I've been using this string for many months:
{(x|xx|xxx|xxxx|xxxx|xxxxxx|un@@.):},{ph}
Today some SIP scanner got through with my OBI history showing:
From '1001' SP4(1001)
Since I'm using DID forwarding (I think this is called URI) like below; I don't have a registered VOIP provider; I simply have a dummy SP configured that many DID's forward to:
19142888123@something.dyndns.info:5062
Maybe it's my misunderstanding how: {(x|xx|xxx|xxxx|xxxx|xxxxxx|un@@.):},{ph} works, but it seems like it would block "1001", right?
That string should work, but is it protecting all of the InboundCallRoutes? If your UserAgentPorts are all at default then this implies sp3:
19142888123@something.dyndns.info:5062
However, the scanner call is coming in on sp4. You might want to consider changing the UserAgentPorts to more obscure values. Each InboundCallRoute needs its own protection. Sometimes that string, or sometimes other methods such as the Oleg method.
By the way, it may be a typo, but in your string you seem to have two "xxxx" and no "xxxxx".
http://www.obitalk.com/forum/index.php?topic=5467.0 has some discussion about thwarting SIP scanners.
You could switch to the Oleg method. It's my favorite tecnique. :)