Stop abuse of caller entering system after Hours

Hello,

We have a working FreePBX system 2.10.1.19 that has worked for a couple years now. Our telephone service is delivered by the cable company, delivering 4 analog lines into a Rhino RCB8FXX card. System works well – calls come in, calls go out, email is processed: life is great.

Then we found an 800 problem. According to the cable company, a caller started coming in on our 800 number, and then used our system to make an outbound call, some lasting for hours, and racking up phone charges.

I checked the internet access logs, and no problems there. You cannot reach our phone server from the internet, as it is protected by a firewall, and there are no port forwards for select access. I purposely designed it as such to avoid any internet problems.

My CallFlow:

– Check a time condition. In this case, it is after hours, so go to the IVR
– IVR states we are closed, please leave a message for 1 sales or 2 service
– Go to the VM collection extension (x390) and play the unavail message, and open a recording
– Assume call terminates

My log (posted below) shows this process flowing through, but has some considerations that I don’t understand:

a) CallerID number is shown to be the number the cable company claims we called
–> I expect that I should see an origin number, and a destination number

b) I do not see any dialed text going outbound…

–> Maybe this is just an inbound phone call on the 800 line, going to the VM box, and just sitting there until it disconnects / terminates. But then, why wouldn’t I have a huge vm recording like a normal voicemail?

Questions that I have for the forum:

  1. Am I reading the call properly, that the call is coming in, using the toll-free line, and that my box is not redialing to make a new call?

  2. Any idea where the VM recording went? I am puzzled why this evidence is not left here for us to examine. Is it possible for someone to trigger a recording, and make an outbound call?

  3. Is the maxsecs parameter valid for this scenario to limit the call?

  4. Is there a way that the system could track the incoming number, and say if the same number calls 3x in a row, that it terminates the call? Note that these calls happened after hours, and there were no calls processed in-between.

  5. Is there anything obvious that I am missing?

Because we are receiving analog from the cable company, I have no way to distinguish the 800 number from a normal toll call.

Thanks

I was unable to post my log, “Sorry, new users can only mention 2 users in a post”

If the outbound call is on the same line, then do you have three way calling allowed in your dahdi config or “up-line” by your provider itself? If on another line, do you have transfer allowed? Either way, perhaps enable DTMF logging to check what’s going on, and a log of a “bad” call and anything pertinent that ensues. It is possible for analog lines to listen for DTMF codes dialed on the line to allow both “transfer” and “three way calling” behaviors to be honored on the audio stream, so the subversion might well be something that dahdi/asterisk can’t preempt.

Put it up on pastebin or similar.

They are hacking a voicemail box and making the call. You probably have very simple voice mail passwords.

Turn off the transfer option on inbound calls and the ability to make calls from voicemail.

Maybe so, they hacked it well though; by default that ability would be off. If the user set dialout to be from-internal, surely he would have remembered . . .

Hello Everyone,

An update: We set a VM time limit of 2 minutes, and one of those calls came in. VM file was created, and still exists.

We acquired the file, and it is 2 minutes of nothing. No clicks or burps or anything. Dead silence.

So, we know that the person is calling in, and going into our VM, and the call is staying there. The bill from Time Warner is misleading, as the caller was entering our system, and remaining in our system.

I ran a check of the phone numbers doing this, and they all go back to a “not in service” number. Not surprising, as caller-id can be spoofed as easily as an email from Santa Claus.

And yes, the simple voice mail passwords need to be changed. I have recommended that to the customer before.

And I will be turning off the ability to make calls from voicemail, once I find the setting to do so.

Thanks,

Christian

You can fix that with Comedian mail’s maxsilence=5 (or whatever) setting.
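
An added example, not part of the thread: a small Python audit of an Asterisk `voicemail.conf` for the settings discussed above (guessable mailbox passwords, `dialout`/`callback` contexts, `maxsecs`, `maxsilence`). The sample file, the weak-password list and the six-digit minimum are assumptions constructed for illustration, and settings pulled in through `#include` files are not followed.

```python
import re

# Constructed sample in voicemail.conf layout; not the poster's configuration.
SAMPLE_CONF = """\
[general]
maxsecs=120
dialout=from-internal   ; context for calls placed from inside a mailbox
[default]
390 => 390,Message Collection,vm@example.com
201 => 1234,Sales,sales@example.com,,attach=yes|callback=from-internal
202 => 58204917,Service,service@example.com
"""

WEAK = {"0000", "1111", "1234", "4321", "12345", "123456"}  # assumed list
OUTCALL_KEYS = ("dialout", "callback")  # options that let voicemail place calls

def audit_voicemail_conf(text, min_len=6):
    """Audit 'mailbox => password,name,email,pager,options' lines and [general]."""
    findings, section, general = [], None, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if not line:
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            section = header.group(1)
        elif "=>" in line and section != "general":
            box, rest = (s.strip() for s in line.split("=>", 1))
            fields = [f.strip() for f in rest.split(",")]
            pw = fields[0]
            if pw == box or pw in WEAK or len(set(pw)) == 1:
                findings.append((box, "guessable password"))
            elif len(pw) < min_len:
                findings.append((box, "password shorter than %d digits" % min_len))
            for opt in (fields[4] if len(fields) > 4 else "").split("|"):
                if opt.split("=", 1)[0].strip() in OUTCALL_KEYS:
                    findings.append((box, "per-mailbox " + opt.strip()))
        elif "=" in line and section == "general":
            key, val = (s.strip() for s in line.split("=", 1))
            general[key] = val
    for key in OUTCALL_KEYS:
        if general.get(key):
            findings.append(("general", key + " context set: " + general[key]))
    for key in ("maxsecs", "maxsilence"):
        if general.get(key, "0") == "0":
            findings.append(("general", key + " unset: no cap on a silent call"))
    return findings

if __name__ == "__main__":
    print(*audit_voicemail_conf(SAMPLE_CONF), sep="\n")
```

On a FreePBX box the file to feed in is normally `/etc/asterisk/voicemail.conf`; an empty result for the hardened settings means no `dialout`/`callback` context, both time limits set, and no short or guessable mailbox passwords.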