Asterisk not seeing the inbound CNAM for one spammer's calls

I have one spammer that comes through periodically that has a CNAM of ‘async’ but asterisk doesn’t seem to actually see the caller-ID name, though packet captures of the calls show ‘async’. Other calls have their CNAM working just fine, seems to just be this one.
So I’m unable to blacklist their calls by their CNAM(they are changing their number every few calls so can’t block using their number).

Anyone seen this issue before? Comparing the packets from the ‘async’ calls and ones where asterisk shows the caller-ID name show no obvious differences…

Is the IP also changing every few calls?

It’s coming in via our main PSTN provider so same IPs as all other inbound calls.

Sip or analog/digital? if sip does sngrep show any difference ?

This is all SIP. I’m using voipmonitor to capture everything and wireshark to analyze for differences, no obvious differences in the SIP packets. I’m actually not sure that only this spammer’s calls are using CNAM ‘async’, I see 3 calls today with ‘async’ set but (since only 3 calls not sequential - may not be that spammer).

Just seems odd that asterisk doesn’t detect/show the CNAM for these.

Unless it is provided in a SIP header from the original caller (spammer), and passed through your carrier to your PBX, there is no CID Name on a call.

A couple basics you need to figure out:
Who are you paying for your CID lookups?
At what point are you doing CID lookups?

What part of the SIP message header is actually used for the CNAM in SIP?
From line?
Sip Display Info line?
Contact line?
I suppose this is buried in an RFC somewhere.

Not paying anyone, this info is coming from the SIP headers themselves. Which is why it seems odd that the packets have the name ‘async’ but asterisk is not showing it in the logs (and not blacklisting either).

So it’s coming from your provider? You can have them look into it as well.

Yes you are.

yep, I’ll probably ask them about it, mainly as I’m wondering if they are adding the ‘async’ CNAM. But regardless seems odd that asterisk acts as if it is not set.

sngrep conveniently lets you analyze transaction by transaction eash Session, also adds convenient filtering, finding all cases of ‘async’ would be trivial, wireshark on steroids for SIP

Yep. I’m using voipmonitor to monitor all of our calls, convenient with it’s GUI. Stores packet captures for each call so I can analyze in more detail when needed.

I could have voipmonitor alert on calls with ‘async’ CNAM and fire off a script to go blacklist the inbound number, but the inbound number changes fast enough I don’t think is worth the effort. Though I haven’t done enough analysis to see if they are using the same pool of numbers over a period of months, guess that’s next on the list!

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.