Point (STP) network to an SS7 over IP network. The
Cisco IP Transfer Point also positions the mobile operator for enhanced return on investment (ROI) and profits by providing the infrastructure
for IP-enabled service control points (SCPs) and revenue-generating IP services. Entry-level through high-end platforms are available. The
Cisco IP Transfer Point provides enhanced scalability to the network, reduces operating costs, facilitates IP-based application access to SS7
networks, and in many cases adds more sophisticated network management and control than available with traditional SS7 networks.

Cisco Systems, Inc.

All contents are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 1 of 6
This paper describes the rising threat of spam for mobile operator networks, how the Cisco SMS Spam and Fraud Prevention solution works,
and its business benefits.

BUSINESS RISK OF SMS SPAM AND FRAUD

Types of Spam and Fraudulent SMS

Some bulk SMS messages are sent by legitimate subscribers. The SMS spam originates in the local mobile operator network and the sender pays
the mobile operator a termination fee, generally under a bulk contract. Most senders of this type of spam are other mobile operators, with
retailers trailing far behind in second place, followed by financial firms and manufacturers (Giga Research). The risk of this “legitimate” spam is
subscriber annoyance, which contributes to subscriber churn. Mobile operators can increase subscriber satisfaction and reduce churn by offering
granular SMS spam-prevention services. Other types of SMS messages are fraudulent, sent by individuals who assume a false identity to avoid
paying a termination fee.

Most of these schemes are similar: The subscriber receives a message to call or send a text message to a premium-rate number—for example, to
find out if he or she has won a prize (Figure 1). Children are often specifically targeted. These attacks not only annoy subscribers, they cause
revenue forfeiture for the mobile operator, which cannot bill for message termination. Worse, huge volumes of SMS messages in a short period
of time can take down the signaling network, causing the bearer network to refuse calls and connections. Table 1 summarizes the risks of SMS-
based attacks to mobile operators.

Figure 1
Typical SMS Spam Scheme

Cisco Systems, Inc.

All contents are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 2 of 6
Table 1. Types of Fraudulent SMS-Based Schemes and Their Risks

Type of Attack Source Risk to Mobile Operator

Spamming Content provider that has a regular service Home operator can be accused of spam relay by subscribers or by
agreement with the home operator other operators with which the home operator has a roaming
agreement
Flooding Content provider connected to a foreign network’s Home operator incurs relay operator costs and cannot collect
SMS-Center termination fees
Faking Hacker engine that simulates regular SMS-Center Home operator cannot collect termination fees
behavior
Spoofing Pirate engine that simulates mobile devices in a Subscriber whose Mobile Subscriber ISDN (MSISDN) identity is
roaming situation assumed will be unduly charged, leading to serious billing issues

Service Opportunity
Business incentives for deploying an SMS spam and fraud prevention solution include:

• Shielding subscribers from an annoyance that might cause churn

• Protecting young or gullible subscribers from expensive and fraudulent offers

• Protecting the network from the effects of spam-generating viruses, which can include widespread billing errors that annoy subscribers and
require many personnel hours to correct

• Preventing volume spikes that can degrade signaling-network performance and possibly render the bearer network useless

To achieve these goals, mobile operators need a flexible solution that can stop unwanted SMS messages and accept legitimate SMS messages.
The solution needs the intelligence to recognize potential spam in real time and temporarily stop it until the operations staff can confirm that the
messages are, indeed, unwanted spam.

CISCO SMS SPAM AND FRAUD PREVENTION SOLUTION

Real-Time Screening
Cisco offers a next-generation signaling solution that allows mobile operators to shield their subscriber base and internal operations from SMS-
based spamming and other fraudulent activity. The Cisco SMS Spam and Fraud Prevention solution, which resides on the mobile operator’s
signaling network, screens SMS messages in real time. It includes two primary components: the Cisco IP Transfer Point and the Ferma SMS
Anti-Spam Screening (SAS) platform from Ferma, a member of the Cisco Service Provider Solutions Ecosystem Program. The solution works
as follows:

1. The Cisco IP Transfer Point intercepts SMS traffic and routes it to the Ferma SAS platform. Traffic other than SMS is passed along
without interference (Figure 2).

2. The Ferma SAS platform filters the message to see if it matches the mobile operator’s white lists or black lists, which are based on the
sender’s SMS-Center address, keywords, or other parameters.

3. Messages that do not match the black-list filters or that match the white-list filters are passed through to the destination.

4. Messages that match the black-list filters are stopped and not delivered to the destination mobile device. The message sender can
receive either a positive or negative acknowledgement, depending on how transparent the mobile operator wants its service to be,
because sending a negative acknowledgement alerts the sender that the mobile operator has identified the message as spam.

Cisco Systems, Inc.

All contents are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 3 of 6
Figure 2
Intercepting and Filtering SMS Messages

Filtering Rules
The mobile operator uses a Web-based interface to define filtering rules that can include:

• White lists of allowed senders.

• Black lists of blocked senders.

• SMS-Center address.

• Time-limited rules that apply for a specified period, such as: All messages coming from a specific SMS-Center will be accepted until the end
of March 2005.

• Quota-based rules, such as: Only 250,000 SMS messages will be accepted from a particular SMS-Center, and the remaining will be blocked.
This type of rule is useful for enforcing SMS termination policies between operators or with content aggregators.

• Originating address.

• Content analysis such as keyword search.

• Heuristic analysis, or looking for repetitive occurrences within a period of time, based on SMS headers and contents.

Heuristic Analysis, or Self-Learning

Unlike other signaling solutions, the Cisco SSFP solution can identify potential spam in real time, even if the message does not match
predefined filters. To accomplish real-time spam detection, the Ferma SAS platform analyzes messages flows to detect repetitive content sent
during a timeframe that the mobile operator specifies. When this occurs, the platform sends an alarm to the operations department, for human
intervention, and can apply a temporary filter while the operator decides how to respond. The alert contains the SMS-Center originating source
as well as the content of the suspect message.

Service Benefits to Mobile Operators

By deploying the Cisco SMS Spam and Fraud Prevention solution, mobile operators:

• Increase subscriber satisfaction and loyalty

• Secure Home Location and Visitor Registers (HLR/VLR)

• Reduce traffic on the Radio Access Network (RAN)

• Help ensure compliance with government laws and regulatory commission requirements

• Differentiate their SMS service to attract roamers

Cisco Systems, Inc.

All contents are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 4 of 6
WHY CISCO
The Cisco SMS Spam and Fraud Prevention solution offers unique advantages not available from other spam-filtering solutions.

Economics That Support High-Volume Messaging Applications

A typical Cisco ITP deployment costs less than half of traditional, time-division multiplexing (TDM)-based signaling transfer point (STP)
solutions, and generates ongoing cost savings of 75 to 80 percent because of the cost advantages of IP, which include lower capital expense and
faster introduction of new applications and services. Operational expense drops, as well, because the mobile operator can eliminate leased lines
and reduce software maintenance and upgrade costs. This dramatic shift in economics enables more bursty messaging applications, such as
event televoting, a new source of revenue used for the Big Brother telecast in the United Kingdom and American Idol in the United States.
These events require infrastructure that reliably and cost-effectively manage the sudden and high burst of traffic created by the participation of
nearly 10 percent of an operator’s subscriber base. The Cisco ITP meets these requirements, accelerating return on investment (ROI) from years
to months.

High Availability for SMS

The high capacity of the Cisco ITP helps ensure availability for general SMS, which provides the highest revenue-per-bit of any service in the
mobile operator’s portfolio. Providing reliable service to subscribers strengthens subscriber loyalty and helps mitigate churn.

Proven Performance
In use by more than 50 mobile operators worldwide, the Cisco ITP commands more than 35 percent market share for SS7-over-IP signaling.
Mobile operators can be confident about deploying a solution that builds on the Cisco core competency in high-performance, highly available
IP routing as well as its expertise in building large-scale, carrier-class, packet networks.

Comprehensive Programs
Through Cisco Advanced Services, mobile operators gain access to certified experts’ in-depth technical knowledge, specialized tools and
methodologies, industry-leading research labs, and a network of certified partners to help ensure the delivery of high-quality mobile wireless
services. Cisco consultants and engineers help minimize the risk to valuable business assets by working with the mobile operator to plan,
design, implement, operate, and optimize mobile wireless networking solutions. Contact your Cisco representative to find out more about how
Cisco Advanced Services experts can help improve staff productivity, and help reduce the total cost of ownership for your network.

CONCLUSION
As SMS continues to grow in popularity, the need for an effective SMS spam and fraud prevention solution is escalating. With its flexible rules
and self-learning capabilities, the Cisco SMS Spam and Fraud Prevention solution puts the mobile operator and, ultimately, the subscriber in
control of which SMS messages to allow or drop.

For more information on SMS spam and fraud prevention, visit: www.cisco.com/go/mobile

For more information on the Cisco IP Transfer Point, visit: http://www.cisco.com/en/US/products/sw/wirelssw/ps1862/index.html

Cisco Systems, Inc.

All contents are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 5 of 6
Corporate Headquarters European Headquarters Americas Headquarters Asia Pacific Headquarters
Cisco Systems, Inc. Cisco Systems International BV Cisco Systems, Inc. Cisco Systems, Inc.
170 West Tasman Drive Haarlerbergpark 170 West Tasman Drive 168 Robinson Road
San Jose, CA 95134-1706 Haarlerbergweg 13-19 San Jose, CA 95134-1706 #28-01 Capital Tower
USA 1101 CH Amsterdam USA Singapore 068912
www.cisco.com The Netherlands www.cisco.com www.cisco.com
Tel: 408 526-4000 www-europe.cisco.com Tel: 408 526-7660 Tel: +65 6317 7777
800 553-NETS (6387) Tel: 31 0 20 357 1000 Fax: 408 527-0883 Fax: +65 6317 7799
Fax: 408 526-4100 Fax: 31 0 20 357 1100

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on
the Cisco Website at www.cisco.com/go/offices.

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica
Croatia • Cyprus • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR
Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico
The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia
Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan
Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

All contents are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks or trademarks of
Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0502R) RK/LW8095 03/05

Printed in the USA Cisco Systems, Inc.

All contents are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 6 of 6