Just need a little understanding on a remote home worker STUN call receiving ghost "1001" calls. Being a single home worker on an ISP provided router/firewall, it is just set up as a STUN extension, no port forwarding, no sbc. It have been working fine for a couple of years plus this way. Before you suggest manual changes such as firewall restrictions or disabling direct sip in the phone web interface, I want to keep the setup simple for a home worker, but I want to understand something. If there is no port forwarding in the router to the phone, then my understanding is the ports should be dynamically open in the router, initiated by the phone contacting our PBX and registering, and those dynamic ports in the router should only listening for a response from our PBX ip address. If this is correct, then a SIP scanner from the internet should not be able to reach the phone, unless the IP is being spoofed, or perhaps there is a computer that is compromised on the local lan and the ghost call is being initiated locally. Is this correct?