AppDial Fraud

I was getting an extremely high call volume through the SIP trunk. I saw under [Reports] [Asterisk Info] that there were 60 channels open for the SIP trunk, all referring to AppDial.

I have done a number of things including disabling In-Call Transfers and removing T and t from [Settings] [Advanced Settings] [Dialplan and Operational] [Asterisk Dial Options] and [Asterisk Outbound Trunk Dial Options].

I can’t seem to determine how these calls are getting through. Looking for suggestions. Let me know if you need additional info. Thanx!

Look at your provider’s call detail logs. Do you see many calls that are abnormal for your system, for example to a country you don’t normally call? If so, find one of these calls in the Asterisk log (by default, 7 days are kept) and try to determine how the call was made. If you have trouble, paste the relevant log section at pastebin.freepbx.org and post the link here.

If you don’t see unexpected calls, this may not be fraud at all. For example, a configuration error or software failure may be preventing legitimate calls from disconnecting, and they are accumulating on your system.

Here is the Asterisk Info Endpoints Report


Endpoint: <Endpoint/CID…> <State…> <Channels.>
I/OAuth: <AuthId/UserName…>
Aor: <Aor…>
Contact: <Aor/ContactUri…> <Hash…> <RTT(ms)…>
Transport: <TransportId…> <BindAddress…>
Identify: <Identify/Endpoint…>
Match: <criteria…>
Channel: <ChannelId…> <State…> <Time…>
Exten: <DialedExten…> CLCID: <ConnectedLineCID…>

Endpoint: 101/101 Not in use 0 of inf
InAuth: 101-auth/101
Aor: 101 1
Contact: 101/sip:[email protected]:49152;x-ast-orig 83ebe7a8b6 Avail 54.620

Endpoint: 102/102 Not in use 0 of inf
InAuth: 102-auth/102
Aor: 102 1
Contact: 102/sip:[email protected]:5160;x-ast-orig- 8535eca1e4 Avail 58.507

Endpoint: 103/103 Not in use 0 of inf
InAuth: 103-auth/103
Aor: 103 1
Contact: 103/sip:[email protected]:5260;x-ast-orig- 829b0704be Avail 58.388

Endpoint: 104/104 Not in use 0 of inf
InAuth: 104-auth/104
Aor: 104 1
Contact: 104/sip:[email protected]:5360;x-ast-orig- 96ae64df54 Avail 64.358

Endpoint: 201/201 Unavailable 0 of inf
InAuth: 201-auth/201
Aor: 201 1

Endpoint: 202/202 Unavailable 0 of inf
InAuth: 202-auth/202
Aor: 202 1

Endpoint: 203/203 Unavailable 0 of inf
InAuth: 203-auth/203
Aor: 203 1

Endpoint: 501/501 Not in use 0 of inf
InAuth: 501-auth/501
Aor: 501 1
Contact: 501/sip:[email protected]:5060;x-ast-orig-h 9829bfbfba Avail 26.572

Endpoint: 90101/101 Unavailable 0 of inf
InAuth: 90101-auth/90101
Aor: 90101 100

Endpoint: 90102/102 Unavailable 0 of inf
InAuth: 90102-auth/90102
Aor: 90102 100

Endpoint: 99102/99102 Unavailable 0 of inf
InAuth: 99102-auth/99102
Aor: 99102 1

Endpoint: 9999102/9999102 Unavailable 0 of inf
InAuth: 9999102-auth/9999102
Aor: 9999102 1

Endpoint: Flowroute Not in use 0 of inf
OutAuth: Flowroute/41507135
Aor: Flowroute 0
Contact: Flowroute/sip:[email protected] 90aba1e506 Avail 15.660
Transport: 0.0.0.0-udp udp 3 96 0.0.0.0:5060
Identify: Flowroute/Flowroute
Match: 34.226.36.35/32
Match: 34.226.36.32/32
Match: 34.226.36.33/32
Match: 34.226.36.34/32
Match: 147.75.65.193/32
Match: 147.75.65.194/32
Match: 34.210.91.112/32
Match: 34.210.91.114/32

Endpoint: dpma_endpoint Unavailable 0 of inf

Objects found: 14


All of the endpoints are valid except those starting with ‘9’. They don’t show up in the Extensions module. I can’t seem to figure out how they got there. I’ve looked in multiple directories and cannot locate any configuration files for them. Where are they defined?

Those are normally how modules like Zulu and Sangoma Connect are registered to your server. That is not necessarily abnormal. Go to the Extensions module, and in the url change the end to display=devices and it should show all those additional devices.

Seems there is always something to learn. If I am no longer using the Zulu and Sangoma Connect, I assume I can delete them. Correct?

If you aren’t using them I would start by deleting the modules first. If those devices still exist afterwards then feel free to delete those too.

OK, I guess I was going down the wrong path. Here is additional info from the Call Event Logging:

(Formatting kinda goes to crap when you copy and paste)

Date Caller Dialed Duration Play Details
Tue, Apr 19, 2022 2:10 PM 100 100 12 - show
Tue, Apr 19, 2022 1:55 PM 99910084101046812118513 99910084101046812118513 13 - show
Tue, Apr 19, 2022 1:55 PM 99910084101046812118513 99910084101046812118513 13 - show
Tue, Apr 19, 2022 1:52 PM 1001 000972567158234 1 - show
Tue, Apr 19, 2022 1:39 PM 1000 48573503330 12 - show
Tue, Apr 19, 2022 12:40 PM 101 106 19 - show
Tue, Apr 19, 2022 12:33 PM 101 5024813831 2 - show
Tue, Apr 19, 2022 12:08 PM 1001 +972567158234 1 - show
Tue, Apr 19, 2022 11:34 AM 99912594101046812118513 99912594101046812118513 12 - show
Tue, Apr 19, 2022 11:34 AM 99912594101046812118513 99912594101046812118513 13 - show
Tue, Apr 19, 2022 10:54 AM sip 845155063700 12 - show
Tue, Apr 19, 2022 10:49 AM 100 100 12 - show
Tue, Apr 19, 2022 10:28 AM 1001 900972567158234 2 - show
Tue, Apr 19, 2022 10:18 AM sip 1875155063700 12 - show
Tue, Apr 19, 2022 9:53 AM 101 103 35 - show
Tue, Apr 19, 2022 9:42 AM sip 3665155063700 13 - show
Tue, Apr 19, 2022 9:14 AM 99917904101046812118513 99917904101046812118513 12 - show
Tue, Apr 19, 2022 9:13 AM 99917904101046812118513 99917904101046812118513 12 - show
Tue, Apr 19, 2022 9:07 AM 00972599158234 00972599158234 12 - show
Tue, Apr 19, 2022 9:07 AM 00972599158234 00972599158234 12 - show
Tue, Apr 19, 2022 9:06 AM sip 9605155063700 13 - show
Tue, Apr 19, 2022 8:52 AM 1001 00972567158234 1 - show
Tue, Apr 19, 2022 8:37 AM 101 16052052093 5 - show

None of these calls are valid. This is a recent example. As I mentioned in the opening message, I previously saw 60 channels open, all showing calls from [Caller] 101 and all calls were going to numbers in the 605 (South Dakota) area code. These calls were eating up minutes on the SIP call plan like crazy. Over $300 worth in four days. I can’t seem to figure out where they are hacking in. Looking for any suggestions.
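
The triage suggested earlier in the thread (look for calls that are abnormal for the system), applied to rows in the Call Event Logging layout pasted above. This is an added example, not part of any post; the known-extension list is taken from the endpoint report, and the 10-digit threshold for an external number and the prefix list are assumptions.

```python
import re
from collections import Counter

# Extensions the poster confirmed as valid in the endpoint report (assumed complete).
KNOWN_EXTS = {"101", "102", "103", "104", "201", "202", "203", "501"}

# Rows copied from the Call Event Logging paste in this thread.
SAMPLE = """\
Tue, Apr 19, 2022 1:52 PM 1001 000972567158234 1 - show
Tue, Apr 19, 2022 12:40 PM 101 106 19 - show
Tue, Apr 19, 2022 12:33 PM 101 5024813831 2 - show
Tue, Apr 19, 2022 12:08 PM 1001 +972567158234 1 - show
Tue, Apr 19, 2022 10:54 AM sip 845155063700 12 - show
Tue, Apr 19, 2022 9:53 AM 101 103 35 - show
Tue, Apr 19, 2022 8:37 AM 101 16052052093 5 - show
"""

ROW = re.compile(
    r"^(?P<when>\w{3}, \w{3} \d{1,2}, \d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<caller>\S+) (?P<dialed>\S+) (?P<secs>\d+) ")

def parse(text):
    """Yield a dict per row in the pasted layout; header and junk lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.groupdict()

def reasons(row, known=KNOWN_EXTS, min_external_len=10):
    """Return the list of reasons a row is abnormal (empty list if none)."""
    out = []
    digits = row["dialed"].lstrip("+")
    if row["caller"] not in known:              # caller ID is not a configured extension
        out.append("unknown_caller")
    if digits.isdigit() and len(digits) >= min_external_len:
        out.append("external_dest")             # too long to be an internal extension
    if row["dialed"].startswith(("+", "00", "011")):
        out.append("intl_prefix")               # common international dialing prefixes
    return out

def triage(text):
    flagged = [(r, why) for r in parse(text) if (why := reasons(r))]
    by_caller = Counter(r["caller"] for r, why in flagged if "external_dest" in why)
    return flagged, by_caller

if __name__ == "__main__":
    for row, why in triage(SAMPLE)[0]:
        print(row["when"], row["caller"], "->", row["dialed"], ",".join(why))
```

Rows flagged `external_dest` with a configured caller such as 101 are the ones to look up first in the Asterisk log, since the system attributed them to a real extension.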
