<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns:v = "urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word" xmlns:m =
"http://schemas.microsoft.com/office/2004/12/omml"><HEAD>
<META content=text/html;charset=utf-8 http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.18702">
<STYLE>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</STYLE>
<STYLE><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></STYLE>
</HEAD>
<BODY style="PADDING-LEFT: 10px; PADDING-RIGHT: 10px; PADDING-TOP: 15px"
id=MailContainerBody lang=EN-US leftMargin=0 link=blue topMargin=0 bgColor=white
vLink=purple CanvasTabStop="true" name="Compose message area">
<DIV><FONT color=#000080 face=Tahoma>Ahmed </FONT></DIV>
<DIV><FONT color=#000080 face=Tahoma>One Q.</FONT></DIV>
<DIV><FONT color=#000080 face=Tahoma>How did you solve this billing issue with
your telco?</FONT></DIV>
<DIV><FONT color=#000080 face=Tahoma>Did you pay it all?</FONT></DIV>
<DIV><FONT color=#000080 face=Tahoma>Or any negotiations worked?</FONT></DIV>
<DIV><FONT color=#000080 face=Tahoma></FONT> </DIV>
<DIV><FONT color=#000080 face=Tahoma>Aali</FONT></DIV>
<DIV style="FONT: 10pt Tahoma">
<DIV><BR></DIV>
<DIV style="BACKGROUND: #f5f5f5">
<DIV style="font-color: black"><B>From:</B> <A title=ahmed_elnagar@rayacorp.com
href="mailto:ahmed_elnagar@rayacorp.com">Ahmed Elnagar</A> </DIV>
<DIV><B>Sent:</B> Sunday, January 16, 2011 10:24 PM</DIV>
<DIV><B>To:</B> <A title=kiwi.voice@gmail.com
href="mailto:kiwi.voice@gmail.com">Ki Wi</A> ; <A title=matthnick@gmail.com
href="mailto:matthnick@gmail.com">Nick Matthews</A> </DIV>
<DIV><B>Cc:</B> <A title=cisco-voip@puck.nether.net
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</A> </DIV>
<DIV><B>Subject:</B> Re: [cisco-voip] E1 call Fraud + h.323 Gw</DIV></DIV></DIV>
<DIV><BR></DIV>
<DIV class=WordSection1>
<P class=MsoNormal><SPAN
style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">I
had a similar problem with a 100K USD bill over 3 months and it is the same
problem…never give a voice gateway internet access, also you may consider some
access lists, CORs,…etc to prevent this hacking.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"><o:p> </o:p></SPAN></P>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-FAMILY: 'Arial','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">Best
Regards,<o:p></o:p></SPAN></P>
<P style="BACKGROUND: white" class=MsoNormal><SPAN
style="FONT-FAMILY: 'Arial','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">Ahmed
Elnagar | CCIE#24697 Voice</SPAN><SPAN
style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"><o:p></o:p></SPAN></P></DIV>
<P class=MsoNormal><SPAN
style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"><o:p> </o:p></SPAN></P>
<DIV>
<DIV
style="BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<P class=MsoNormal><B><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt">From:</SPAN></B><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt"> <A
href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</A>
[mailto:cisco-voip-bounces@puck.nether.net] <B>On Behalf Of </B>Ki
Wi<BR><B>Sent:</B> Sunday, January 16, 2011 12:41 PM<BR><B>To:</B> Nick
Matthews<BR><B>Cc:</B> <A
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</A><BR><B>Subject:</B>
Re: [cisco-voip] E1 call Fraud + h.323 Gw<o:p></o:p></SPAN></P></DIV></DIV>
<P class=MsoNormal><o:p> </o:p></P>
<DIV>
<P class=MsoNormal>I had this problem recently also with one of the customers
whose router is connected to the Internet directly. Luckily the telco informed them
about it.<o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><o:p> </o:p></P></DIV>
<DIV>
<P class=MsoNormal>When I remoted in, it was still happening. They are actually
using SIP 5060 to make outgoing calls. What I did was use an ACL to block 5060,
both TCP and UDP. I blocked SCCP and H.323 as well. I set all of them to log, but
it seems like it's only hitting 5060.<BR><BR>Sent from my iPhone<o:p></o:p></P>
<DIV>
<P class=MsoNormal>Pls pardon my fat fingers.<o:p></o:p></P></DIV></DIV>
<DIV>
<P style="MARGIN-BOTTOM: 12pt" class=MsoNormal><BR>On Jan 16, 2011, at 5:19 PM,
Nick Matthews &lt;<A
href="mailto:matthnick@gmail.com">matthnick@gmail.com</A>&gt;
wrote:<o:p></o:p></P></DIV>
<BLOCKQUOTE style="MARGIN-TOP: 5pt; MARGIN-BOTTOM: 5pt">
<DIV>
<P style="MARGIN-BOTTOM: 12pt" class=MsoNormal>I have not seen a case of this
that was not caused by having an internet reachable router with port 5060 TCP
or UDP open. I have these shut down on my home router and I consistently
see scans.  You should always shut down ports TCP/UDP 5060 and TCP 1720
on your router for outside interfaces. Maybe your NAT is not a PAT also,
and it forwards all ports through. NAT is not inherently a security
device, and should not be assumed so.<BR><BR>This has been addressed in
15.1(2)T through some more specific restrictions as
well.<BR><BR>-nick<o:p></o:p></P>
<DIV>
<P class=MsoNormal>On Sat, Jan 15, 2011 at 11:50 PM, Jawad A Hai &lt;<A
href="mailto:ahjawad@hotmail.com">ahjawad@hotmail.com</A>&gt;
wrote:<o:p></o:p></P>
<DIV name="Compose message area">
<DIV>
<P class=MsoNormal><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: navy">Hello
Jason,</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: navy">The CME has Internet
accessibility, but with a NATted IP.</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: navy">It's behind a firewall,
</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: navy">I think we were hacked
by those pay phone gangs,</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: navy">they have somehow
scanned the system for the CLID manipulation, once they found the matching
four digit DID, they have started sending calls using that
DID.</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: navy">I traced the calls,
they were going to "dial to win " hold your call as long as to win prizes,
blah blah.</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: navy">I don’t have any call
pattern.</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: navy">But what amazes me is
the sophistication of those gangs; it was done deliberately during the
weekend.</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: navy">I see SIP call legs in
call logs, I don’t have SIP configured in the CME, but I don’t have in " h.323
to sip and sip to h.323 " conversion in voice service
voip.</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: navy">Still not sure how it
was done, with CLID manipulation.</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: navy">Please share any
ideas.</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<DIV>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt"><o:p> </o:p></SPAN></P></DIV>
<DIV>
<DIV>
<P style="BACKGROUND: whitesmoke" class=MsoNormal><B><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt">From:</SPAN></B><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt"> <A
title=jason.aarons@us.didata.com href="mailto:jason.aarons@us.didata.com"
target=_blank>Jason Aarons (US)</A> <o:p></o:p></SPAN></P></DIV>
<DIV>
<P style="BACKGROUND: whitesmoke" class=MsoNormal><B><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt">Sent:</SPAN></B><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt"> Sunday, January
16, 2011 6:35 AM<o:p></o:p></SPAN></P></DIV>
<DIV>
<P style="BACKGROUND: whitesmoke" class=MsoNormal><B><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt">To:</SPAN></B><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt"> <A
title=ahjawad@hotmail.com href="mailto:ahjawad@hotmail.com"
target=_blank>Jawad A Hai</A> ; <A
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</A>
<o:p></o:p></SPAN></P></DIV>
<DIV>
<P style="BACKGROUND: whitesmoke" class=MsoNormal><B><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt">Subject:</SPAN></B><SPAN
style="FONT-FAMILY: 'Tahoma','sans-serif'; FONT-SIZE: 10pt"> RE: [cisco-voip]
E1 call Fraud + h.323 Gw<o:p></o:p></SPAN></P></DIV></DIV></DIV>
<DIV>
<DIV>
<DIV>
<P class=MsoNormal><o:p> </o:p></P></DIV>
<DIV>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal><SPAN style="COLOR: #1f497d; FONT-SIZE: 11pt">Hopefully the
CME doesn’t have any Internet accessibility? It’s behind a firewall
right?</SPAN><o:p></o:p></P>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal><SPAN
style="COLOR: #1f497d; FONT-SIZE: 11pt"> </SPAN><o:p></o:p></P>
<DIV>
<DIV
style="BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: windowtext 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal><B><SPAN style="FONT-SIZE: 10pt">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt"> <A
href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</A>
[mailto:<A
href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</A>]
<B>On Behalf Of </B>Jawad A Hai<BR><B>Sent:</B> Saturday, January 15, 2011
1:21 PM<BR><B>To:</B> <A
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</A><BR><B>Subject:</B>
[cisco-voip] E1 call Fraud + h.323 Gw</SPAN><o:p></o:p></P></DIV></DIV>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal> <o:p></o:p></P>
<DIV>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal><SPAN style="COLOR: navy">Hello
Group,</SPAN><o:p></o:p></P></DIV>
<DIV>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal> <o:p></o:p></P></DIV>
<DIV>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal><SPAN style="COLOR: navy">Recently I faced a problem with one
of my clients, who has got E1r2, DID/DOD.</SPAN><o:p></o:p></P></DIV>
<DIV>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal><SPAN style="COLOR: navy">He has Cisco CME and Cisco Voice
Gateway.</SPAN><o:p></o:p></P></DIV>
<DIV>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal><SPAN style="COLOR: navy">Suddenly all 30 ports got busy with
international calls. All the calls are being generated by ONE IP Phone which
has got local extension 2000.</SPAN><o:p></o:p></P></DIV>
<DIV>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal><SPAN style="COLOR: navy">This extension was translated to a DID
number, so that any call that goes out via this number takes the DID and any call
that comes in on this DID will land on this phone.</SPAN><o:p></o:p></P></DIV>
<DIV>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal><SPAN style="COLOR: navy">The CME was configured to access via
outside with live IP. ie Live IP to Local IP
(NAT).</SPAN><o:p></o:p></P></DIV>
<DIV>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal><SPAN style="COLOR: navy">Now the thing here is all the calls
which were generated are international calls, we rebooted the gw, we rebooted
the CME it stayed same..once it reboots all 30 ports got busy with
international calls.</SPAN><o:p></o:p></P></DIV>
<DIV>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal><SPAN style="COLOR: navy">Calls going to African
countries/Russian countries (dial codes belong to these
countries).</SPAN><o:p></o:p></P></DIV>
<DIV>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal><SPAN style="COLOR: navy">When I changed the international
dial peer on the CME they stopped.</SPAN><o:p></o:p></P></DIV>
<DIV>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal><SPAN style="COLOR: navy">But catch here is they have received
more than 100 k USD bill from TELCO. DEAD DEAD Bang
Bang.</SPAN><o:p></o:p></P></DIV>
<DIV>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal><SPAN style="COLOR: navy">What are the chances of toll Fraud
or any other way of hacking ?</SPAN><o:p></o:p></P></DIV>
<DIV>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal><SPAN style="COLOR: navy">OR could it be TELCO side
issue?</SPAN><o:p></o:p></P></DIV>
<DIV>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal><SPAN style="COLOR: navy">Cuz I see mostly calls are being
generated by single DID number ??</SPAN><o:p></o:p></P></DIV>
<DIV>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal> <o:p></o:p></P></DIV>
<DIV>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal><SPAN style="COLOR: navy">Aali</SPAN><o:p></o:p></P></DIV>
<DIV>
<P style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"
class=MsoNormal> <o:p></o:p></P></DIV></DIV>
</DIV></DIV></DIV>
<P style="MARGIN-BOTTOM: 12pt"
class=MsoNormal><BR>_______________________________________________<BR>cisco-voip
mailing list<BR><A
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</A><BR><A
href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</A><o:p></o:p></P></DIV>
<P class=MsoNormal><o:p> </o:p></P></DIV></BLOCKQUOTE>
</DIV>
<P>
<HR>
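<P class=MsoNormal>Added example, not written by any poster in this thread: the replies above block SIP 5060, H.323 1720 and SCCP on the outside interface with a logging ACL and then check what is hitting it. This Python script tallies denied VoIP-signaling packets from Cisco IOS %SEC-6-IPACCESSLOGP log lines per service and per source address. The ACL name OUTSIDE-IN, the addresses and the sample lines are constructed, and SCCP is assumed to be on its default TCP port 2000.</P>
<PRE>
```python
import re
from collections import Counter

# Ports named in the thread: SIP 5060 (TCP/UDP), H.323 call signaling TCP 1720,
# and SCCP (assumed here to be on its default TCP port 2000).
VOIP_PORTS = {5060: "SIP", 1720: "H.323", 2000: "SCCP"}

# Cisco IOS log message emitted for TCP/UDP matches on an ACL entry with "log".
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (\S+) (denied|permitted) (tcp|udp) "
    r"([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\), (\d+) packets?"
)


def tally_voip_hits(lines):
    """Count denied packets aimed at VoIP signaling ports.

    Returns (packets per (service, proto), packets per source IP)."""
    by_service = Counter()
    by_source = Counter()
    for line in lines:
        m = ACL_LOG.search(line)
        if not m:
            continue  # not an ACL log line
        _acl, action, proto, src, _sport, _dst, dport, count = m.groups()
        service = VOIP_PORTS.get(int(dport))
        if action != "denied" or service is None:
            continue  # permitted traffic or a non-VoIP port
        by_service[(service, proto)] += int(count)
        by_source[src] += int(count)
    return by_service, by_source


def noisy_sources(by_source, threshold=10):
    """Source IPs whose denied VoIP packet count reaches the threshold."""
    return sorted(ip for ip, n in by_source.items() if n >= threshold)


# Constructed sample log lines (documentation address ranges), not from the thread.
SAMPLE = [
    "Jan 16 12:01:02: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied udp 203.0.113.7(5071) -> 198.51.100.2(5060), 1 packet",
    "Jan 16 12:06:02: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied udp 203.0.113.7(5071) -> 198.51.100.2(5060), 14 packets",
    "Jan 16 12:07:40: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 203.0.113.99(40112) -> 198.51.100.2(5060), 3 packets",
    "Jan 16 12:09:13: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 192.0.2.44(51515) -> 198.51.100.2(23), 2 packets",
    "Jan 16 12:10:00: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN permitted tcp 192.0.2.10(33000) -> 198.51.100.2(1720), 1 packet",
    "Jan 16 12:11:00: %LINK-3-UPDOWN: Interface Serial0/0/0:15, changed state to up",
]

if __name__ == "__main__":
    services, sources = tally_voip_hits(SAMPLE)
    for (service, proto), n in services.most_common():
        print(f"{service}/{proto}: {n} packets denied")
    print("sources at or above threshold:", noisy_sources(sources))
```
</PRE>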
</BODY></HTML>