<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p><tt>Hi Denis,</tt></p>
    <p><tt>Some interesting data! Here's some analysis:<br>
      </tt></p>
    <p><tt>1) First we have this detection suite:</tt></p>
    <table class="t1" style="table-layout: fixed; border-collapse:
      collapse; border-spacing: 0px; color: rgb(0, 0, 0); font-family:
      yandex-sans; font-size: 15px; font-style: normal;
      font-variant-ligatures: normal; font-variant-caps: normal;
      font-weight: 400; letter-spacing: normal; orphans: 2; text-align:
      left; text-indent: 0px; text-transform: none; white-space: normal;
      widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
      background-color: rgb(255, 255, 255); text-decoration-style:
      initial; text-decoration-color: initial;">
      <tbody>
        <tr class="r1" style="height: 12.75pt;">
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">4/2/18 0:12</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">270675427b234658</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;"><tt>X.X.X.X</tt></td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">1111111111</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">8102463894929</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">Fraud_detectead</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">0</td>
        </tr>
      </tbody>
    </table>
    <p><tt>This is due to the "cpm" throttling (> 5 cpm within the
        last 2 minutes) hitting. Once he makes a pause until 0:15, he is
        able to place more calls.</tt></p>
    <p><tt>2) Next, another detection:<br>
      </tt></p>
    <table class="t1" style="table-layout: fixed; border-collapse:
      collapse; border-spacing: 0px; color: rgb(0, 0, 0); font-family:
      yandex-sans; font-size: 15px; font-style: normal;
      font-variant-ligatures: normal; font-variant-caps: normal;
      font-weight: 400; letter-spacing: normal; orphans: 2; text-align:
      left; text-indent: 0px; text-transform: none; white-space: normal;
      widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
      background-color: rgb(255, 255, 255); text-decoration-style:
      initial; text-decoration-color: initial;">
      <tbody>
        <tr class="r1" style="height: 12.75pt;">
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">4/2/18 0:22</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">2d37337b576cdf52</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;"><tt>X.X.X.X</tt></td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">1111111111</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">810213550011711</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">Fraud_detectead</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">0</td>
        </tr>
      </tbody>
    </table>
    <p><tt>This time it's due to the "total calls" hitting, since he had
        placed 29 calls, and the 30th one hits the "critical" threshold.<br>
      </tt></p>
    <p><tt>3) He seems to be able to place another call 3 hours later:</tt></p>
    <table class="t1" style="table-layout: fixed; border-collapse:
      collapse; border-spacing: 0px; color: rgb(0, 0, 0); font-family:
      yandex-sans; font-size: 15px; font-style: normal;
      font-variant-ligatures: normal; font-variant-caps: normal;
      font-weight: 400; letter-spacing: normal; orphans: 2; text-align:
      left; text-indent: 0px; text-transform: none; white-space: normal;
      widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
      background-color: rgb(255, 255, 255); text-decoration-style:
      initial; text-decoration-color: initial;">
      <tbody>
        <tr class="r1" style="height: 12.75pt;">
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">4/2/18 3:20</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">20580b68fb2d185b</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;"><tt>X.X.X.X</tt></td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">1111111111</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">810355692075970</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">OK</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">780</td>
        </tr>
      </tbody>
    </table>
    <p><tt>and another 28 calls within the next 5 hours, before finally
        getting blocked again:</tt></p>
    <table class="t1" style="table-layout: fixed; border-collapse:
      collapse; border-spacing: 0px; color: rgb(0, 0, 0); font-family:
      yandex-sans; font-size: 15px; font-style: normal;
      font-variant-ligatures: normal; font-variant-caps: normal;
      font-weight: 400; letter-spacing: normal; orphans: 2; text-align:
      left; text-indent: 0px; text-transform: none; white-space: normal;
      widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
      background-color: rgb(255, 255, 255); text-decoration-style:
      initial; text-decoration-color: initial;">
      <tbody>
        <tr class="r1" style="height: 12.75pt;">
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">4/2/18 8:32</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">5f3aa44b6451bd4c</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;"><tt>X.X.X.X</tt></td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">1111111111</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">810355692075972</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">Fraud_detectead</td>
          <td class="c2" style="border: thin solid silver; white-space: pre-wrap; text-align: left; background-color: white; color: black; font-size: 8pt;">0</td>
        </tr>
      </tbody>
    </table>
    <p><tt>So the "total calls" limit is hitting again, which is good.</tt></p>
    <p><tt>The question is: why did the "total calls" reset for this guy?
        One possible answer could be timezone-related. I'm not sure
        whether the "0:22" from the CDR correlates with the local OpenSIPS
        machine time. Remember that OpenSIPS resets all stats if it
        detects a "new day" or a "new interval". IMO, the day change is
        the most likely cause of this behavior.<br>
      </tt></p>
    <p><tt>Let me know if the above clears your questions. Also, one of
        your SIP statuses has a typo: "Fraud_detectead".</tt></p>
    <p><tt>Cheers,<br>
      </tt></p>
    <pre class="moz-signature" cols="72">Liviu Chircu
OpenSIPS Developer
<a class="moz-txt-link-freetext" href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a></pre>
    <div class="moz-cite-prefix">On 04.04.2018 14:00, Denis via Users
      wrote:<br>
    </div>
    <blockquote type="cite" cite="mid:446851522839606@web54g.yandex.ru">
      <div>Liviu, and another interesting case.</div>
      <div>Here, <a href="https://yadi.sk/i/-vRrJXtz3U5m2Z" moz-do-not-send="true">https://yadi.sk/i/-vRrJXtz3U5m2Z</a>, you can find cdr of the fraud case.</div>
      <div>In the table:</div>
      <div>time - time of the call</div>
      <div>callid - sip callid</div>
      <div>src_domain - source ip</div>
      <div>src_user - caller (from one number)</div>
      <div>dst_user - callee</div>
      <div>sip_reason and duration - column from acc table.</div>
      <div>&nbsp;</div>
      <div>Several sip callid with the same value deal with serial forking.</div>
      <div>&nbsp;</div>
      <div>So, sip_reason "fraud_detected" means that fraud module detected bad calls.</div>
      <div>Why do we have a situation when after fraud detected there
        are successful bad calls?</div>
      <div> </div>
      <div>Fraud profile is the same as mentioned earlier.</div>
      <div> </div>
      <div>Thank you.</div>
      <div> </div>
      <div>-- </div>
      <div>С уважением, Денис.</div>
      <div>Best regards, Denis</div>
      <div> </div>
      <div>03.04.2018, 18:28, "Liviu Chircu" <a class="moz-txt-link-rfc2396E" href="mailto:liviu@opensips.org"><liviu@opensips.org></a>:</div>
      <blockquote type="cite">
        <div bgcolor="#FFFFFF">
          <p>Hmmm... indeed, the "sequential calls" only reset if you
            dial a different number.</p>
          <p>If the other stats reset at midnight/interval change, I
            don't see why this specific one should be different. To me,
            it looks like a bug. Do you agree?</p>
          <pre>Liviu Chircu
OpenSIPS Developer
<a href="http://www.opensips-solutions.com/" moz-do-not-send="true">http://www.opensips-solutions.com</a></pre>
          <div>On 03.04.2018 16:49, Denis via Users wrote:</div>
          <blockquote type="cite"
            cite="mid:1940771522763382@web15g.yandex.ru">
            <div>Hello Liviu!</div>
            <div> </div>
            <div>I am sorry, I totally missed one important thing -
              serial forking)))</div>
            <div>I.e. I had 52 records in accounting, but several of
              them lead to one call.</div>
            <div>As a result I had exactly 29 calls before the fraud module
              began to block subsequent calls.</div>
            <div> </div>
            <div>About counters reset i understood. Thank you.</div>
            <div> </div>
            <div>The last question about "sequential_calls". This
              counter does not reset? Even in manual mode?</div>
            <div> </div>
            <div>Thank you.</div>
            <div> </div>
            <div>-- </div>
            <div>С уважением, Денис.</div>
            <div>Best regards, Denis</div>
            <div> </div>
            <div>03.04.2018, 15:30, "Liviu Chircu" <a
                href="mailto:liviu@opensips.org" moz-do-not-send="true"><liviu@opensips.org></a>:</div>
            <blockquote type="cite">
              <div bgcolor="#FFFFFF">
                <p>Hi Denis,</p>
                <p>Regarding the "52 calls" vs. 25/30 limits, are you
                  sure all 52 calls were made by the same user? Keep in
                  mind that all fraud_detection module stats are
                  per-user counters, and not global counters. If they
                  really were all made by the same user, please let me
                  know and I will double-check my tests.</p>
                <p>The "cpm", "total_calls" and "concurrent_calls" reset
                  either on an interval change or at midnight (new day
                  ahead). This leads to a possible undetected abuse of
                  up to 2x your provisioned "cpm", "total_calls" or
                  "concurrent_calls", if the malicious user places
                  "limit - 1" events before the reset, followed by
                  another "limit - 1" events past the reset. If this is
                  too much for you, then your provisioned limits
                  (thresholds) are incorrect, and you should simply cut
                  them in half.</p>
                <p>Best regards,</p>
                <pre>Liviu Chircu
OpenSIPS Developer
<a href="http://www.opensips-solutions.com/" moz-do-not-send="true">http://www.opensips-solutions.com</a></pre>
                <div>On 22.03.2018 09:59, Denis via Users wrote:</div>
                <blockquote type="cite"
                  cite="mid:181311521705588@web5g.yandex.ru">
                  <div>Hello!</div>
                  <div> </div>
                  <div>Is there any idea about the problem?</div>
                  <div> </div>
                  <div>Thank you.</div>
                  <div> </div>
                  <div>-- </div>
                  <div>С уважением, Денис.</div>
                  <div>Best regards, Denis</div>
                  <div> </div>
                  <div>16.03.2018, 15:22, "Denis via Users" <a
                      href="mailto:users@lists.opensips.org"
                      moz-do-not-send="true"><users@lists.opensips.org></a>:</div>
                  <blockquote type="cite">
                    <div>Hello!</div>
                    <div> </div>
                    <div>I am sorry that it was early, but anyway.</div>
                    <div> </div>
                    <div>Server:: OpenSIPS (2.2.5 (x86_64/linux))</div>
                    <div> </div>
                    <div>Fraud_module has been activated.</div>
                    <div> </div>
                    <div>Profile data</div>
                    <div> </div>
                    <div><img
                        src="cid:part6.2C075D81.A09D7ABE@opensips.org"
                        class=""></div>
                    <div> </div>
                    <div>17.02.18 20:55 Opensips received first fraud
                      call.</div>
                    <div>And before Opensips detected fraud there were
                      52 yet calls to 810 prefix.</div>
                    <div> </div>
                    <div>First question is why it didn't detect fraud
                      earlier (dialing with total_calls, for example)?</div>
                    <div> </div>
                    <div>Then.</div>
                    <div> </div>
                    <div>Till the end of 17.02 Opensips blocked the
                      calls from client to 810, but in 18.02 i can see
                      success fraud calls to 810 from the client again.</div>
                    <div> </div>
                    <div>Second question is why? Opensips resets count
                      every new day?</div>
                    <div> </div>
                    <div>Thank you.</div>
                    <div> </div>
                    <div>-- </div>
                    <div>С уважением, Денис.</div>
                    <div>Best regards, Denis</div>
                    <div> </div>
                    <p>_______________________________________________<br>
                      Users mailing list<br>
                      <a href="mailto:Users@lists.opensips.org"
                        moz-do-not-send="true">Users@lists.opensips.org</a><br>
                      <a
                        href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users"
                        moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p>
                  </blockquote>
                   
                </blockquote>
              </div>
            </blockquote>
             
          </blockquote>
        </div>
      </blockquote>
    </blockquote>
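    <p>An added example, not part of the original thread and not OpenSIPS code: a simplified model of the per-user "total calls" counter with a day-change reset, replaying constructed timestamps shaped like the CDR rows discussed above. The UTC+3 CDR timezone, the UTC machine clock and all names are assumptions, chosen to illustrate both the timezone hypothesis and the "up to 2x the limit" effect, together with the suggested halved threshold.</p>

```python
from datetime import datetime, timedelta, timezone

CDR_TZ = timezone(timedelta(hours=3))   # assumption: timezone of the CDR timestamps
CRITICAL = 30                           # "total calls" critical threshold from the thread


class DailyResetCounter:
    """Simplified model (not OpenSIPS code): per-user counter zeroed on a new local day."""

    def __init__(self, critical, machine_tz):
        self.critical = critical
        self.machine_tz = machine_tz    # clock the proxy uses to decide "new day"
        self.state = {}                 # user -> (local date, calls counted that day)

    def on_call(self, user, ts):
        today = ts.astimezone(self.machine_tz).date()
        day, count = self.state.get(user, (today, 0))
        if day != today:                # "new day" detected: stats start from zero
            count = 0
        count += 1
        self.state[user] = (today, count)
        return "BLOCKED" if count >= self.critical else "OK"


def build_calls():
    """Constructed sample: two bursts of 29 calls, each followed by a 30th call."""
    day = datetime(2018, 4, 2, tzinfo=CDR_TZ)
    first = [day + timedelta(minutes=1, seconds=40 * i) for i in range(29)]
    second = [day + timedelta(hours=3, minutes=20 + 10 * i) for i in range(29)]
    return (first + [day + timedelta(minutes=22)]               # 0:22, the 30th call
            + second + [day + timedelta(hours=8, minutes=32)])  # 8:32, the 30th again


def replay(critical, machine_tz, user="1111111111"):
    """Feed the constructed calls to a fresh counter and return one status per call."""
    counter = DailyResetCounter(critical, machine_tz)
    return [counter.on_call(user, ts) for ts in build_calls()]


def completed(statuses):
    """Number of calls that were let through."""
    return statuses.count("OK")


if __name__ == "__main__":
    # Machine clock in the CDR timezone: no day change between the bursts.
    print("same timezone  :", completed(replay(CRITICAL, CDR_TZ)), "calls allowed")
    # Machine clock in UTC: 3:20 in the CDR is 0:20 on the machine, a new day.
    print("machine in UTC :", completed(replay(CRITICAL, timezone.utc)), "calls allowed")
    # Halved threshold keeps the worst case under the limit that was intended.
    print("halved, in UTC :", completed(replay(CRITICAL // 2, timezone.utc)), "calls allowed")
```

    <p>To check the hypothesis on a real system, compare the timezone of the CDR timestamps with the local time of the OpenSIPS machine and see whether local midnight falls between the last blocked call and the first call that went through again.</p>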
    <br>
  </body>
</html>