Unconditionally forwarding port 5060 will open you up to SIP scanners. Unless your OBi has a specific X_InboundCallRoute setting, you are going to get unintended rings.
SPAM calls can be difficult to tie to a specific cause. They could be someone attacking your ATA in which case more restrictive configuration as mentioned above can help.
But you can't prevent someone from dialing your number directly, and unless you have some filtering enabled somewhere you will get rings. How to filter effectively without also rejecting wanted calls is the challenge.
If you must have SIP ALG enabled on a router and it is still the source of problems I would consider another router.
I run m0n0wall 1.8.1 here which requires no special configuration for my OBi200 to work flawlessly - pure plug and play, and it doesn't do UPnP either. There are undoubtedly many others that can offer similar freedom of special configuration, port forwards, etc.