Frequent Advisor
Posts: 41
0

spam calls group 500

System details-

RP Group 500

firmware- 6.1.0-310348

 

User is getting strange spam calls that appear to originate from itself in the CDRs-

IP address of unit is- 10.89.7.2 with a 1:1 public IP

 

Incoming spam call occurring every few minutes-

2240@10.89.7.2 100000@10.89.7.2 1230@10.89.7.2 2240@10.89.7.2 1230@10.89.7.2 2250@10.89.7.2 1230@10.89.7.2 2250@10.89.7.2 100000@10.89.7.2 1230@10.89.7.2 2250@10.89.7.2 2250@10.89.7.2 2260@10.89.7.2 1240@10.89.7.2 100000@10.89.7.2 2260@10.89.7.2 1240@10.89.7.2

 

 

And so on constantly. 

Unit is not registered to any gatekeeper/registrar but service has firewall rules to block all traffic except for three IPs that they use for VMRs. Can anyone advise why and how these calls are still coming through and why the CDRs are giving these strange originating addresses?

 

I've already read previous statements from Polycom on this and this user is not going to invest in an RPAD for a single unit at this site or any sort of VBP, but why wouldn't the firewall stop these rules with a total blacklist on traffic except for several specific IPs for a bridge?

 

Frequent Advisor
Posts: 41
0

Re: spam calls group 500

I know this is a tired issue but I feel this traffic is behaving strangely. We've got a Cisco 3925 router with a deny all traffic to endpoint along with a whitelist for several specific IPs. Can anyone tell me how this traffic is managing to get through and why it shows up with the endpoint's own IP?

Frequent Advisor
Posts: 41
0

Re: spam calls group 500

Polycom staff ignoring this?

This was released 2 years ago with limited information and I notice Polycom hasn't released anything relating to SIP traffic, though I highly doubt this is anything rare.

http://supportdocs.polycom.com/PolycomService/support/global/documents/support/documentation/H_3_2_3...

 

Regardless of the message, why are the CDRs on the unit giving an originating IP as its own IP? Is this a bug? Can someone please answer this?

Frequent Advisor
Posts: 41
0

sip spam calls originating from endpoints own ip

 

firmware- 6.1.0-310348

 

User is getting strange spam calls that appear to originate from itself in the CDRs-

IP address of unit is- 10.89.7.2 with a 1:1 public IP

 

Incoming spam call occurring every few minutes-

2240@10.89.7.2 100000@10.89.7.2 1230@10.89.7.2 2240@10.89.7.2 1230@10.89.7.2 2250@10.89.7.2 1230@10.89.7.2 2250@10.89.7.2 100000@10.89.7.2 1230@10.89.7.2 2250@10.89.7.2 2250@10.89.7.2 2260@10.89.7.2 1240@10.89.7.2 100000@10.89.7.2 2260@10.89.7.2 1240@10.89.7.2

 

And so on constantly. 

Unit is not registered to any gatekeeper/registrar but service has firewall rules to block all traffic except for three IPs that they use for VMRs. Can anyone advise why and how these calls are still coming through and why the CDRs are giving these strange originating addresses?

 

I've already read previous statements from Polycom on this and this user is not going to invest in an RPAD for a single unit at this site or any sort of VBP, but why wouldn't the firewall stop these rules with a total blacklist on traffic except for several specific IPs for a bridge?

I know this is a tired issue but I feel this traffic is behaving strangely. We've got a Cisco 3925 router with a deny all traffic to endpoint along with a whitelist for several specific IPs. Can anyone tell me how this traffic is managing to get through and why it shows up with the endpoint's own IP?

 

Regardless of the message, why are the CDRs on the unit giving an originating IP as its own IP? Is this a bug? Can someone please answer this?

Polycom Employee & Community Manager
Posts: 13,512
0

Re: sip spam calls originating from endpoints own ip

Hello Steve,

welcome back to the Polycom Community.

Nobody is ignoring you but we are all volunteers and do this in our spare time. In addition there are certain rules that need to be followed:

 

Apr 07,2015 Question: How can I prevent Phantom calls to my Video Solution?

Answer: A local Firewall or a Polycom Firewall traversal solution can be utilized to stop this. In order to add this to a possible future Software version in the form of a whitelist please contact Luriep => here <= or Security Center: Security Bulletin Relating to Worldwide Botnet Dialing H.323-Capable Systems

 

and

 

  • Mar 8, 2012 Question: What kind of support should I expect from the Community?
    Clarification: Please check => here <=

Please work with your Polycom reseller on this. We need a business case for this.

 

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

Regular Advisor
Posts: 95

Re: sip spam calls originating from endpoints own ip


Since your traffic is coming thru a Cisco 3925, have you posted this question on a Cisco Support Forum or contacted Cisco directly for support in configuring it?

 

It could be the 3925 is receiving the SIP INVITE with no domain and inserting the destination IP as the embedded domain.  If so, maybe it can be configured to reject the INVITE.

 

A packet capture of the traffic in to/out of the 3925 might help.

JoeV
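
Added example, not part of any post in this thread: one way to read the packet capture suggested above is to compare the IP-layer source of each SIP INVITE with the host in its From header, since the From header is filled in by the sender and is not tied to the address the packet came from. The sample messages, the allowlist addresses and the function names are constructed for illustration; only the endpoint address 10.89.7.2 comes from the thread.

```python
import re

ENDPOINT_IP = "10.89.7.2"  # unit address quoted in the thread
# Constructed placeholder addresses standing in for the three allowed bridge IPs
ALLOWED_SOURCES = {"198.51.100.10", "198.51.100.11", "198.51.100.12"}

# Constructed capture records: (IP-layer source address, raw SIP message)
CAPTURE = [
    ("203.0.113.50",
     "INVITE sip:1230@10.89.7.2 SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 203.0.113.50:5060;branch=z9hG4bK-1\r\n"
     "From: <sip:2240@10.89.7.2>;tag=a1\r\n"
     "To: <sip:1230@10.89.7.2>\r\n"
     "Call-ID: c1\r\nCSeq: 1 INVITE\r\n\r\n"),
    ("198.51.100.10",
     "INVITE sip:room@10.89.7.2 SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 198.51.100.10:5060;branch=z9hG4bK-2\r\n"
     "From: \"Bridge\" <sip:vmr@198.51.100.10>;tag=b2\r\n"
     "To: <sip:room@10.89.7.2>\r\n"
     "Call-ID: c2\r\nCSeq: 1 INVITE\r\n\r\n"),
]

# User and host of the URI in the From (or compact "f") header
FROM_RE = re.compile(
    r"^(?:From|f)\s*:.*?sips?:(?:([^@>;\s]*)@)?([^>;:\s]+)", re.I | re.M)

def from_uri(message):
    m = FROM_RE.search(message)
    return (m.group(1), m.group(2)) if m else (None, None)

def classify(src_ip, message):
    """Compare where an INVITE came from with what its From header claims."""
    if not message.startswith("INVITE "):
        return None
    user, host = from_uri(message)
    findings = []
    if src_ip not in ALLOWED_SOURCES:
        findings.append("source-not-allowlisted")   # sender is outside the allowlist
    if host == ENDPOINT_IP:
        findings.append("from-host-is-endpoint")    # caller ID claims the unit itself
    elif host != src_ip:
        findings.append("from-host-differs-from-source")
    return {"src": src_ip, "from": f"{user}@{host}", "findings": findings}

def audit(capture):
    results = (classify(src, msg) for src, msg in capture)
    return [r for r in results if r and r["findings"]]

if __name__ == "__main__":
    for row in audit(CAPTURE):
        print(row)
```

Any row flagged `source-not-allowlisted` on the inside interface means the packet passed the router despite the deny rule, which narrows the question to the ACL or NAT configuration rather than the endpoint's CDR display.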