<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" 
xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="&#1;" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.ecmsonormal, li.ecmsonormal, div.ecmsonormal
        {mso-style-name:ec_msonormal;
        mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.ecmsonormal1, li.ecmsonormal1, div.ecmsonormal1
        {mso-style-name:ec_msonormal1;
        mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
span.ecmsohyperlink
        {mso-style-name:ec_msohyperlink;}
span.ecmsohyperlinkfollowed
        {mso-style-name:ec_msohyperlinkfollowed;}
span.ecemailstyle17
        {mso-style-name:ec_emailstyle17;}
span.ecmsohyperlink1
        {mso-style-name:ec_msohyperlink1;
        color:blue;
        text-decoration:underline;}
span.ecmsohyperlinkfollowed1
        {mso-style-name:ec_msohyperlinkfollowed1;
        color:purple;
        text-decoration:underline;}
span.ecemailstyle171
        {mso-style-name:ec_emailstyle171;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.EmailStyle26
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle27
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle28
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle29
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle30
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Well List, thank you for the assistance.&nbsp; I have run the
following commands on all of my routers to block SIP:<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal>voip-gateway(config)#sip-ua <br>
voip-gateway(config-sip-ua)#no transport udp<br>
voip-gateway(config-sip-ua)#no transport tcp<o:p></o:p></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I have not acted on H.323, as the routers don&#8217;t appear to be
listening on the H.323 port.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Pender, James
[mailto:James.Pender@PAETEC.com] <br>
<b>Sent:</b> Thursday, January 08, 2009 12:35 PM<br>
<b>To:</b> Ryan West; Mark Holloway; Corbett Enders; 'Ahmed Elnagar'<br>
<b>Cc:</b> 'VOIP Group'<br>
<b>Subject:</b> RE: [cisco-voip] Fraud calls to Cuba - Please read<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Don't forget TCP/5060. I assist my company's fraud team from time
to time with VoIP fraud, and when we find an open CME/CUBE or the like and we ask
for it to be secured, most people forget that SIP can run on both UDP and TCP
and they leave themselves vulnerable.</span><o:p></o:p></p>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<div class=MsoNormal align=center style='text-align:center'>

<hr size=2 width="100%" align=center>

</div>

<p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> cisco-voip-bounces@puck.nether.net
[mailto:cisco-voip-bounces@puck.nether.net] <b>On Behalf Of </b>Ryan West<br>
<b>Sent:</b> Thursday, January 08, 2009 2:11 PM<br>
<b>To:</b> Mark Holloway; 'Corbett Enders'; 'Ahmed Elnagar'<br>
<b>Cc:</b> 'VOIP Group'<br>
<b>Subject:</b> Re: [cisco-voip] Fraud calls to Cuba - Please read</span><o:p></o:p></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Yeah, just allow UDP/5060 to the proxy, deny all other SIP
traffic and allow the UDP ranges above 1024.&nbsp; Most SIP providers do not
use the 16384 &#8211; 32767 range for RTP streams.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>-ryan<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Mark Holloway
[mailto:mh@markholloway.com] <br>
<b>Sent:</b> Thursday, January 08, 2009 14:07<br>
<b>To:</b> 'Corbett Enders'; Ryan West; 'Ahmed Elnagar'<br>
<b>Cc:</b> 'VOIP Group'<br>
<b>Subject:</b> RE: [cisco-voip] Fraud calls to Cuba - Please read<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>What is the proposed solution if CME is using a SIP Trunk to an
ITSP?&nbsp; &nbsp;I assume an ACL would be the best way to secure the router.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] <b>On
Behalf Of </b>Corbett Enders<br>
<b>Sent:</b> Thursday, January 08, 2009 10:37 AM<br>
<b>To:</b> Ryan West; Ahmed Elnagar<br>
<b>Cc:</b> VOIP Group<br>
<b>Subject:</b> Re: [cisco-voip] Fraud calls to Cuba - Please read<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>So it turns out SIP 5060 is open, after running show ip sockets.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Interestingly enough, the hacker is connected to me right now
(though we&#8217;ve blocked international calls at the telco level).<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>His IP is 124.217.250.240.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If you read this article, <a href="http://www.honeynor.no/">http://www.honeynor.no/</a>,
it describes the attack in detail. I found the article by searching the phone
number initially dialed, &nbsp;52555169000.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Ryan West
[mailto:rwest@zyedge.com] <br>
<b>Sent:</b> Wednesday, January 07, 2009 9:50 PM<br>
<b>To:</b> Ahmed Elnagar; Corbett Enders<br>
<b>Cc:</b> VOIP Group<br>
<b>Subject:</b> RE: [cisco-voip] Fraud calls to Cuba - Please read<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If the router is connected to the Internet, both H323 TCP/1720
and SIP UDP/5060 need to be blocked.&nbsp; I don&#8217;t remember the command
for checking the listening ports offhand, but on some versions of code it is show ip sockets.&nbsp; Check this
out to actually disable default SIP and H323 processing:<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><a
href="https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router">https://supportwiki.cisco.com/ViewWiki/index.php/How_to_disable_H.323_and_Session_Initiation_Protocol_(SIP)_services_on_TCP_ports_1720_and_5060_of_a_IOS_gateway_router</a><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>-ryan<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] <b>On
Behalf Of </b>Ahmed Elnagar<br>
<b>Sent:</b> Wednesday, January 07, 2009 23:13<br>
<b>To:</b> cenders@homesbyavi.com<br>
<b>Cc:</b> VOIP Group<br>
<b>Subject:</b> Re: [cisco-voip] Fraud calls to Cuba - Please read<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:10.0pt;
font-family:"Verdana","sans-serif"'><br>
Wow...exactly the same problem I had...but with PRI...I have a site in Egypt
where the user called us one day and informed us that he has a bill from the Telco
for 100,000$ for a period of 3 months and they never produce this amount of
calls...all calls were to random numbers and the calls never exceeded 1 minute
and these random numbers happen to start with 00 which is the
international prefix here in Egypt.<br>
&nbsp;<br>
After long nights of troubleshooting...I found that the gateway was configured
to register SIP phones from the internet and I found an IP address from Mexico
City that was attempting these random calls very frequently, the strange thing is that
the gateway was accepting these calls and routing them to the H323 side which relayed the
calls to the PRI.<br>
&nbsp;<br>
I did the following to ensure that it will not happen again...removed SIP
entirely from the gateway...converted the gateway to MGCP so that every call that
passes through the gateway will need signalling from Callmanager and will leave a
record in the CDR. But the strange thing is that the problem continued...<br>
&nbsp;<br>
During troubleshooting we noticed something strange...a lot of incoming calls
coming to the PRI from a certain local number...and it was 3 AM in the morning
we called this number and he told us that he knows no one at this site and he
has a problem that he got high invoices from the Telco too...so we came up
with this conclusion...it seems that the CO equipment has some problems and
is generating calls on behalf of the user to random numbers...a strange thing I
know but till now this company is still in discussions with the Telco to
solve this problem.<br>
&nbsp;<br>
I suggest doing the following...try to review the CDR files and get a detailed bill
from your Telco and try to compare these calls with the CDR calls maybe this
would help you...also try to activate some debugs and show commands &quot;there
are some tools that can automate a show command every 5 mins or so&quot; to know
exactly when these calls happen and what their source is.<br>
&nbsp;<br>
Good luck with this strange issue.<o:p></o:p></span></p>

<div>

<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:10.0pt;
font-family:"Verdana","sans-serif";color:black'>Thanks,</span><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><br>
<span style='color:black'>Ahmed Elnagar</span><o:p></o:p></span></p>

<div class=MsoNormal align=center style='text-align:center'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>

<hr size=2 width="100%" align=center>

</span></div>

<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:10.0pt;
font-family:"Verdana","sans-serif"'>From: cenders@homesbyavi.com<br>
To: cisco-voip@puck.nether.net<br>
Date: Wed, 7 Jan 2009 20:26:56 -0700<br>
Subject: [cisco-voip] Fraud calls to Cuba - Please read<o:p></o:p></span></p>

</div>

<div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Hello
List,<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>&nbsp;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>I&#8217;ve got a situation with 2 remote sites.&nbsp; Over the
course of several days in late November, somehow the analog POTS line in the
site (which we use for SRST backup) proceeded to make approx 4,940 calls to
Cuba.&nbsp; There wasn&#8217;t really a pattern to the calls.&nbsp; It started
with a couple of repeated calls to the same number and from that point, the
dialed number changed (not dialed in any sort of sequential pattern
either).&nbsp; Calls varied in duration from 0 seconds to many minutes
long.&nbsp; Sometimes the next call would happen right away and other times
there would be several minutes delay between calls.&nbsp; This proceeded to
occur over the course of about a day and a half until the POTS provider called
us and we blocked the line.</span><span style='font-size:10.0pt;font-family:
"Verdana","sans-serif"'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>&nbsp;</span><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>The analog line in the show home serves 2 purposes.&nbsp; It is
connected to the SRST FXO port on the Cisco 2801 router and also connects to
the analog fax machine.</span><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>&nbsp;</span><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>At this point, the POTS provider feels that somehow the 2801
router has been compromised and is being used to route calls out the FXO
port.&nbsp; We have a cordless phone on an ATA, and at first they felt this was
the source but I indicated that any calls from the cordless phone would leave
through our PRI in the main office, through the phone line on the FXO port.</span><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>&nbsp;</span><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>Even if someone had managed to guess our admin password for the
console of the router, I don&#8217;t believe that person sitting on the
Internet would be able to get a call to connect from their computer, through
the Internet, and leave out our FXO port in our site.</span><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>&nbsp;</span><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>I&#8217;m wondering if anyone on the list has some thoughts as
to how the system could have been compromised or if it just isn&#8217;t
possible.&nbsp; The POTS line is actually a digital line provided by Shaw (a
local cable/telco in Alberta).&nbsp; I feel that their &#8220;digital&#8221;
phone terminal has been compromised though it isn&#8217;t connected to the
Internet in any way.&nbsp; One other possibility is old school phone phreaking
where someone has actually tapped into the physical line but they would have
been sitting outside in the cold for a very long time making these crazy calls.</span><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>&nbsp;</span><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>I look forward to any insight the collective brain power of this
list can provide. The bill for these calls is over $6000.</span><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>&nbsp;</span><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>Regards,</span><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>Corbett Enders.</span><span style='font-size:10.0pt;font-family:
"Verdana","sans-serif"'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'>&nbsp;</span><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p>

<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Corbett
Enders</span></b><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Network
Manager<br>
Homes by Avi - 2007 Canadian Builder of the Year.<br>
Tel:&nbsp;(403) 536-7170<br>
Fax:&nbsp;(403) 536-7171<br>
</span><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><a
href="http://www.homesbyavi.com/"><span style='font-family:"Arial","sans-serif"'>www.homesbyavi.com</span></a></span><span
style='font-size:10.0pt;font-family:"Arial","sans-serif"'> </span><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>&nbsp;<o:p></o:p></span></p>

</div>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p>&nbsp;</o:p></span></p>

<div class=MsoNormal align=center style='text-align:center'><span
style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>

<hr size=2 width="100%" align=center>

</span></div>



</div>

</body>

</html>