[VoiceOps] Fraud fun

Robert Dawson RDawson at alliedtelecom.net
Thu May 19 14:41:13 EDT 2011


> -- It's just a matter of time before they remove the string
> "friendly-scanner" from their SIP messages.

They already have - I saw it at my previous employer. They changed the UA string to "suny" or "sunny", maybe "happy" something or other, don't remember the exact string and have no access to the systems any more. 

I am surprised no one else has seen it???


Robert Dawson


> -----Original Message-----
> From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Mark R Lindsey
> Sent: Wednesday, May 18, 2011 1:35 PM
> To: Alex Balashov
> Cc: voiceops at voiceops.org
> Subject: Re: [VoiceOps] Fraud fun
> 
> Cool use of iptables. There's definitely short-term tactical value in
> taking advantage of the signature "friend-scanner" --
> 
> But we also know that the SIPvicious user population is getting more
> sophisticated.
> 
> -- At our clients, they've slowed their scanning rate so they're no
> longer causing overload attacks.
> 
> -- It's just a matter of time before they remove the string
> "friendly-scanner" from their SIP messages.
> 
> 
> mark at ecg.co  |  +1-229-316-0013  |  http://ecg.co/lindsey
> 
> 
> 
> On May 18, 2011, at 12:46 PM, Alex Balashov wrote:
> 
> > Ghetto, but goes a long way in helping harden individual Asterisk
> > servers on which one has no choice but to leave the SIP call agent open
> > to the public Internet:
> >
> > iptables -A INPUT -p UDP --dport 5060 -m string --algo bm --string 'friendly-scanner' -j DROP
> >
> >
> > On 05/18/2011 12:42 PM, Spencer wrote:
> >
> >> I'm not sure what your requirements are but, we recently blocked all
> >> non-ARIN IP space from reaching our registrars. We had something similar
> >> happen and this has essentially eliminated the fraudulent calls we saw.
> >>
> >> Thanks,
> >> Spencer
> >>
> >> ------------------------------------------------------------------------
> >> Message: 1
> >> Date: Tue, 17 May 2011 15:53:15 -0700
> >> From: Darren Schreiber <d at d-man.org>
> >> To: "VoiceOps at voiceops.org" <VoiceOps at voiceops.org>
> >> Subject: [VoiceOps] Fraud fun
> >> Message-ID: <C9F84A6B.2097A%d at d-man.org>
> >> Content-Type: text/plain; charset="us-ascii"
> >>
> >> Hi folks,
> >> We have been hit twice in the past two days with calls to
> >> 011-252-XXXXXXXX (calls to Somalia I believe, and the originating IP is
> >> from Pakistan)
> >>
> >> It's the same user each time, I think he had a weak password, but it
> >> cost us over $100, which isn't too bad (we catch it quick) but I'd like
> >> to get it closer to $0. :-)
> >>
> >> Any good recommendations for IP ranges to block from incoming connections?
> >>
> >> Thanks,
> >>
> >> Darren Schreiber
> >> CEO / Co-Founder
> >>
> >> 2600hz | www.2600hz.com
> >> sip:darren at 2600hz.com
> >> tel:415-886-7901
> >>
> >> _______________________________________________
> >> VoiceOps mailing list
> >> VoiceOps at voiceops.org
> >> https://puck.nether.net/mailman/listinfo/voiceops
> >
> >
> > --
> > Alex Balashov - Principal
> > Evariste Systems LLC
> > 260 Peachtree Street NW
> > Suite 2200
> > Atlanta, GA 30303
> > Tel: +1-678-954-0670
> > Fax: +1-404-961-1892
> > Web: http://www.evaristesys.com/
> 
> 
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
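
Added example, not from any poster in this thread: the iptables rule quoted above matches a single User-Agent string, and the replies note that the string has already been changed. This Python code flags a source by how many distinct SIP users it probes as well as by that signature; the threshold, host name, addresses, `make()` helper and the `renamed-ua` and `DeskPhone/1.0` values are constructed assumptions.

```python
import re
from collections import defaultdict

SIGNATURES = ("friendly-scanner",)  # UA string matched by the iptables rule in the thread
MAX_TARGETS = 3                     # assumed threshold: distinct users probed per source

def parse_sip(raw):
    """Return (method, target user, User-Agent) from one raw SIP request."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    m = re.search(r"sips?:([^@>;]+)@", headers.get("to", ""))
    return method, (m.group(1) if m else None), headers.get("user-agent", "")

def classify(packets):
    """packets: iterable of (source_ip, raw_message). Returns {ip: set of reasons}."""
    targets = defaultdict(set)
    reasons = defaultdict(set)
    for ip, raw in packets:
        method, user, ua = parse_sip(raw)
        if any(sig in ua.lower() for sig in SIGNATURES):
            reasons[ip].add("signature")      # what the string-match rule would catch
        if method in ("REGISTER", "INVITE", "OPTIONS") and user:
            targets[ip].add(user)
    for ip, users in targets.items():
        if len(users) > MAX_TARGETS:          # behaviour-based, independent of the UA
            reasons[ip].add("enumeration")
    return dict(reasons)

def make(method, user, ua):
    # Constructed minimal SIP request for the sample data (hypothetical helper)
    return (f"{method} sip:pbx.example.com SIP/2.0\r\n"
            f"To: <sip:{user}@pbx.example.com>\r\n"
            f"User-Agent: {ua}\r\n"
            "Content-Length: 0\r\n\r\n")

# Constructed sample traffic: signature scanner, renamed scanner, ordinary phone
SAMPLE = (
    [("192.0.2.10", make("REGISTER", str(100 + i), "friendly-scanner")) for i in range(5)]
    + [("198.51.100.7", make("REGISTER", str(200 + i), "renamed-ua")) for i in range(5)]
    + [("203.0.113.5", make("REGISTER", "301", "DeskPhone/1.0"))] * 4
)

if __name__ == "__main__":
    for ip, why in sorted(classify(SAMPLE).items()):
        print(ip, sorted(why))
```

The renamed source carries no signature but is still flagged for enumeration, while the phone re-registering a single user is not.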


