<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.26.0">
</HEAD>
<BODY>
I haven't had much trouble with Nigeria and Romania as destinations, but special services numbers in the UK, Germany, Netherlands etc have all been a magnet for IRSF. I think your dollar notification is on the right path though since ultimately that is what matters, with the destination being a moving target.<BR>
<BR>
Some tips I can offer:<BR>
<BR>
Collect CDR's in as near to real-time as possible. If possible use radius from your SBC or a live feed from the softswitch. <BR>
<BR>
Get actual CDR's that show start and stop events for calls, not just billing records that are cut at the completion of a call. It is useless to be told after the fact that you just got burned on a series of 6 hour calls.<BR>
<BR>
Limit calls per Customer/IP/AOR to something reasonable. This prevents one exploited customer from nailing up 300 calls to high dollar destinations. You will need to feel this out in your own business model. <BR>
<BR>
Limit call length, and do it somewhere that it cannot be circumvented. This will prevent the guy that does manage to nail up a few dozen calls on an exploited account to Liberia from keeping them up for 12+ hours while you snooze away blissfully ignorant of your bank account emptying. I typically go for 3-4 hour limits but your customer base will make this determination. <BR>
<BR>
Finally, monitor your CDR's, constantly. Even a script that crawls your radius logs every few minutes looking for open calls to high dollar destinations and takes preventative measures (notification etc) when the potential cost of the call breaches a limit can save you tons of heartache. Obviously you will need to determine for yourself what is normal and what is not. <BR>
<BR>
There are of course dozens of other places to implement preventative measures, and the best approach is a multi-tiered one where you guard at the access side to your network (IPsec, locked down devices etc etc), core (methods described above), and even at the ordering process (filter as many fishy customers out before they are customers). All measures taken in the switch should be considered "last resort" since the fraudulent calls only get there if everything else fails, and once they do there is no way they wont cost you money. <BR>
<BR>
<BR>
Though at this point it would be worth discussing we collectively maintain a list of confirmed toll-fraud destinations. I have some ranges I have just black-holed since the offenders were quite persistent, and I am certain you all do too and a place where we could all share that information would be great. <BR>
<BR>
<BR>
<BR>
On Fri, 2009-10-23 at 14:29 -0400, Peter Beckman wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
On Fri, 23 Oct 2009, Nick Vermeer wrote:
> I'd like tap the collective knowledge here for some fraud prevention and detection resources.
>
> Anyone have any information they can share on common fraudulent calls (i.e. Countries and associated digit strings)
> What metrics have worked best to match to detect fraud before it becomes a significant cost?
> What platforms have people used to analyze the raw data?
>
> Links or RTFM pointers appreciated :).
Nigeria and Romania are the biggest (+232 and +40). Any time a call is
made to either of those destinations we are notified.
We also get notified when people spend more than $10 our cost in
termination, anywhere, in a period of time.
---------------------------------------------------------------------------
Peter Beckman Internet Guy
<A HREF="mailto:beckman@angryox.com">beckman@angryox.com</A> <A HREF="http://www.angryox.com/">http://www.angryox.com/</A>
---------------------------------------------------------------------------
_______________________________________________ VoiceOps mailing list <A HREF="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</A> <A HREF="https://puck.nether.net/mailman/listinfo/voiceops">https://puck.nether.net/mailman/listinfo/voiceops</A>
_______________________________________________ VoiceOps mailing list <A HREF="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</A> <A HREF="https://puck.nether.net/mailman/listinfo/voiceops">https://puck.nether.net/mailman/listinfo/voiceops</A>
</PRE>
</BLOCKQUOTE>
</BODY>
</HTML>