That string should work, but is it protecting all of the InboundCallRoutes? If your UserAgentPorts are all at default then this implies sp3:
19142888123@something.dyndns.info:5062
However, the scanner call is coming in on sp4. You might want to consider changing the UserAgentPorts to more obscure values. Each InboundCallRoute needs its own protection. Sometimes that string, or sometimes other methods such as the Oleg method.
By the way, it may be a typo, but in your string you seem to have two "xxxx" and no "xxxxx".