Spam Calls

Discussion in '3CX Phone System - General' started by Biber, Dec 18, 2017.

Thread Status:
Not open for further replies.
  1. Biber

    Joined:
    Jul 28, 2015
    Messages:
    23
    Likes Received:
    0
    Hi,

    every day, I get spam calls from a phone which is named "test" I cant' see a number or an IP or something else in the log. If I pick up the call I hear 30 sec nothing, then its hanging up.

    What can I do?
     
  2. eddv123

    eddv123 Well-Known Member

    Joined:
    Aug 15, 2017
    Messages:
    1,217
    Likes Received:
    173
    Hi,

    Is it at the same time of day to the same extension ? either way if it is every day then it should be fairly easy to trace either using 3CX VERBOSE logging or a PCAP/Wireshark trace.

    Also worth checking your 3CX System for any extensions, ring groups, trunks etc called "test" as this is normally a common name used when setting up and in the "testing" phase of a system.
     
  3. lneblett

    lneblett Well-Known Member

    Joined:
    Sep 7, 2010
    Messages:
    2,083
    Likes Received:
    61
    If there is nothing in the 3CX logs then it is most likely someone using a SIP scanner. This is when someone from the outside is scanning various IPs looking for open ports. As 5060 is a common port and known to be for SIP, when they find it, then they may start attacks to see whatever responses they can in an effort to do no good.

    In essence, they are dialing your extension directly causing it to ring and bypassing 3CX so there is no log. Folks often call these ghost calls. You hear no audio as your phone has local RTP set internally that are different than those set in 3CX and the firewall and as a result inbound audio is not able to be heard. They may however hear you. Just depends on how sophisticated they are with the tools being used.

    You should if at all possible, install rules in your firewall to only allow the IPs you need to traverse same for 5060 or your SIP port and then block or drop all others. If you indicate reject, the router will send a response to the attacker thereby letting them know they were onto something and they may start to scan for other weaknesses. Block or drop simply prevents them access, but sends no response. It makes it appear as if the port is closed. You should also have settings in your phones that can be used to prevent the unwanted. These are typically something along the line of accept SIP messaging from SIP proxy only or similar. This tells the phone that only SIP messaging from 3CX is to be allowed.
     
Thread Status:
Not open for further replies.