SIP scanner string question

Hortoristic · November 05, 2013, 12:33:59 PM

I've been using this string for many months:
{(x|xx|xxx|xxxx|xxxx|xxxxxx|un@@.):},{ph}

Today some SIP scanner got through with my OBI history showing:
From '1001' SP4(1001)

Since I'm using DID forwarding (I think this is called URI) like below; I don't have a registered VOIP provider; I simply have a dummy SP configured that many DID's forward to:
19142888123@something.dyndns.info:5062

Maybe it's my misunderstanding how: {(x|xx|xxx|xxxx|xxxx|xxxxxx|un@@.):},{ph} works, but it seems like it would block "1001", right?

ianobi · November 05, 2013, 01:45:04 PM

That string should work, but is it protecting all of the InboundCallRoutes? If your UserAgentPorts are all at default then this implies sp3:
19142888123@something.dyndns.info:5062

However, the scanner call is coming in on sp4. You might want to consider changing the UserAgentPorts to more obscure values. Each InboundCallRoute needs its own protection. Sometimes that string, or sometimes other methods such as the Oleg method.

By the way, it may be a typo, but in your string you seem to have two "xxxx" and no "xxxxx".

Shale · November 05, 2013, 03:04:24 PM

http://www.obitalk.com/forum/index.php?topic=5467.0 has some discussion about thwarting SIP scanners.

giqcass · November 07, 2013, 10:28:23 PM

You could switch to the Oleg method. It's my favorite tecnique.

News:

SIP scanner string question

Hortoristic

ianobi

Shale

giqcass