SIP scanners

Started by lacibaci, September 06, 2012, 05:50:04 AM


Mango

1) When considering the InboundCallRoute, the string to the left of the colon is known as the "peering-list".  This takes the format: caller-list > callee-list

In this case, the AuthUserName would be considered the "callee".  Does this answer your question?

2) I believe you're correct.

oleg

I think many questions were already answered, will try to clarify some...

Early suggestions (in this thread) to block scanners were based on matching the caller. The caller is a string sent by the calling party; that's how it represents itself. Provided that you normally receive calls with a valid 10-digit caller ID and that scanners use something like "10001", "admin", etc., you can filter them out. But what if a scanner uses the right pattern? Your OBi will ring the phone...

My idea was to use the callee id instead. The way is documented in the Inbound Call Route part of the OBi manual (may be lacking more examples). Most of us use one or several providers, maybe receiving direct SIP calls - a pretty much determined set of valid strings. All other calls may be dropped. That's what I made.
BTW, the good old Sipura / Linksys adapters allow only one user_id; any call not matching it does not ring.

>('myname'|123456@.):ph1
This is to allow incoming calls to myname@myhost (direct SIP calls) and 123456_me@myhost (voip.ms pattern, all sub-accounts have the same prefix), forward both to ph1 (I do not use ph2 now) and disregard all other calls. Note that you may receive SIP calls from several providers on the same SPn, that's why you may want to combine several patterns. You need separate SPn only if you want to register with several providers.

>('1777xxxxxxx'):ph1
This should work for Callcentric, but I believe you may remove quotes and even parentheses.

>>> Aside from the nerdiness what advantage does one gain using SIP URIs vs the traditional way...
It may be independent from any provider (sometimes more reliable), completely free, always the best quality (direct traffic)... Not something necessary though...

>>> 3/20/2013 2:19:10 AM    INVITE sip:+972592280470@12.34.56.78:5078 SIP/2.0
This is from syslog. I have it enabled on OBi, most verbose and sent to the server.
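An added example, not part of oleg's post or any OBi tooling: a check that reads syslog INVITE lines like the one quoted above and reports which callee strings a callee-based route would let ring and which it would drop, which also shows what callee your provider actually sends. The pattern handling is a simplified assumption (quoted text is literal, `x` is one digit, a trailing `@.` is any remainder, as the post uses it), and all log lines except the first are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the syslog entry quoted above.
SAMPLE_LOG = """\
3/20/2013 2:19:10 AM    INVITE sip:+972592280470@12.34.56.78:5078 SIP/2.0
3/20/2013 2:19:11 AM    INVITE sip:1001@12.34.56.78:5078 SIP/2.0
3/20/2013 9:02:44 AM    INVITE sip:123456_me@12.34.56.78:5078 SIP/2.0
3/20/2013 9:15:03 AM    INVITE sip:myname@12.34.56.78:5078 SIP/2.0
3/20/2013 9:20:00 AM    REGISTER sip:12.34.56.78 SIP/2.0
"""

# User part of the request-URI: the "callee" that the route matches on.
INVITE_RE = re.compile(r"\bINVITE\s+sips?:([^@\s;]+)@")


def callee_regex(alternatives):
    """Build a regex from simplified callee patterns (assumed semantics):
    'quoted' = literal, x = one digit, trailing @. = any remainder."""
    parts = []
    for alt in alternatives:
        if len(alt) >= 2 and alt[0] == alt[-1] == "'":
            parts.append(re.escape(alt[1:-1]))
            continue
        tail = ""
        if alt.endswith("@."):
            alt, tail = alt[:-2], ".*"
        parts.append("".join(r"\d" if c == "x" else re.escape(c) for c in alt) + tail)
    return re.compile("(?:" + "|".join(parts) + ")")


def audit(log_text, alternatives):
    """Return (callees that would ring, Counter of callees that would be dropped)."""
    allowed = callee_regex(alternatives)
    ring, dropped = [], Counter()
    for line in log_text.splitlines():
        m = INVITE_RE.search(line)
        if not m:
            continue  # not an INVITE request line
        callee = m.group(1)
        if allowed.fullmatch(callee):
            ring.append(callee)
        else:
            dropped[callee] += 1
    return ring, dropped


if __name__ == "__main__":
    ring, dropped = audit(SAMPLE_LOG, ["'myname'", "123456@."])
    print("would ring:", ring)
    print("would be dropped:", dropped.most_common())
```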




QBZappy

Brilliant. This should put an end to sip scanners as long as they don't use the same service provider that you use. Then what would be the odds of that.

Don't you just hate it when you read something and say, why didn't I think of that!

Worthy of a sticky indeed.
Owner of the 1st OBi110/100 units in service in Canada & South America. 1st OBi202 on my street. 1st OBi1032 in Montreal.

lacibaci

I tested {>(1777xxxxxxx):ph} (without quotes) and it works. I also reverted back to port 5060 and enabled syslog. I'm hoping to see a lot of messages like this:
SIP DLG reject: 486
Then I'll know it's working  :)

Lac

oleg

Quote from: QBZappy on March 21, 2013, 09:21:35 PM
This should put an end to sip scanners as long as they don't use the same service provider that you use.

Scanners do not use service providers; they are trying to establish a direct SIP call and trick your device into allowing them to pass through, like placing an international call in the example above. In the simple case with a VOIP adapter it may ring your phone (in the middle of the night  >:(). If you allow pass through (like calling from soft OBi to your home OBi and then into another trunk) - you have to be very cautious.

Quote from: lacibaci on March 22, 2013, 06:14:11 AM
SIP DLG reject: 486

This also happens when your line is busy :-)


ianobi

Quote
If you allow pass through (like calling from soft OBi to your home OBi and then into another trunk) - you have to be very cautious.

Yes, I agree with this. Some of us have complex InboundCallRoutes allowing incoming calls to use outgoing trunks on our OBi. Many users will have "Trusted Callers" giving access to their auto attendant and maybe more. This means that there are still reasons for using CallerID and changing UserAgentPort to increase security.

I see the "oleg approach" as most useful anywhere you have an InboundCallRoute containing the rules like "ph" or "ph,ph2". I will be changing my "ph" to something like {>('myname'|123456@.):ph}.





lacibaci

Quote from: oleg on March 21, 2013, 08:03:16 PM
...
>('1777xxxxxxx'):ph1
This should work for Callcentric, but I believe you may remove quotes and even parentheses.
...

I can confirm that for Callcentric the following inbound route works:

>1777XXXXXXX:ph

(replace X with your number)

Lac

RegularJoe

Ok I seem to be a dummy - How do I implement OLEG  method - I have OBI100 and Voip.MS - is there a step by step procedure with Voip.ms service.

Thank you for your help ahead of time.

Regards
Joe

Shale

Quote from: RegularJoe on March 29, 2013, 04:31:13 PM
Ok I seem to be a dummy - How do I implement OLEG  method - I have OBI100 and Voip.MS - is there a step by step procedure with Voip.ms service.

See http://www.obitalk.com/forum/index.php?topic=5467.0

Method 4 is the Oleg method. Method 3 has a string that you could copy and paste for voip.MS.

giqcass

Quote
Don't you just hate it when you read something and say, why didn't I think of that!

"why didn't I think of that!"  Was going through my head the whole time.  

I'm going to try adding a "User Defined Digit Map" and put all the user names in so I can easily edit them.  Thanks for a beautiful solution oleg.  I just added this topic to my personal OBi library.
Long live our new ObiLords!

Hyrules

I would be interested in setting up this method on Freephoneline. Anyone willing to help me? We could add it to oleg's howto after. I have already set up a Syslog server to get info from the obi202. What should I be looking for in my logs to get the information needed?

donly

Quote from: Hyrules on April 29, 2013, 01:30:35 PM
I would be interested in setting up this method on Freephoneline. Anyone willing to help me? We could add it to oleg's howto after. I have already set up a Syslog server to get info from the obi202. What should I be looking for in my logs to get the information needed?

I am using FPL and made the change a few weeks ago and so far no issues.
I just put this in my SP1 X_InboundCallRoute.

{>1xxxxxxxxxx:ph}

Hyrules

This line is not working here. The SIP requests are all rejected.

donly

Quote from: Hyrules on May 16, 2013, 07:59:08 AM
This line is not working here. The SIP requests are all rejected.

Did you replace the xxxxxxxxxx with your fpl number?

Hyrules

If you mean my phone number, yes.

Shale

Quote from: Hyrules on May 30, 2013, 06:31:30 AM
If you mean my phone number, yes.

Donly means your authorized user name or account number.  The AuthUserName can be read from your OBi or ObiTalk expert at
(Voice Services)SPx Service->AuthUserName.

This method is discussed as method 4 in https://www.obitalk.com/forum/index.php?topic=5467.0

Hyrules

Basically yes, that's my phone number. My AuthUserName is my phone number with FPL. I tried it earlier and it doesn't work. I'll try again.

carl

I noticed that over the last several months the scanner attacks diminished without me doing anything. Anyone else with the same experience?

lacibaci

Quote from: carl on May 30, 2013, 06:24:59 PM
I noticed that over the last several months the scanner attacks diminished without me doing anything. Anyone else with the same experience?

I still see many attempts in my log. Just last week, in about 2 minutes, some idiot from Vietnam tried 700 times to call an off shore number... I didn't even notice until I checked logs a couple of days later.

Lac

dial.tone

I did the Oleg Method on my Obi202/GoogleVoice/SimonTelephonics SP1 line and it seems to have eliminated the 100/1000/1001 calls in the middle of the night.  Oleg, wherever you are, my wife says thanks!  However, I am still being deluged with calls in the middle of the afternoon that the caller id identifies as "Private Caller."  They seem to come 12-15 at a time over a period of about 30 min.  I went into GoogleVoice and checked the box to "block anonymous calls," but that doesn't seem to have changed anything.  These calls don't show up in my GoogleVoice call history and the fact that each call can ring my phone 20+ times without going to voice mail makes me think they are bypassing GoogleVoice altogether.  I checked the SimonTelephonics website and the problem isn't addressed there and the ST forum is closed.  Thoughts on how to stop these troublesome Private-Caller calls?