Blocking inbound SIP spam calls

Started by drdigital1, March 09, 2013, 09:15:47 AM


drdigital1

I switched my AT&T landline to obi + anveo in order to get rid of telemarketer calls. This worked out perfectly.
A few weeks ago I switched ISP (from Comcast to AT&T; AT&T supplies the gateway so I also have a new router because of the switch). Since then, I've been getting (at 4AM or so!) SIP spam calls (anveo logs, of course, do not show these calls). Calls had a CID of 100, some were from SIPVICIOUS.
I implemented the changes shown at http://www.obitalk.com/forum/index.php?topic=1104.0 and with 3 digit calls blocked, no more SIP spam calls for a week. This morning, I got 3 calls from CID 1001 – since I only blocked 3 digit calls, these went through. I will block all calls with CID less than 10 digits but this doesn't look like an insurmountable obstacle for spammers – won't they use 10 digit CID?
Given that my problem has never happened with Comcast and with my old router, I believe that there must be a solution where only calls coming from anveo are allowed; everything else should be blocked. If not a router set up, then, for sure, it should be possible to set up obi (I use obi202) to block calls not coming from my registered service provider (anveo), shouldn't it?
Any recommendation?
Many thanks,

ianobi

Three actions can be taken:

1. Change:
Voice Services -> SP1 Service -> X_UserAgentPort : 5060
5060 is the most likely target as it's a standard SIP "listening port". I would change all the UserAgentPorts to some obscure range, maybe 5470, 5471 etc.

2. Set a good InboundCallRoute trap on each sp. Currently I'm using:
Voice Services > SP1 Service > X_InboundCallRoute:
{(?|@|@@|@@@|@@@@|@@@@@|@@@@@@):},{ph}
This stops calls with no CallerID and any CallerID with less than seven alphanumeric characters. CallerIDs such as 100, 1001, test1, admin etc are stopped.

3. Configure:
Service Providers -> ITSP Profile x -> SIP -> X_AccessList

Quote from RonR:

Quote
It's possible for calls to come directly into your OBi. The OBi accepts SIP URI calls addressed to <anything>@your_ipaddress:5060 if SP1 is configured for SIP and <anything>@your_ipaddress:5061 if SP2 is configured for SIP.

You can prevent unauthorized SIP activity by configuring:

Service Providers -> ITSP Profile x -> SIP -> X_AccessList

with a list of IP addresses authorized to communicate with that particular SPx Service.

Generally, this list contains your service provider's IP address and the IP addresses of anyone you expect to get SIP URI calls from.

I have found just using items 1 and 2 above was enough to stop all nuisance calls.

It is odd how the spam calls always come in the early hours of the morning, no matter what time zone you live in  >:(


RFord

Would number 2 prevent calls with CNAM of "SIPVICIOUS"? This happens to have 10 alpha characters. I do agree that Item 1 & 2 would probably solve the bulk of the problems. Recently I have gotten these calls on my IP Phone (Panasonic, registered to my VOIP provider, VOIP.ms) and the SIP port was not set to 5060 (I was using 5070 and 5080 on the two lines the calls came in on), nor was there any port forwarding from the Router to the IP Phone. The caller ID was coming first as 1000, which I blocked and then they came in as 1001. They seem to be getting very clever with their scanning abilities. Maybe they are reading these forums to see what countermeasures people are using.   ;)

Quote from: ianobi on March 09, 2013, 09:39:44 AM
2. Set a good InboundCallRoute trap on each sp. Currently I'm using:
Voice Services > SP1 Service > X_InboundCallRoute:
{(?|@|@@|@@@|@@@@|@@@@@|@@@@@@):},{ph}
This stops calls with no CallerID and any CallerID with less than seven alphanumeric characters. CallerIDs such as 100, 1001, test1, admin etc are stopped.

ianobi

Quote
Maybe they are reading these forums to see what countermeasures people are using.

I hope not, but you may be right! I've been sleeping well since I implemented 1 and 2 above, so I'm hopeful that we are ahead of the scanners/spammers/scammers   :)

If "SIPVICIOUS" is recorded in the OBi as Status > Call History > Peer Name, then it should not have any effect. The OBi only routes incoming calls according to CallerID, which it records in the OBi as Status > Call History > Peer Number. So it's whatever is recorded in Peer Number that matters when it comes to blocking a call.


drdigital1

Thanks for the quick reply. I already did the port change and blocked less than 10 digit CID.

I have not tried your 3rd suggestion (from RonR) though.


Quote

You can prevent unauthorized SIP activity by configuring:

Service Providers -> ITSP Profile x -> SIP -> X_AccessList

with a list of IP addresses authorized to communicate with that particular SPx Service.

Generally, this list contains your service provider's IP address and the IP addresses of anyone you expect to get SIP URI calls from.


This might be a stupid question, but how do I figure out the IP address for my service provider (anveo) that I should fill in?

ianobi

You could have a look at the bottom of this page:

http://www.anveodirect.com/about/faq

I think you just need the SIP ip addresses. The problem with anveo and other service providers is that they often use a range of ip addresses. The OBi can do a list, but not a range.

Have a search around on this forum for "accesslist"; there are pros and cons for using it.

Diana

Anveo has three IP addresses:

Quote
sip.anveo.com:5010 (USA)              [72.9.149.69]
sip.ca.anveo.com:5010 (CANADA)    [67.212.84.21]
sip.de.anveo.com:5010 (GERMANY)  [176.9.39.206] (not 100% sure of this one)

Shale

Interesting... I wonder if http://www.anveodirect.com/about/faq only applies to Anveo Direct, or if that FAQ is out of date.


carl

Quote from: ianobi on March 09, 2013, 11:33:21 AM
The problem with anveo and other service providers is that they often use a range of ip addresses. The OBi can do a list, but not a range.




I will have to contact Localphone on that because they work with different providers for their DID's and there are often problems with changing things.
But it seems to me that the IP address  list is the best solution because anything else could cause problems with international calls where you often get weird or no caller ID's depending on the providers on both sides.
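
Added example (not part of any post in this thread, and not OBi firmware code): a Python model of how items 2 and 3 treat constructed SIP INVITEs, covering ianobi's Peer Name versus Peer Number point and carl's no-CallerID case. It assumes Peer Number is the user part of the From URI and Peer Name is its display name, and it models the trap from the thread's description rather than from the OBi digit-map engine; the sample messages and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are constructed.

```python
import re

# X_AccessList modelled as exact IPs only (a list, not a range). These are the
# Anveo addresses as posted in this thread; verify them before relying on them.
ACCESS_LIST = {"72.9.149.69", "67.212.84.21", "176.9.39.206"}

# Optional display name, then the user part of the From URI (assumed mapping
# to the OBi's Peer Name / Peer Number fields).
FROM_RE = re.compile(
    r'^From:\s*(?:"?(?P<name>[^"<]*?)"?\s*)?<sips?:(?:(?P<user>[^@>;]*)@)?[^>]*>',
    re.I | re.M)

def parse_from(msg):
    """Return (peer_name, peer_number) from a SIP INVITE's From header."""
    m = FROM_RE.search(msg)
    if not m:
        return "", ""
    return (m.group("name") or "").strip(), m.group("user") or ""

def callerid_trap(peer_number):
    """True if the trap, as described in the thread, would stop the call:
    no CallerID, or fewer than seven alphanumeric characters."""
    return re.fullmatch(r"[A-Za-z0-9]{0,6}", peer_number) is not None

def triage(src_ip, msg):
    """Verdict of each control on its own, so the two can be compared."""
    name, number = parse_from(msg)
    return {"peer_name": name, "peer_number": number,
            "access_list": "allow" if src_ip in ACCESS_LIST else "drop",
            "callerid_trap": "drop" if callerid_trap(number) else "ring"}

def make_invite(from_header):
    # Constructed, minimal INVITE; only the From header matters here.
    return ("INVITE sip:100@192.0.2.50:5060 SIP/2.0\r\n"
            f"From: {from_header};tag=constructed\r\n"
            "To: <sip:100@192.0.2.50>\r\n\r\n")

# Constructed samples: (source IP, From header).
SAMPLES = [
    ("203.0.113.10", '"SIPVICIOUS" <sip:100@203.0.113.10>'),  # scanner, short ID
    ("203.0.113.10", '<sip:1001@203.0.113.10>'),              # scanner, 4 digits
    ("198.51.100.7", '<sip:5551230100@198.51.100.7>'),        # scanner, 10-digit ID
    ("72.9.149.69", '<sip:sip.example.net>'),                 # provider, no CallerID
]

def run():
    return [triage(ip, make_invite(h)) for ip, h in SAMPLES]

if __name__ == "__main__":
    for (ip, _), verdict in zip(SAMPLES, run()):
        print(ip, verdict)
```

In this model the 10-digit row is stopped only by the access list, and the provider call with no CallerID is stopped only by the trap.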

rcmobi

I had success with item # 2 posted in "Reply #1 on: March 09, 2013, 09:39:44am  by  ianobi."
My setup is obi100 with Google Voice on SP1 and Anveo on SP2 for e911 service only.
I read elsewhere that Google Voice is not as susceptible to SIP spam calls so I concentrated on SP2 Anveo service.
I made the change on April 11, 2013 and here is the note I made for myself to document Expert mode configuration changes I made.
=======================================================
>>>> 4/11/2013 Documenting original effort to block calls with no CallerID and
>>>> any CallerID with less than seven alphanumeric characters.
>>>> This was discovered on the OBiTalk forum with the search  SIP Spam Calls
>>>> ...
>>>> 2. Set a good InboundCallRoute trap on each sp. Currently I'm using:
>>>> Voice Services > SP1 Service > X_InboundCallRoute:
>>>> {(?|@|@@|@@@|@@@@|@@@@@|@@@@@@):},{ph}
>>>> This stops calls with no CallerID and any CallerID with less than seven alphanumeric
>>>> characters. CallerIDs such as 100, 1001, test1, admin etc are stopped.
>>>> ...
Expert Configuration of SP2...Voice Service  SP2 Service
...X_InboundCallRoute DigitMap original value with OBiTalk box checked
ph

...X_InboundCallRoute DigitMap original value with Device Default box checked
ph

...X_InboundCallRoute DigitMap original value with neither Device Default nor OBiTalk box checked
ph

Revised DigitMap value used with both OBiTalk box and Device Default box NOT checked
{(?|@|@@|@@@|@@@@|@@@@@|@@@@@@):},{ph}

ianobi

rcmobi - welcome to the forum.

As often happens, things have moved on. See this post:

http://www.obitalk.com/forum/index.php?topic=5467.msg35387#msg35387

My preferred choice now is to use methods 2 and 4 in the above post.

YatLee

Thanks. Did you mean to change X_UserAgentPort OR X_KeepAliveServerPort?

Quote from: ianobi on March 09, 2013, 09:39:44 AM
Three actions can be taken:

1. Change:
Voice Services -> SP1 Service -> X_UserAgentPort : 5060
5060 is the most likely target as it's a standard SIP "listening port". I would change all the UserAgentPorts to some obscure range, maybe 5470, 5471 etc.

2. Set a good InboundCallRoute trap on each sp. Currently I'm using:
Voice Services > SP1 Service > X_InboundCallRoute:
{(?|@|@@|@@@|@@@@|@@@@@|@@@@@@):},{ph}
This stops calls with no CallerID and any CallerID with less than seven alphanumeric characters. CallerIDs such as 100, 1001, test1, admin etc are stopped.

3. Configure:
Service Providers -> ITSP Profile x -> SIP -> X_AccessList

Quote from RonR:

Quote
It's possible for calls to come directly into your OBi. The OBi accepts SIP URI calls addressed to <anything>@your_ipaddress:5060 if SP1 is configured for SIP and <anything>@your_ipaddress:5061 if SP2 is configured for SIP.

You can prevent unauthorized SIP activity by configuring:

Service Providers -> ITSP Profile x -> SIP -> X_AccessList

with a list of IP addresses authorized to communicate with that particular SPx Service.

Generally, this list contains your service provider's IP address and the IP addresses of anyone you expect to get SIP URI calls from.

I have found just using items 1 and 2 above was enough to stop all nuisance calls.

It is odd how the spam calls always come in the early hours of the morning, no matter what time zone you live in  >:(



ianobi

I definitely mean X_UserAgentPort. Each sp has its own ip address/port. The port for sp1 is 5060, which is used by most SIP providers / devices as the port to listen for incoming calls. That's why the SIP scanners target 5060 and others around the range 5060 - 5070.

If you change the X_UserAgentPort to an obscure number, then your OBi will update your voip service provider in its next "register message", so your voip provider knows where to send calls to.