[OpenSIPS-Users] Fraud Detection Module - Double Counting Calls?

Liviu Chircu liviu at opensips.org
Wed Jan 8 11:39:42 EST 2020


Hi Jonathan,

I recall a recent series of fraud_detection fixes from September which
include a seq_calls fix [1].  The issue fixed was that too many prefixes
were matching and the stat would increase when it should not have.

So I'm not sure if it fixes your problem, but I definitely recommend
trying out the latest 2.4 fraud_detection, just to be sure the bug isn't
fixed yet.  The fixes did not make it to 2.3 since it was obsolete even
then.

Best regards,

[1]: https://github.com/OpenSIPS/opensips/commit/3ac00a6d

Liviu Chircu
OpenSIPS Developer
opensips-solutions.com


On 08.01.2020 18:27, Jonathan Mabrito wrote:
> Good Day All,
>
> We implemented the Fraud Detection module for our 2.3.6 setup in the 
> spring. Works great, but I noticed something off with it last month 
> that I cannot figure out. We started getting alerts about sequential 
> calls that do not add up and match the CDR data from the accounting 
> module. I do not want to post the CDR data, so hopefully descriptions 
> are fine. Based on our set thresholds, I started getting alerts from 
> the fraud triggered warnings (Use RabbitMQ to receive the messages and 
> translate those messages into emails):
>
> E_FRD_WARNING
> param::total calls
> value::12
> threshold::10
> user::18662710573
> called_number::99011966560690444
> rule_id::73
>
>
> The alert in that example said there were 12 sequential calls, but the 
> CDR data only shows 6 sequential calls.  I started noticing this has 
> been the trend for other sequential patterns as well and verified this 
> live by making a call and checking the stats with the 
> "show_fraud_stats" command. If I place one call, the show command 
> shows 2.
>
>
> I only check for fraud on the outbound side and this is my script 
> snippet for outbound calls:
>
>
> #Check Blacklist
> xlog("Checking global blacklist \n");
> if (!check_blacklist("global_blacklist"))
> {
> send_reply("403", "Blacklisted");
> exit;
> }
>
> #Check for Fraud
> xlog("Checking for fraud \n");
> check_fraud("$fU", "$rU", "1");
>
> xlog("Call is an outbound call\n");
> xlog("Before DialPlan Normalization: $ru \n");
>
> if(dp_translate("0", "$rU/$rU")){
> xlog("SIP URI Normalized to $ru \n");
>
> #Find the best route in Dynamic Rule Table for Set 0
> if(!do_routing("0")){
> xlog("No route found for $ru in routing group 0 \n\n");
> send_reply("404", "No route found");
> exit;
> }
>
>
> //Omitted some other stuff
>
>
> t_relay();
> exit;
>
>
> I am not sure if this is just a sequential issue or if CPM, etc. are 
> affected as well. Trying to determine that still.
>
> Any idea on this?
> -- 
> - Jonathan
>
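One way to check an E_FRD_WARNING count against accounting data, as in the mismatch described in the quoted message (an added example, not code from either poster or from OpenSIPS): it parses the alert's key::value fields and recounts back-to-back calls from CDR rows. The Cdr tuple, its timestamps and the counting rule (consecutive calls by one user to one number) are assumptions of this example.

```python
from collections import namedtuple

# Constructed CDR shape for this example; real acc table columns will differ.
Cdr = namedtuple("Cdr", "ts caller callee")

def parse_frd_warning(text):
    """Parse 'key::value' lines as they appear in the alert quoted above."""
    fields = {}
    for line in text.splitlines():
        line = line.lstrip("> ").strip()  # tolerate mail quoting
        if "::" in line:
            key, _, value = line.partition("::")
            fields[key.strip()] = value.strip()
    return fields

def sequential_calls(cdrs, user, called_number):
    """Longest run of back-to-back calls from user to called_number."""
    best = run = 0
    for cdr in sorted(cdrs, key=lambda c: c.ts):
        if cdr.caller != user:
            continue  # other users' calls do not break this user's run
        run = run + 1 if cdr.callee == called_number else 0
        best = max(best, run)
    return best

def reconcile(alert_text, cdrs):
    """Compare the count the alert reports with what the CDRs show."""
    alert = parse_frd_warning(alert_text)
    reported = int(alert["value"])
    observed = sequential_calls(cdrs, alert["user"], alert["called_number"])
    return {
        "rule_id": alert["rule_id"],
        "reported": reported,
        "observed": observed,
        "ratio": reported / observed if observed else None,
        "overcounted": reported > observed,
    }

# Alert text copied from the message; the CDR rows are constructed sample data.
ALERT = """E_FRD_WARNING
param::total calls
value::12
threshold::10
user::18662710573
called_number::99011966560690444
rule_id::73"""
SAMPLE_CDRS = [Cdr(1000 + 30 * i, "18662710573", "99011966560690444") for i in range(6)]

if __name__ == "__main__":
    print(reconcile(ALERT, SAMPLE_CDRS))
```

Run over a day of alerts, a ratio that sits at exactly 2.0 across rules matches the "one call shows 2" observation in the quoted message, while ratios that vary suggest the alerts and CDRs are being matched on different keys.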