Help blocking SPAM calls


#1

We’ve been getting a TON of spam calls lately, something like a 10X increase in the number of calls. Most of the calls have the same or similar name, but the numbers keep changing so blacklisting by the number doesn’t work.

Is there a way to blacklist based on the name string or pattern in the name?

thx
mike


#2

What are you using as the firewall? And do you have SIP calls lines on the UCM?


#3

I have pfSense as a firewall. The SPAM calls are being directed at my DID. I am using VOIP for the trunk, but it’s encrypted and outbound-only connections from the UCM to the SIP provider. I am very sure it’s not someone connecting in to my UCM from the Internet.

These are all credit card applications, calls from “apple tech support” etc…


#4

Block by name or similar string is not possible. The system looks at numbers, as do others. The only thing I can suggest is registering for the Do Not Call list, being that you are in the US.


#5

Are these calls shown in the CDR?
If not, then you have something in the network that spams port 5060 (they trace it as a call).


#6

Yup. They all show up in the CDR the same way as legit calls from my SIP provider.


#7

The easiest way is to use SIP settings NAT -> change external port to provider.
Also, you should be able to drop them by non-matching IP? Ask the provider for all the server IPs they use, then filter anything that is not their IP.


#8

Marcin, thanks for the advice, but the UCM is not on a DMZ or directly exposed to the internet. Port 5060 is not being served through the firewall. The UCM generates an OUTBOUND TCP connect to the SIP provider (voip.ms), and keeps the connection up so it can receive inbound calls.

The UCM does not have port 5060 or any other port open to the Internet. I don’t trust GS code to be directly exposed to the Internet, and I don’t even forward port 5060 on the firewall to the UCM.

The SPAM calls I am getting are coming in from voip.ms, hence my desire to block them from ringing at UCM.


#9

If the calls are coming from voip.ms (and can be seen in their CDR) then this absolutely has nothing to do with ghost calls or any other attack vector other than calls being directed to you via your DID on your ITSP.

From what you have said it would look like someone is targeting you via some sort of auto-dialer program that is able to change its outgoing CNUM. The only thing I can think of is:

  • Have an IVR answer your calls so that they do not ring through.

  • Engage voip.ms to see if they can assist in back tracing who is actually sending you these calls.

The first is a band-aid aimed at the symptom. The second is a hail-Mary call as I don’t think there is anything anyone can do as long as the calls keep coming in from random numbers.


#10

You may want to consider this approach.

It may or may not be a practical solution for your installation.

Have all calls answered by an IVR (Auto Attendant).

Have the IVR Greeting say something like “Please press any digit to continue your call” or whatever may work best for your installation.

In the IVR:

In the “Basic Settings” set the “Response Timeout” to a comfortable period for valid callers to respond.

Set the “Response Timeout Prompt Repeat” to 1.

Set “Key Pressing Events” 0 through 9 to the normal destination for incoming calls.

Set the “Timeout” event to “Goodbye”

SPAM calls should drop out before they reach the normal destination for incoming calls.

I hope that this may help you and it may be worth a try.


#11

Hi

I had the same issue and it was annoying me. Wiresharked the calls and found some were being made directly to the phones and some to the phone system.

After a lot of investigating I discovered it was a common issue for lots of SIP phones, and the only way to stop it was to block the IP addresses from the ISP which are most common for these hacks in our router. Since I have done that, the issue has stopped completely.

The following are the ranges I blocked in our router.

Regards
Andrew Maher


#12

What the requester has indicated is that these are legitimate (if there is such a thing) spam calls that are telephone calls coming from his provider, not rogue SIP attacks. There are services out there that reportedly one can subscribe to and the calls will be filtered by that service and then allowed or blocked.

Your method of blocking ranges is workable, but:

  1. You have to keep updating as other hackers find you.
  2. You may run out of entry space in the firewall.

A better method is to set a rule that only allows the IPs that you want and then block the rest. If your router supports GEO then you might be able to employ that tool as well. The only downside is if you have a need for external devices whose IP may change, but even then that may be overcome in some cases.
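
The trade-off described in #12, as an added example that is not part of the original thread: the same source addresses evaluated against a merged blocklist (default allow) and against a provider allowlist (default deny). All addresses are constructed RFC 5737 documentation ranges, and the names `PROVIDER_ALLOWLIST`, `BLOCKLIST` and the helper functions are hypothetical.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges), not real provider or attacker IPs.
PROVIDER_ALLOWLIST = ["203.0.113.10/32", "203.0.113.20/32"]  # assumed SIP provider servers
BLOCKLIST = ["192.0.2.0/24", "192.0.2.0/25", "198.51.100.0/25", "198.51.100.128/25"]


def parse(cidrs):
    """Parse CIDR strings and merge overlapping or adjacent ranges into the fewest entries."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def blocklist_verdict(src, blocked):
    """Default allow: only sources inside a listed range are dropped."""
    ip = ipaddress.ip_address(src)
    return "drop" if any(ip in n for n in blocked) else "pass"


def allowlist_verdict(src, allowed):
    """Default deny: only sources inside a listed range are passed."""
    ip = ipaddress.ip_address(src)
    return "pass" if any(ip in n for n in allowed) else "drop"


def compare(sources):
    """Return {source: (blocklist verdict, allowlist verdict)} for each source address."""
    blocked, allowed = parse(BLOCKLIST), parse(PROVIDER_ALLOWLIST)
    return {s: (blocklist_verdict(s, blocked), allowlist_verdict(s, allowed)) for s in sources}


if __name__ == "__main__":
    # Four blocklist entries merge into two, which saves firewall table space.
    print("blocklist after merge:", [str(n) for n in parse(BLOCKLIST)])
    # Provider server, a listed scanner, and a new source no list has seen yet.
    for src, (bl, al) in compare(["203.0.113.10", "192.0.2.77", "203.0.113.99"]).items():
        print(f"{src:15} blocklist={bl:4} allowlist={al}")
```

The previously unseen source passes the blocklist until someone adds it, while the allowlist drops it without any update.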


#13

Needs a Mikrotik :wink:


#14

It seems you do not use the firewall embedded in the UCM. Try to activate Static Defense and set up rules that allow your trusted IPs and drop any others. Mostly it could help. Also follow the guide http://www.grandstream.com/sites/default/files/Resources/UCM_Security_Manual.pdf


#15

Using the embedded UCM firewall is not recommended around here. We believe in using a proper, separate firewall to perform that function and to let the UCM do what it was really designed for; being a PBX.


#16

I am closing the thread as it has gotten off-track.

The original thread was about SPAM calls coming in as legitimate calls from the SIP provider. It is not about SIP attacks, ghost calls or firewall related.

