Preventing "Unauthorized" Outbound Caller ID Numbe

JRayfield · Post by **JRayfield** » Sat Jan 27, 2024 11:06 am

1. Brekeke Product Name and Version:
Brekeke SIP Server - 3.14.5.17/563.2

2. Java version:
11.0.15

3. OS type and the version:
Windows Server 2012

4. UA (phone), gateway or other hardware/software involved:
3CX

5. Your problem:
I'm trying to only allow outbound calls from users who are using Outbound Caller ID numbers that are in an Alias List. This is to prevent users from attempting to spoof Outbound Caller ID numbers and using Caller ID Numbers that are not properly registered for calling 911.

My Matching Pattern that I have so far is:

$request = ^INVITE
$registered("registered-name") = true
$addr = ^3CX-PBX-IP-Address$
To = sip:(.+)@
From = sip:(.+)@

I think the From = sip:(.+)@ returns the Outbound Caller ID number that is being used for the call in this format: xxxxxxxxxx (the Outbound Caller ID number without a leading 1).

My Alias List will include something like this:

1xxxxxxxxxx as the Alias Name that is 'authorized'.

I tried this:

$alias.lookup("%2") = 1%2

This did not work. No outbound calls could be made. So I've obviously got the syntax wrong somewhere. But I know that I need to do an alias.lookup.

I think what I need is to Evaluate the $alias.lookup to see if it was successful or not, and if successful, then the Deploy Pattern will be executed, otherwise it won't.

How can this be done?

JRayfield · Post by **JRayfield** » Mon Jan 29, 2024 9:16 am

I tried this:

$alias.lookup("1%2") = (.+)

And it worked.

Now, any outbound calls, where the Outbound Caller ID that is being used, is not found in the Alias List (with a leading '1' in the Alias List entry), will not go through.

This prevents someone from spoofing a telephone number, or using any other number, other than a valid 10 digit telephone number that has been assigned to them, for Outbound Caller ID.

I'm finding that Alias Lists can be used for many things, really enhancing the value of BSS.

Laurie · Post by **Laurie** » Mon Jan 29, 2024 11:50 am

Hi

> $registered("registered-name") = true

Is "registered-name" always the same?
Is it the same as From-URI's caller ID?

> that is being used for the call in this format:
> xxxxxxxxxx (the Outbound Caller ID number without a leading 1).

Is there any chance that the caller might put a leading 1 as the prefix?
The definition below accepts both xxxxxxxxxx and 1xxxxxxxxxx, and also checks the length of the caller ID whether it is 10 digits or not.

From = sip:1?(.{10,10})@

JRayfield · Post by **JRayfield** » Mon Jan 29, 2024 6:32 pm

For a given user, the registered-name would be the same, but this system handles calls from many users, so there are many 'registered-name' entries. For each one of these, there is an outbound call set of Matching and Deploy patterns.

The outbound dialing that goes through BSS is from 3CX phone systems, so the incoming "Outbound Caller ID" should never have a '1' in it, however, I like your definition that allows for this.

I did just think of something else. I need to allow for 911 calls to go through, no matter what the Outbound Caller ID is set to, and only block calls that are going to 10/11 digit destinations, where the Outbound Caller ID is not in the Alias List. So, I need this to only block outbound calls that are not going to '911'.

JRayfield · Post by **JRayfield** » Tue Jan 30, 2024 9:45 am

So, now I have this:

$request = ^INVITE
$registered("registered-user") = true
$addr = ^3CX_IP-Address$
To = sip:(.+)@
From = sip:(.+)@
$alias.lookup("1%2") = (.+)

If the Outbound Caller ID telephone number, that shows up in the From header, isn't in the Alias List, then this Outbound Call will not go through.

But, I need an exception for when the To header is "911".

I'm not sure how to set up an exception here.

John

Laurie · Post by **Laurie** » Tue Jan 30, 2024 1:07 pm

If you want to check whether the caller ID is registered or not, you can define $registered like this.

$registered(From) = true

So you don't have to write "registered-name" for all $registered definitions.

JRayfield · Post by **JRayfield** » Tue Jan 30, 2024 1:29 pm

Ok. I'll look at possibly using $registered(From) - true.

So far, if the Outbound Caller ID is a 10 digit number, and it's in the Alias List, then any outbound number dialed will be accepted (will go through).

And if the Outbound Caller ID is NOT in the Alias List, then any outbound number dialed will not be accepted (will not go through).

Now I need an exception to the above, so that if the Outbound Caller is is NOT in the Alias List, but the number being called is '911', then that outbound call will be accepted (will go through).

Laurie · Post by **Laurie** » Tue Jan 30, 2024 3:29 pm

How about adding a new rule for 911 prior to the current rules?

[Matching Patterns]
$request = ^INVITE
To = sip:911@

[Deploy Patterns]
To = sip:911@<carrier_ip>

JRayfield · Post by **JRayfield** » Tue Jan 30, 2024 5:21 pm

Each user has a 'code' assigned to them (a 6 digit number) that is prepended to the telephone number that they're dialing. This allows us to track the call through our upstream provider for billing purposes. This does mean that I have an 'Outbound' Matching/Deploy Pattern for each user. It's a lot of entries in the Dial Plan, but necessary.

To duplicate this with '911' calls, as you suggest, would mean an extra Matching/Deploy Pattern for each user. It's doable, just a lot more information to enter into BSS. But, this may be the best way to do it (and simplest).

John

Laurie · Post by **Laurie** » Tue Jan 30, 2024 10:36 pm

Who put a prepended 6 digit number? Is it a calling user? or Dial Plan?
Is a caller ID paired with a unique 6 digit number?

JRayfield · Post by **JRayfield** » Wed Jan 31, 2024 10:16 am

The 6 digit prepended number is attached in BSS in the Deploy Pattern for each user, as the outbound call is processed.

The Outbound Caller ID is not paired, but the Registered User is paired, along with the Registered User's IP address of their 3CX IP PBX.

So, a combination of Username/Password and IP address are being used for Authentication of each user, and then the Deploy Pattern for each user is where the unique 6 digit number is appended to the telephone number that they have dialed.

John

Laurie · Post by **Laurie** » Wed Jan 31, 2024 12:47 pm

> $registered("registered-name") = true
> $addr = ^3CX-PBX-IP-Address$

It can be written as the following.

Code: Select all

$regAddr("registered-name") = ^(.+):
$addr = %1

With the above, you don't have to write 3CX-PBX-IP-Address.

JRayfield · Post by **JRayfield** » Thu Feb 01, 2024 5:24 pm

That last bit of code could save some time when entering new users, since I wouldn't have to look up their IP PBX public IP address.

I've got a question regarding this code:

From = sip:1?(.{10,10})@

I think I understand the .{10,10} portion - Match any character, at least 10 times, but no more than 10 times. Correct?

But what about the '?'? I can't find any reference to that in the documentation (or wiki) for that in a Dial Plan.

Laurie · Post by **Laurie** » Thu Feb 01, 2024 6:18 pm

> .{10,10} portion - Match any character, at least 10 times, but no more than 10 times. Correct?

Yes. So it can be .{10}

> But what about the '?'? I can't find any reference to that in the documentation (or wiki) for that in a Dial Plan.

? means zero or one occurrences of the preceding element.
so sip:1?(.{10})@ matches both sip:1xxxxxxxxxx@ or sip:xxxxxxxxxx@

FYI: https://en.wikipedia.org/wiki/Regular_e ... c_concepts

JRayfield · Post by **JRayfield** » Thu Feb 01, 2024 7:52 pm

Thanks Laurie! I want to learn more about Regular Expressions. I've wondered if there was a way to do more along the lines of 'IF' statements in other programming languages. I see there is, using the correct Regular Expressions. This is cool!