
Blocking of SMS Spam and Fraud

White Paper

Document: WPSMSWBV2.1
Issue date: 31MAY2004
Author: Walter Buehler, Senior Product Manager

Issued by:

Nexus Telecom AG, Switzerland

We work to improve your network

Blocking of SMS Spam and Fraud White Paper

Abstract
The problem of SMS Spam and fraud is growing fast and is starting to jeopardize mobile messaging, a very lucrative market for wireless network operators. This fact is emphasized by different publications; some state SMS Spam is one of the biggest threats to the revenue potential of messaging services. This White Paper describes several fraud and spamming cases and what can be done against them.

Nexus Telecom, Switzerland

May 2004

Page 2 of 18


Table of Contents
ABSTRACT
TABLE OF CONTENTS
INTRODUCTION
    Motivation
    The Technology behind SMS
THE THREE CASES
    SMS Spamming/Flooding Case
        Impact on the network operator
        How to avoid it
    The Faked SMS Case
        Impact on the network operator
        How to avoid it
    SMS Spoofing Case
        Impact on the network operator
        How to avoid it
SOLUTION DESCRIPTION
    SMS Spam and Fraud Detection Application
        For the SMS Spamming/Flooding Case
        For the Faked SMS Case
        SMS Spoofing Case
    About NexusNETVIEW Signaling Surveillance System
ABBREVIATIONS
ABOUT NEXUS TELECOM


Introduction
Motivation
Network operators have a high interest in avoiding SMS Spam. Not only does SMS Spam by nature generate high traffic, potentially flooding network elements or the whole network, but end-users are rather helpless in controlling the SMS Spam problem. Unlike with e-mail, "spammed" end-users cannot take any counter-measures against the increasing number of unwanted SMS. Thus it is up to the network operator to help block unsolicited SMS. If the operator cannot do so, he has to expect churn. Another issue closely related to SMS Spam is SMS fraud, which has a direct impact on the revenue stream of the network operator.


The Technology behind SMS


Figure 1 shows two GSM networks and the components relevant for delivering an SMS from end-user A to end-user B. In general, the following message flow exists:

1. SMS is sent via MSC/VLR to SMS-C in PLMN A. This is a MAP "Forward SM" message, including the source MSISDN A and the destination MSISDN B.
2. Since the end-user B is in the PLMN B, the SMS-C has to get the routing information from the HLR of the PLMN B. To do so, it sends a MAP "Send Routing Info for SM" with the MSISDN B number.
3. The HLR then sends back the IMSI of end-user B and its VLR.
4. The SMS-C delivers the SMS as a MAP message via the MSC/VLR to the end-user B.

Figure 1: Network Layout and SMS-related Message Flow


The Three Cases


SMS Spamming/Flooding Case
From the viewpoint of an end-user any single SMS could be an unwanted and annoying SMS Spam. In single instances, no system can protect itself. But normally SMS Spamming is not just a single event message to one subscriber, but a large amount of SMS to multiple subscribers. In the extreme these multiple SMS pose the danger of overloading the network. This is called SMS Flooding and is defined as a massive load of SMS to one or several destinations, independent of whether these SMS are valid or invalid.

Figure 2: SMS Spam/Flooding Case

Impact on the network operator


SMS Spamming is one reason for churn, which is why blocking SMS Spam is increasingly becoming a competitive advantage for an operator.


SMS Flooding can temporarily overload parts of the wireless network and hinder delivery of other SMS. In rare cases, it can block other network components and cause outages.

How to avoid it
SMS Flooding can be detected by supervising SMS traffic and checking by source, and in rarer cases by destination, to determine whether it is above an expected level. If this is so, then the source address should be blocked. Another clear identification of SMS Spam and Flooding is the fact that the high load of traffic is generated by SMS with the same content. Therefore it is recommended to check not only for abnormal traffic profiles from a certain source or destination, but also for repetitive content.
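The two checks recommended above (traffic level per source and repetitive content) can be combined in one sliding-window profile. The following is an added example, not code from the white paper or from NexusNETVIEW; the window length, thresholds, source labels and sample records are constructed assumptions.

```python
import hashlib
from collections import defaultdict, deque

class FloodDetector:
    """Per-source sliding-window profile with volume and repeated-content thresholds."""

    def __init__(self, window_s=60, volume_threshold=5, repeat_threshold=3):
        self.window_s = window_s
        self.volume_threshold = volume_threshold
        self.repeat_threshold = repeat_threshold
        self.profiles = defaultdict(deque)  # source -> deque of (timestamp, content digest)

    @staticmethod
    def _digest(text):
        # Normalise case and whitespace so trivially varied copies hash alike.
        return hashlib.sha256(" ".join(text.lower().split()).encode()).hexdigest()

    def observe(self, ts, source, text):
        """Record one SMS and return the alarm reasons it triggers (may be empty)."""
        digest = self._digest(text)
        window = self.profiles[source]
        window.append((ts, digest))
        while window[0][0] <= ts - self.window_s:  # drop events older than the window
            window.popleft()
        reasons = []
        if len(window) >= self.volume_threshold:
            reasons.append("volume")
        if sum(1 for _, d in window if d == digest) >= self.repeat_threshold:
            reasons.append("repetitive-content")
        return reasons

def sources_to_block(records, **thresholds):
    """Return {source: set(reasons)} for every source that reached a threshold."""
    detector = FloodDetector(**thresholds)
    flagged = {}
    for ts, source, text in sorted(records, key=lambda r: r[0]):
        for reason in detector.observe(ts, source, text):
            flagged.setdefault(source, set()).add(reason)
    return flagged

# Constructed sample records: (seconds, source SMS-C label, message text).
SAMPLE = (
    [(t, "smsc-foreign-1", "WIN a prize, call now") for t in range(0, 30, 5)]
    + [(10, "smsc-foreign-2", "Running late"), (400, "smsc-foreign-2", "See you at 8")]
    + [(100, "smsc-foreign-3", "Cheap loans!"), (110, "smsc-foreign-3", "cheap  LOANS!"),
       (120, "smsc-foreign-3", "Cheap loans!")]
    + [(t, "smsc-foreign-4", f"status report {t}") for t in range(0, 600, 120)]
)

if __name__ == "__main__":
    for source, reasons in sources_to_block(SAMPLE).items():
        print(source, sorted(reasons))
```

A source that sends the same number of messages spread over a longer period (smsc-foreign-4 in the sample) stays below both thresholds because old events leave the window.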


The Faked SMS Case


The Faked SMS have manipulated SCCP or MAP addresses. The source address of the SMS pretends that these are sent from another network (in Figure 3 from PLMN A). To do so, it has to know the end-users' IMSI, otherwise an HLR interaction has to take place. In this case the Fake SMS Source has to use his own real SCCP and MAP SMS-C address. If the VLR is unknown, the source has to send the SMS to every VLR in the network, which together with the false IMSI addresses can generate a heavy load in the network equal to SMS Flooding.

Figure 3: Faked SMS Case

Impact on the network operator


Faked SMS lead to wrong interconnection billing. For example, if the SCCP and MAP addresses are wrong, PLMN B will not be paid for the delivery of these SMS. And, of course, Faked SMS may be the reason for SMS Flooding with overload in the network.

How to avoid it
The first defense line is at the SS7 carrier, which should screen all direct SS7 links to determine that SCCP addresses match the connected operators. If the SCCP address does not match, the message is fake and has to be deleted.

The second defense line is at the operator of the PLMN B. It can detect:
- Transaction address mismatch
- "Unusual" originating SCCP addresses
- Unknown IMSI messages ("unknown subscriber")
- Unexpected high number of messages from an often unknown source, possibly with the same content.

If this is the case then the source address should be blocked.

The third defense line is at the operator of the PLMN A, which should match the SMS sent and the TCAP responses from the VLR. If there is a clear mismatch, it is known that somebody is misusing his identity, although the operator cannot influence the delivery of the faked SMS as it occurs.
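The first two defense lines can be sketched as checks over monitored message records. This is an added example, not code from the white paper or from NexusNETVIEW; the record fields, link names, global-title prefixes and the limit are constructed, and "transaction address mismatch" is modelled here, as an assumption, as the SCCP calling address and the MAP SMS-C address belonging to different operators.

```python
from collections import Counter

# Constructed table: global-title prefixes each directly connected operator may use.
LINK_PREFIXES = {"link-plmn-a": ("4179",), "link-plmn-c": ("4917",)}

def operator_of(address):
    """Map an address to the operator link whose prefix it carries, or None."""
    for link, prefixes in LINK_PREFIXES.items():
        if address.startswith(prefixes):
            return link
    return None

def screen(msg):
    """Return the findings for one monitored MT 'Forward SM' record."""
    findings = []
    allowed = LINK_PREFIXES.get(msg["link"], ())
    # Carrier check: the SCCP calling address must belong to the operator on this link.
    if not msg["sccp_calling"].startswith(allowed):
        findings.append("sccp-link-mismatch")
    # Operator check: SCCP and MAP layers should name the same operator.
    if operator_of(msg["sccp_calling"]) != operator_of(msg["map_smsc"]):
        findings.append("sccp-map-mismatch")
    return findings

def analyse(messages, unknown_imsi_limit=3):
    """Return {source address: sorted findings} for sources that should be blocked."""
    per_source, unknown = {}, Counter()
    for m in messages:
        src = m["sccp_calling"]
        found = per_source.setdefault(src, set())
        found.update(screen(m))
        if m["result"] == "unknown_subscriber":
            unknown[src] += 1
            if unknown[src] >= unknown_imsi_limit:
                found.add("unknown-imsi-burst")
    return {s: sorted(f) for s, f in per_source.items() if f}

# Constructed sample records.
SAMPLE = [
    {"link": "link-plmn-a", "sccp_calling": "41791110001",
     "map_smsc": "41791110001", "result": "delivered"},
    {"link": "link-plmn-c", "sccp_calling": "41792220002",
     "map_smsc": "49173330003", "result": "delivered"},
] + [
    {"link": "link-plmn-c", "sccp_calling": "49174440004",
     "map_smsc": "49174440004", "result": "unknown_subscriber"}
    for _ in range(3)
]

if __name__ == "__main__":
    for source, findings in analyse(SAMPLE).items():
        print(source, findings)
```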


SMS Spoofing Case


The SMS sent to the SMS-C have a manipulated originating MSISDN A number. One example is shown in Figure 4, where the "SMS Spoofing Source" simulates a roaming end-user from PLMN A, sending an SMS to a foreign end-user in PLMN B. The "SMS Spoofing Source" is a specific system with an SS7 application. It uses real or wrong MSISDN A numbers, originating VLR and/or SCCP addresses.

Figure 4: SMS Spoofing Case

Impact on the network operator


The main issue for the operator of PLMN A is revenue loss: the roaming end-user cannot be billed when a wrong MSISDN number is used, yet the operator of PLMN A still has to pay the operator of the PLMN B for the delivery of the SMS. SMS Flooding could be another problem the network operator faces.


How to avoid it
The MSISDN number should be checked to determine that it is a real one, and the VLR location should be checked against the entry in the HLR. If one or both are identified as wrong, the message should not be sent. For an independent monitoring system, SMS Spoofing is a typical fraud case. Such a system checks for high-usage MSISDN numbers and creates an alarm if the usage is above a certain limit.
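The checks above, applied to a stream of events, look as follows. This is an added example, not code from the white paper or from NexusNETVIEW; the event format, the provisioned numbers, the VLR labels and the usage limit are constructed, and the HLR's current VLR entry is assumed to be learned from location-update events seen before each submission.

```python
from collections import Counter

def screen_submissions(events, provisioned, usage_limit=3):
    """Screen SMS submissions against HLR state; return (decisions, usage alarms).

    events: iterable of (kind, msisdn, vlr) with kind "location-update" or "sms".
    provisioned: set of MSISDN numbers that really exist in the HLR.
    """
    hlr_vlr = {}       # MSISDN -> VLR currently registered in the HLR
    usage = Counter()  # SMS submissions seen per originating MSISDN
    decisions, alarms = [], set()
    for kind, msisdn, vlr in events:
        if kind == "location-update":
            if msisdn in provisioned:
                hlr_vlr[msisdn] = vlr
            continue
        usage[msisdn] += 1
        if usage[msisdn] > usage_limit:       # high-usage alarm for the monitoring system
            alarms.add(msisdn)
        if msisdn not in provisioned:         # MSISDN is not a real one
            decisions.append((msisdn, "reject", "unknown-msisdn"))
        elif hlr_vlr.get(msisdn) != vlr:      # claimed VLR differs from the HLR entry
            decisions.append((msisdn, "reject", "vlr-mismatch"))
        else:
            decisions.append((msisdn, "forward", "ok"))
    return decisions, alarms

# Constructed sample data.
PROVISIONED = {"41791110001", "41791110002"}
EVENTS = [
    ("location-update", "41791110001", "vlr-home-1"),
    ("location-update", "41791110002", "vlr-roam-7"),
    ("sms", "41791110002", "vlr-roam-7"),              # genuine roamer
    ("sms", "41791110001", "vlr-roam-7"),              # HLR says vlr-home-1
    ("sms", "41790000000", "vlr-roam-7"),              # number does not exist
    ("location-update", "41791110001", "vlr-roam-7"),  # subscriber now really roams
    ("sms", "41791110001", "vlr-roam-7"),
] + [("sms", "41791110002", "vlr-roam-7")] * 3          # pushes usage above the limit

if __name__ == "__main__":
    decisions, alarms = screen_submissions(EVENTS, PROVISIONED)
    for d in decisions:
        print(d)
    print("usage alarms:", sorted(alarms))
```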


Solution Description
SMS Spam and Fraud Detection Application
The NexusNETVIEW Signaling Surveillance System meets all major technical and operational requirements in PSTN and GSM networks. Its Fraud Detection application is used to detect fraudulent behavior of end-users. It is designed for very high numbers of calls. This is a solid base for the SMS Spam and Fraud Detection application, because this type of fraud requires the highest performance.

Figure 5: NexusNETVIEW Configuration

For Blocking SMS Spam & Fraud, the NexusNETVIEW monitors two points in the wireless network:
- International MAP gateway
- MAP interface


NexusNETVIEW detects different SMS SPAM and Fraud patterns and generates an on-line alarm to let the network act accordingly.

For the SMS Spamming/Flooding Case


NexusNETVIEW detects SMS Spamming/Flooding by supervising the SMS traffic and checking for a high number of SMS from or to foreign SMS-C in short time intervals. NexusNETVIEW holds profiles per source/destination and creates an alarm event in case a user-defined threshold level is reached. In addition, the system can check SMS for repetitive content from the same source and feed it to the threshold alarm manager. If any one threshold is met, NexusNETVIEW generates an alarm with information about the SMS source address that has to be blocked.

For the Faked SMS Case


First, NexusNETVIEW can be used by an SS7 carrier. The system screens all SS7 links to determine that the SCCP addresses match the connected operators. If the SCCP address in a message does not match, it is faked and has to be deleted. NexusNETVIEW is able to generate an alarm on an SCCP address mismatch.

NexusNETVIEW monitors MAP and TCAP messages at the border of the network of a wireless network operator. Therefore it can detect:
- Transaction address mismatch, which is an indication of wrong SCCP addresses;
- "Unusual" originating SCCP addresses, using the profiling mechanism;
- Unknown IMSI messages ("unknown subscriber"); and
- An unexpected high number of messages from an often unknown source, possibly with the same content.

If detected, NexusNETVIEW generates an alarm with the information about the source address that should be blocked.

SMS Spoofing Case


NexusNETVIEW will check for high usage of MSISDN numbers in SMS. This is an indication of SMS Spam or spoofing. It creates an alarm if the usage is above a certain limit.


About NexusNETVIEW Signaling Surveillance System


NexusNETVIEW is the most powerful signaling surveillance system for GSM, GPRS, UMTS and VoIP available today. On-site data acquisition devices collect the raw signaling and user data. The acquired and pre-processed information is transferred to the central application server located in the NMC. Local and remote users can access and make use of the various applications according to their specific tasks. The following applications are at the user's disposal:

- Network and call status supervision for help desk and NMC
    o Pro-active overview (Network Health Monitoring)
    o Real-time call traces
    o Off-line call traces on historical data
- Performance and QoS Reporting according to ITU-T Q.752/E.422 for NMC and the quality department:
    o Performance measurements for network planning and quality reporting
    o On-line network health and status surveillance
    o Threshold alarm management
    o Alarm management via Q3 or SNMP interface (optional)
    o Call tracing
    o Protocol analysis
- NMC network operation and trouble-shooting
- Destination and origin-oriented on-line traffic management
- Fraud detection
- Inter-carrier accounting
- Welcome SMS

Major strengths of the NexusNETVIEW Signaling Surveillance System:

- Highly scaleable, modular system architecture built up with standard system hardware and software components, standard networking interfaces and protocols.
- Ready for extended applications such as performance and QoS reporting according to the recommendations of the Telecommunication Management Forum.
- Compact high-performance probes with mass storage for up to 30 days full rollback on all raw data of the entire SS7 signaling traffic and call detail records (up to 60 days CDR storage optional).


- X.700 Manager/Agent model for maximum performance over LAN/WAN and for X.733 alarm management via the optional Q3 alarm interface. SNMP integrations are also supported.
- Ready for future applications such as VoIP QoS testing, connectionless traffic accounting and billing, UMTS support and configuration management.

To learn more about NexusNETVIEW, please visit: http://www.NexusNETVIEW.com


Abbreviations
BSS       Base Station Subsystem
CDR       Call Data Record
GERAN     GSM EDGE Radio Access Network
GPRS      General Packet Radio Service
GSM       Global System for Mobile Communication
HLR       Home Location Register
IGP       Interior Gateway Protocol
IMSI      International Mobile Subscriber Identity
IP        Internet Protocol
LAN       Local Area Network
MAP       Mobile Application Part
MSC/VLR   Mobile Switching Center / Visitor Location Register
MSISDN    Mobile Subscriber ISDN Number
MSU       Message Signaling Unit
NMC       Network Management Center
OSS       Operations Support System
PLMN      Public Land Mobile Network
PSTN      Public Switched Telecom Network
QoS       Quality of Service
SCCP      Signaling Connection Control Part
SMS       Short Message Service
SMS-C     SMS Center
SNMP      Simple Network Management Protocol
SS7       Signaling System Number 7
STP       Signaling Transfer Point
TCAP      Transaction Capability Application Part
TCP/IP    Transmission Control Protocol / Internet Protocol
UMTS      Universal Mobile Telecommunications System
VoIP      Voice over IP
WAN       Wide Area Network


About Nexus Telecom


Founded in 1994, Nexus Telecom (www.nexustelecom.com) is a privately-held company with headquarters in Zurich, Switzerland and a North American subsidiary in Ottawa, Canada. With over 200 employees, Nexus Telecom is a major OSS/BSS vendor delivering sophisticated state-of-the-art telecom management solutions to 2G, 3G, NGN and VoIP service providers and network operators worldwide. Nexus Telecom specializes in Service Assurance, Revenue Assurance and Network/Service Testing solutions, supporting the most recently developed technologies and standards. Nexus Telecom's fast time-to-market strategy is to gain early in-depth know-how about upcoming network technologies through strong development partnerships with leading network manufacturers such as Siemens, Lucent, Nortel, Nokia, and Ericsson, to name a few. With solutions deployed in over 100 countries, Nexus Telecom's installed customer base spans the globe, assuring service quality and revenue streams for many of the world's best-known telecom operators. For small and large service providers alike, including the world's largest GSM/UMTS network operated by T-Mobile, the highly scalable and modular E2E solutions from Nexus Telecom maximize the service provider's competitive edge through excellent ROI, quick and smooth launch of new services, and greatly increased end-customer satisfaction. Nexus Telecom is certified according to the ISO 9001 Quality and Management Standards.

Figure: Nexus Telecom Zurich Headquarters


Nexus Telecom AG, CH-8048 Zurich, Switzerland

This document and all the information contained herein is subject to change without notice and should not be construed as a commitment by Nexus Telecom. Although we believe the contents of this document to be accurate, Nexus Telecom assumes no responsibility for any errors that may occur in this document.

Nexus Telecom, and all Nexus Logos are trademarks of Nexus Telecom AG. All other trademarks are acknowledged and are the property of their respective owners.

Visit our website at www.nexustelecom.com

Nexus Telecom AG, System Solutions
Feldbachstrasse 80, P.O. Box 215, CH-8634 Hombrechtikon, Switzerland
Tel. +41 55 254 5111, Fax +41 55 254 5112

Nexus Telecom AG, Wireless Network Systems
Muertschenstrasse 27, P.O. Box 1413, CH-8048 Zurich, Switzerland
Tel. +41 44 355 6611, Fax +41 44 355 6612

Nexus Telecom (Americas) Inc. (NA and CALA)
1101 Prince of Wales Drive, Suite 100, Ottawa, Ontario, Canada K2C 3W7
Tel. +1 613 224 2637, Fax +1 613 224 2761

E-mail: sales@nexustelecom.com, help@nexustelecom.com, support@nexustelecom.com, americas@nexustelecom.com
