Spam over SIP. Sebastian Domancich. Helsinki University of Technology, Finland

Transcription

1 Spam over SIP Sebastian Domancich Helsinki University of Technology, Finland Abstract. This work presents an analysis of spam over SIP-based protocols. Firstly, we depict the different types of spam over SIP. Thereafter, we analyze a set of anti-spam techniques, considering their convenience in each protocol. Finally, we propose a framework for dealing with spam over SIP, which can be very useful in order to diminish the overall SIP spam in Internet. KEYWORDS: SIP, spam, SPIT, SPIM, SPPP, VoIP, Framework 1 Introduction Spam, which can be described as the series of bulk, unsolicited messages, started as an ingenious marketing tool in the 90s, and nowadays comprises around 90% of all inbound s, according to a recent survey carried out by the security vendor Symantec [15]. Spam gave rise to a more harmful way of fraud called Phishing, where a victim is deceived into accessing a forged web site and provides an attacker with sensitive data, like passwords and PIN codes from credit cards. These two annoying activities have became ubiquitous in systems. In the last years, communication systems based on Session Initiation Protocol (SIP) [11] have became very popular. Not only voice can be used to communicate between users, but also video, instant messages and presence. Because of that, it is expectable that spammers may try to use this technology for their benefit in the near future, possibly endangering the adoption of SIP based systems by the Internet community. Considerable research has been carried out in this field. Quinten [7] has analyzed the possible attacks to SIP, but only for Voice over IP (VoIP) systems. Sperotto [14] has described a comprehensive method for dealing with spam over IP, but focusing merely on a specific solution at the network level. In this paper, we present a wide overview of different methods to deal with spam over all the protocols that utilize SIP to carry out the communication. The remainder of the paper is organized as follows. Sec. 2 describes the different types of spam that can be identified based on the uses of SIP. Sec. 3 depicts the possible solutions for spam in SIP and its applicability to each SIPbased technology. Sec. 4 discusses a proposed framework to deal with unsolicited bulk messages. Sec. 5 depicts an analysis of the applicability of the introduced techniques. Finally, Sec. 6 provides the conclusion of the presented work, and proposes future directions of research.

2 2 Background In this section we introduce the different types of spam that can occur when SIP is used to start a multimedia session. In addition, we explain the characteristics that make SIP an easy target for spammers. 2.1 Types of Spam over SIP SIP can be utilized as the basis to establish different multimedia services like voice, instant messaging, video and presence. Because of that, several types of spam based on SIP can be identified [10]. Call Spam (SPIT): Call Spam, also known as Spam over IP Telephony (SPIT), is defined as a series of bulk, unsolicited attempts to initiate a session, for example, by sending INVITE requests, with the purpose of starting up a VoIP call [10]. It is considered to be analogous to popular telemarketing practices in the traditional public circuit-switched network (PSTN). IM Spam (SPIM): IM Spam, also known as Spam Over Instant Messaging (SPIM), is defined as a series of bulk, unsolicited series of instant messages. This practice shares many characteristics with traditional spam, but as the communication is carried out in real time, the annoyance caused is considered to be more noticeable. The most direct way of sending SPIM consists in making use of the MESSAGE method of SIP. However, it is worth noting that any means of sending unsolicited messages is considered SPIM. For example, there are other methods that make it possible for a spammer to send text to the user s display, like the INVITE request. According to the standard, it is even possible to send an INVITE request with HTML body embedded in it [10]. Presence Spam (SPPP): Presence spam, also known as Spam over Presence Protocol (SPPP), is defined as a series of bulk, unsolicited presence requests, with the objective of pypassing whitelisting mechanisms. An example of this kind of spam involves the mass sending of SUBSCRIBE requests to a victim. SPPP is similar to the traditional IM spam, and it can be dealt with in an analogous way, as explained in Sec Plausibility of Attacks in SIP-based Protocols SIP is a very flexible protocol that allows different types of communication between two or more parties. Unfortunately, this flexibility can also be used by spammers, in order to maximize their profits with this technology. [12] and[10] analyze the likelihood of success of Spam practices in the different SIP technologies introduced in Sec. 2.1.

3 Call Spam: An interesting comparison can be depicted among the cost and annoyance caused by telemarketing calls through the regular PSTN network, spam and SIP spam. Telemarketing calls are a well known practice nowadays. These kind of calls are considered more annoying than spam, but the frequency of occurrence is much lower than spam, because of the costs that the telemarketer has to undergo and the local legislation, that may be restrictive regarding this activity. In general terms, the equipment necessary to carry out telemarketing calls is expensive, and the per call price is considerable as well. However both characteristics that make telemarketing calls a not widely deployed advertisement scheme, are drastically reduced in SIP. For example, a system for making several unsolicited bulk calls at the same time is very easy to deploy, as opposed to regular telemarketing, where specific equipment has to be purchased. In addition, recent studies conclude that the per call price of a SPIT call is 3 to 4 orders of magnitude cheaper than traditional telemarketers calls, if we consider call attempt rate, and the number of simultaneous successful calls [8]. It is worth noting that the price reduction is even more noticeable while making international calls. These scheme is not feasible in traditional telemarketing because of the prohibitive cost per call. However, SIP virtually erases these kinds of limits, allowing anyone to call to any address (called URI in SIP terminology). In case that the SIP call ends in the Public Switched Telephone Network (PSTN), the per call price is similar to traditional telemarketing, but as already mentioned, the set-up price is considerably smaller. A final comparison can be made among spam, SIP spam and telemarketing. On the one hand, it is well known that spam incurs in substantially low costs compared to regular telemarketing calls, as already discussed. On the other side, spam is less annoying than telemarketing, not only because of the non-real time nature of the communication, but also because of the wide availability of spam filtering techniques. However, the characteristics of SIP make it extremely attractive for call spammers. Firstly, it shares the low cost and ease of deployment of spam. In addition, it shares the intrusive behavior of telemarketing techniques, because the phone actually rings for every spam message. And to make it even more obtrusive, because of the lack of the global scope of SIP, the spam calls could eventually be received at unacceptable times during night [6]. IM Spam: IM Spam (SPIM) has similar costs to the ones associated with spam generation. Nonetheless, due to the real time nature of Instant Messaging, it can be considered as very intrusive, because instant messages will appear suddenly to the user. Fortunately, the wide extension of whitelists can protect users from this kind of spam. So eventually, the importance and harm caused by IM spam over SIP will be shifted to Presence spam, as explained next. Presence Spam: Presence spam, which was defined as the unsolicited creation of SUBSCRIBE messages, can grow considerably as long as SIP services adopt

4 the usage of whitelists. SIP protocol provides a package named watcherinfo, that allows users to learn the identity of a contact before making an authorization decision[9]. However, a spammer can make use of this mechanism in order to display spam to a client. This action can be carried out by sending the spam message in the SUBSCRIBE request, for example, by stating the originating client address as cheap.university.diplomas@contact-webpage.com 2.3 A Strong Identity Mechanism Many of the anti-spam procedures that will be explained in Sec. 3 become useless if the identity of the sender can be easily forged. In order for them to provide real protection against spam over SIP, a strong identity mechanism needs to be implemented across all the traversed domains by the SIP communication. The procedure involves two mandatory steps [10]. First of all, each user is authenticated by the domain to which she belongs. As part of the SIP specification, SIP contains an HTTP hashing authentication mechanism with this objective, that is widely deployed in current implementations. In order to make the authentication strong enough, a secure handshake needs to be carried out between User Agent (UA) and server, and this is achieved by means of a persistent TLS connection to the server. RFC 3261 defines a two way authentication mechanism between a UA and a server. Although it is not widely used nowadays, it is likely that it will be taken into account in future implementations, as soon as spam in SIP becomes a more relevant issue. The second step needed to obtain a strong identity scheme involves interdomain authentication. In order to achieve this, the local server (that has already authenticated the user), when it needs to send a message to a user from another domain, includes the hash that corresponds to the identity of the sender. This mechanism, called SIP Identity Mechanism is explained in [5]. 3 Anti-SPAM Solutions in SIP In this section we introduce different techniques that can be used to deal with spam over SIP. Some of the proposed solutions were created to handle spam over , and their effectiveness in the SIP scenario is analyzed. In addition, other techniques specifically created for SIP are considered. In all the cases, we examine the applicability of these technologies for each kind of SIP communication (voice, instant messaging or presence). Anti-spam solutions can be sorted into different categories, according to their nature: content filtering technologies, identity based solutions, interactive methods and preventive solutions [12]. Fig. 1 shows this taxonomy, and each of the different solutions is explained in the upcoming sections. 3.1 Content Filtering Content filtering is the most popular way of dealing with spam. A spam filter analyzes the content of the message, and based on a set of rules, it can

5 Fig. 1. Taxonomy of anti-spam solutions identify whether a message is spam or not. Unfortunately, this technique cannot be relied as a way of dealing with voice spam, for two reasons: Firstly, in case the call is carried out in real time, when the spam filter analyzes the call, it is already too late, because the user has already picked up. Secondly, the content of a voice message is much more complex to analyze than a regular text message, requiring more resources like CPU and memory. It is expected that when this technology is mature enough, it will be a useful way of dealing with voice calls routed to the voic box. This technique could eventually be used to teach the software, and use the tool with a preventive approach, in conjunction with other techniques. Research is being carried out in this direction [3]. 3.2 Identity Based Anti-Spam Procedures In this kind of anti-spam solutions, the identity of the sender is checked, and the communication is either blocked or accepted, based on a set of policies. Three different types of identity based mechanisms exist: blacklists, whitelists and reputation based technologies. Identity based solutions have proved to be very helpful in instant messaging services, where a central authority is in charge of identifying users. However, it is not a good enough solution on its own for systems where identification is decentralized, like or SIP based communication systems. In those cases, identities can be easily forged, making the entire method useless. In order to make this approach useful for all kinds of SIP communication, a strong identity procedure needs to be carried out. Strong identity is one of the components of the framework for detecting spam over SIP, as explained in Sec. 4. Blacklists: A blacklist is an access control mechanism in which all senders are accepted, except from the ones that belong to the black list. This mechanism is one of the most common methods for dealing with spam. However, this approach has some limitations [4]. Firstly, addresses and SIP addresses

6 (URIs) are easy to forge. The deployment of a secure identity mechanism can help in this matter. Secondly, spammers can easily create new or SIP addresses, diminishing the effectiveness of this strategy. Whitelists: A whitelist is an access control mechanism that consists of a list of contacts that are allowed to communicate with the list owner. The default behavior for senders not in the list is to block the incoming messages. This method is an effective way of dealing with spam in Instant Messaging systems, where there is a centralized authentication scheme. Whitelists are vulnerable to address spoofing [10], but the implementation of a strong identity mechanism can help regarding this issue. Also, there must be a safe mechanism to solve the introductory problem, as discussed in Sec. 4. To sum up, a whitelist mechanism can be an important piece in a SIP antispam framework for all types of communication over SIP. However some obstacles like a way to introduce new contacts and the risk of identity theft must be handled. Reputation Systems: In a reputation system the trustworthiness of a sender is based on a reputation score, that can help a receiver to make a decision whether to add a user to a contacts list or not. This kind of procedure has proved to be successful in some centralized message based systems, like auction sites and other sites based on interactivity between users. The reputation is calculated based on the opinion of other users. In order for this scheme to succeed there is a need of a centralized resource system. This system would handle a strong identity mechanism, and also would be in charge of the reputation related tasks. Reputation systems, when applied to SIP communication, evidence similar drawbacks as blacklists. In addition to the need of a strong identity mechanism, as SIP identities are very easy to acquire, a spammer that obtains a negative reputation, would merely obtain a new ID. 3.3 Interactive Methods The interactive spam solutions are a set of procedures whose objective is to make spammers activity more complex, by adding some mandatory tasks before sending a message. This activities range from solving quizzes that only a human would be able to, paying money to send messages or having to resend a message after a specified period of time. Although these measures may sound proper to fight against many kinds of spam, in their purest way they are not considered a definite solution. Firstly, because by adding a delay time or a puzzle to be solved before a call is started up, not only a spammer will have a harder time to succeed on sending messages, but also the total amount of legal users will suffer from the same annoyance when trying to make legitimate calls. Secondly, the need for interaction in order to place a call will prevent automated spam messages from being carried out, but it will also prevent legitimate prerecorded calls to be preformed. Last but

7 Fig. 2. A modern CAPTCHA not least, it is worth noting that all the interactive solutions require that SIP User Agents (UA) implement the specified extensions, in order for the solution to be viable. Careful policy decisions have to be made for the cases where the SIP UA do not support the required extensions; otherwise big groups of legal users would be prevented from communicating with users that implement and require those extensions. Challenge-Response: Challenge-response approaches aim at imposing a test to the sender, that needs to be solved in order for her message to be correctly delivered. The most common challenge-response mechanism currently in use is the Turing test. A Turing test consists of a human asking a set of questions to another human and to a computer, with the objective of figuring out which one is the computer and which one is the human [16]. A CAPCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is based on the idea of Turing tests, but the test is carried out by a program instead of a human. This technique is widely used in Internet, for example to prevent comments spam in blogs, or to protect addresses from scrappers. Fig. 2 shows a modern CAPTCHA, where a line is added in order to make mechanical solving more difficult. In the context of SIP communication, this technique can be utilized in conjunction with whitelisting: if the user answers the CAPTCHA correctly, it is placed in the contacts list. This model has the following issues: 1. In order to make it work with Voice over SIP to avoid SPIT, Turing tests need to be adapted to voice. This task is currently an objective of research in the academia [13]. 2. Cheap labor can be used to solve the CAPTCHAs, as well as Internet users can be deceived to solve CAPTCHAs in order to access a specific content [10]. Consent-Based Methods: The consent based technique is a complement to the whitelist and blacklist approach, in order to deal with the introductory problem (as discussed in Sec. 4). It works as follows. The caller makes a call to a SIP address. In case the caller is not in the callee contact list, the call is initially rejected, and a request for consent is made to the callee, who can accept the user in its list, or reject access. This kind of system has been successfully deployed in Instant Messaging and Presence scenarios, where there is a centralized identity system and a single

8 administrative domain. Its implementation in SIP IM (to avoid SPIM) and SIP Presence (to avoid SPPP) can be more helpful if a correct authentication is carried out. Some concerns about this approach are: A strong identity mechanism needs to be carried out. Spammers can eventually use SIP URIs that are similar to trustworthy addresses to perform vishing attacks, i.e. obtaining sensitive information from victims via the VoIP services. Spammers can still send unsolicited bulk messages, by adding a message as part of the displayed name by the receiver; for example: university.diploma.without.studying@diploma.com Payment at Risk System: Jennings [12] proposes a payment at risk scheme to mitigate the harm caused by unsolicited communication. The idea is to increase the cost for starting up spam attempts. When a sender wants to establish a communication link with another SIP UA, and the sender does not belong to the recipient s white list, the callee rejects the call, and requests a certain payment in a specific server. The originator needs to connect to the payment server, make the payment, and after that, send the receipt to the callee, included in the SIP REQUEST. After that, the callee decides whether the call is spam or not, and in case of a legal call, it returns the money to the caller. This solution has a number of drawbacks. 1. Secure communication needs to be carried out between the caller, callee and payment server. This requirement clearly adds complexity to the solution. 2. Deciding a suitable price for payments is non-trivial, considering the difference in currency all around the world. If the payment is too expensive, the system will be unviable in poor countries. If the payment is too small, spammers may be willing to pay it in order to deliver their unsolicited messages and calls. 3. This payment system can eventually be abused to commit fraud. For example, a fraudster can advertise a free service, tempting many people to call in. The fraudster would consider all incoming calls as spam and keep the deposited payment. 4. The payment is supposed to be carried out only the first communication attempt with a specific callee. After that, if the caller is not considered as spammer, he will be accepted in the whitelist. Thus, a strong identity mechanism is advisable in this case. 5. Providers charge a cost for every transaction, so even in legal calls, there is a cost to be payed by users to keep the system working. 3.4 Preventive Solutions The previously described solutions have the objective of detecting a spam attempt when a SIP call is already in transit to the destination, or when it is

9 already being processed by the destination s proxy server, or User Agent (SIP phone). In this section we analyze preventive solutions that intend to avert the spam communication before it starts. With this objective in mind, two methods are discussed: address obfuscation and the use of temporary addresses. Address Obfuscation This prevention measure takes into account that spammers collect addresses from public web sites, among other sources, and use those addresses as destination for their unsolicited messages. In order to prevent this, the solution is to hide the addresses (either addresses or SIP URIs) to spam bots, and at the same time, make them available to humans. Some strategies that can be considered with this objective in mind are: Address Inside Images: The address can be included as an image file, to make spam bots job harder. CAPTCHA Based Address: The address is showed after solving a challenge that only humans can solve. Address Distortion: The address is modified in a way that human users can understand it, but a web crawler will capture it incorrectly. For example: myaddressremovethis@domain.com. Temporary Address: Another preventive technique that was created for technologies and can be utilized in the SIP approach is the use of temporary addresses. This idea takes advantage of the fact that URIs, as well as addresses, are usually free or very cheap to obtain. Because of that, a user can create a temporal URI for each service that she subscribes. Whenever spam is received in this SIP account, it can be simply deleted. This approach can be taken to the extreme, and similarly to some anonymity services for , generate one-time-use SIP addresses. 4 Anti-Spam Frameworks for SIP Based on the analysis of the different anti-spam methods from Sec. 3, we can conclude that there is no fool-proof anti-spam mechanism that provides a definite solution to the threat. However, [10] proposes a set of recommendations to mitigate the risk of SIP spam, and it is believed that by putting them into practice altogether, the risk of spam over SIP can be dramatically decreased. The general framework is based on the identity of the caller, in order to classify a communication attempt via SIP as spam or not. It relies on three main ideas, that have to be considered: strong identity, caller classification and caller introduction. Strong Identity: The implementation of an identity authentication mechanism that is difficult to bypass is recommended for many strategies to be considered more useful. In the same way, the current anti-spam framework depends on this assertion.

10 Caller Classification: The second step in the Anti-Spam Framework deals with the way that communication attempts are classified. We can consider each caller as belonging to the group of contacts that we know (either we trust them or not) or callers that we do not know, or callers that we do not know, but are known by other trusted contacts (reputation-based systems). Based on this differentiation, we can apply the identity based anti-spam procedures explained in Sec. 3.2: blacklists, whitelists and reputation lists. However, in order for this technique to be valid, the implementation of a strong identity mechanism is mandatory. Caller Introduction - The Introductory Problem: When the caller is known beforehand, the classification technique can be very helpful. However, when the caller is unknown, we need to provide a way to distinguish if the incoming communication represents spam or not. This concern is known as The introductory Problem. All the interactive techniques described in Sec. 3.3 can be used with this purpose: challenge-response (for prerecorded SPIT, but not for telemarketers), consent-based, and payment at risk (for all kinds of spam). 5 Analysis of the Proposed Countermeasures In this section we present an analysis of the applicability of the previously defined anti-spam techniques. Content-Filtering: The technique of Content-Filtering is not suitable for real time voice over SIP, but it is a useful tool for dealing with spam over IM and over presence. The functionality is analog to filtering, where each received message is analyzed, and eventually considered as spam. In addition, we believe that other technologies based on content-filtering, like fingerprinting [2] can be ported from the approach to the SIP approach. However, this solution may only be usable to deal with SPPP and SPIM. Identity-Based solutions: The identity based solutions explained in the previous sections are an important basis for any implementor of SIP anti-spam solutions. The blacklisting or whitelisting can be extended to consider IP address. However, this filtering is not strictly SIP based (application layer), because it happens in the network layer. There is another analysis that can be made regarding the use of a strong identity mechanism. Throughout the present paper we have mentioned the need for a consistent identity mechanism, mostly for the solutions based on identity. We consider worth mentioning that even in the case where a strong identity mechanism is not possible, the identity-based spam solutions are still valid and useful, as they will still help towards the goal of diminishing the impact of SIP spam in the whole system.

11 Interactive Methods: The aforementioned interactive anti-spam solutions conform the most active area of SIP research nowadays. Taking into account that most of SIP spam is expected to be composed of prerecorded calls, we believe that the challenge response mechanism is of vital importance. [13] deployed an implementation and tested it against a series of spam bots, with positive results. We also believe that the technique of payment at risk is an attractive solution. However, the most prominent projects in this matter, like Microsoft Penny Black project [1] are still in an early implementation state. Therefore, we do not expect it to be deployed for SIP in the foreseeable future. Preventive Solutions: In order to make spammers job harder, it is advisable to follow preventive measures, like the ones discussed in Sec By avoiding the public exposure of SIP addresses, and by using temporary addresses for registration in services that are not completely trustworthy, we diminish the chances that our SIP URI will end up in bulk senders hands. Overall Techniques Success: It is important to mention that the security provided by any anti-spam solution does not guarantee any success after deployment. For example, if an anti-spam technique provides a high level of spam detection, but it adds a considerable complexity to the usage of SIP systems, the technique will most probably be bypassed by most SIP users, rendering it useless. Because of that, we believe that a compromise has to be made between the protection provided by an anti-spam solution (or solution framework), and the convenience of use, to obtain a solution that can be both secure and not intrusive for users. 6 Conclusion The present paper analyzes the imminent spam threat over SIP-based protocols. Firstly, the different types of spam over SIP were depicted. After that, several anti-spam techniques were analyzed, in conjunction with their usability in each protocol. Finally, a general anti-spam framework was recommended, as well as an analysis of the proposed methods. Whereas the focus in this paper was put on different methods that can help to avoid spam over SIP, further work would need to be carried out in practice, in order to measure the impact of the specified techniques in a real life scenario. In this way, SIP implementors will have the right tools to minimize the effects caused by spam in all SIP based protocols.

12 References [1] Penny Black Project. Informational. Available at: /en-us/projects/pennyblack/ (Accessed December 2009). [2] N. Dimmock and I. Maddison. Peer-to-peer collaborative spam detection. Crossroads, 11(2):4, [3] S. Dritsas, J. Soupionis, M. Theoharidou, J. Mallios, and D. Gritzalis. SPIT Identification Criteria Implementation: Effectiveness and Lessons Learned. In Proceedings of the IFIP TC 11 23rd International Information Security Conference: Ifip 20th World Computer Congress, Ifip Sec 08, September 7-10, 2008, Milano, Italy, page 381. Springer, [4] J. Goodman, G. Cormack, and D. Heckerman. Spam and the ongoing battle for the inbox. Communications of the ACM, 50(2):33, [5] J. Peterson and C. Jennings. RFC 4474: Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP). (Proposed Standard), Aug [6] J. Posegga and J. Seedorf. Voice over IP: Unsafe at any Bandwidth? In Ubiquitous Services and Applications: Exploiting the Potential; EURESCOM Summit 2005: Conference Proceedings, April 2005, Marriott Hotel, Heidelberg, Germany, page 305. Margret Schneider, [7] V. Quinten, R. van de Meent, and A. Pras. Analysis of Techniques for Protection Against Spam over Internet Telephony. Lecture Notes in Computer Science, 4606:70, [8] J. Quittek, S. Niccolini, S. Tartarelli, and R. Schlegel. Prevention of Spam over IP Telephony (SPIT). NEC Technical journal, 1(2): , [9] J. Rosenberg. RFC 3857: A Watcher Information Event Template-Package for the Session Initiation Protocol (SIP). (Proposed Standard), Aug [10] J. Rosenberg and C. Jennings. RFC 5039: The Session Initiation Protocol (SIP) and Spam. (Informational), Jan [11] J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks, M. Handley, and E. Schooler. RFC 3261: SIP: Session Initiation Protocol. (Proposed Standard), June Updated by RFCs 3265, 3853, 4320, 4916, 5393, 5621, 5626, [12] D. Sisalem, J. Floroiu, J. Kuthan, U. Abend, and P. H. Schulzrinne. SIP Security. Wiley Publishing, [13] Y. Soupionis, G. Tountas, and D. Gritzalis. Audio CAPTCHA for SIP-Based VoIP. In Emerging Challenges for Security, Privacy and Trust: 24th Ifip Tc 11 International Information Security Conference, SEC 2009, Pafos, Cyprus, May 18-20, 2009, Proceedings, page 25. Springer, [14] A. Sperotto, G. Vliek, R. Sadre, and A. Pras. Detecting Spam at the Network Level. In Proceedings of the 15th Open European Summer School and IFIP TC6. 6 Workshop on The Internet of the Future, page 216. Springer, [15] Symantec. MessageLabs Intelligence Report, May Available at: May FINAL.pdf (Accessed November 2009). [16] L. Von Ahn, M. Blum, and J. Langford. Telling humans and computers apart automatically. COMMUNICATIONS OF THE ACM, Vol. 47:Page 57 60, 2004.