<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><tt>Hi Jonathan,</tt></p>
<p><tt>I recall a recent series of fraud_detection fixes from
September which include<br>
a seq_calls fix [1]. The issue fixed was that too many prefixes
were matching<br>
and the stat would increase when it should not have.</tt></p>
<p><tt>So I'm not sure if it fixes your problem, but I definitely
recommend trying out<br>
the latest 2.4 fraud_detection, just to be sure the bug isn't
fixed yet. The<br>
fixes did not make it to 2.3 since it was obsolete even then.<br>
</tt></p>
<p><tt>Best regards,</tt></p>
<p><tt>[1]: </tt><tt><a
href="https://github.com/OpenSIPS/opensips/commit/3ac00a6d">https://github.com/OpenSIPS/opensips/commit/3ac00a6d</a></tt></p>
<pre class="moz-signature" cols="72">Liviu Chircu
OpenSIPS Developer
opensips-solutions.com
OpenSIPS Summit, Amsterdam, May 2020
opensips.org/events/Summit-2020Amsterdam
OpenSIPS Bootcamp, Miami, March 2020
opensips.org/training</pre>
<div class="moz-cite-prefix">On 08.01.2020 18:27, Jonathan Mabrito
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAL4wWrgmaDSZQbPMXedC3Pa59329LrM7yMCQJODWPW5TQmxrKg@mail.gmail.com">
<div dir="ltr">Good Day All,
<div><br>
</div>
<div>We implemented the Fraud Detection module for our 2.3.6
setup in the spring. Works great, but I noticed something off
with it last month that I cannot figure out. We started
getting alerts about sequential calls that do not add up and
match the CDR data from the accounting module. I do not want
to post the CDR data, so hopefully descriptions are fine.
Based on our set thresholds, I started getting alerts from the
fraud triggered warnings (Use RabbitMQ to receive the messages
and translate those messages into emails):</div>
<div><br>
</div>
<div>
<p style="margin:0in;font-family:Calibri;font-size:11pt">
E_FRD_WARNING</p>
<p style="margin:0in;font-family:Calibri;font-size:11pt">param::total
calls</p>
<p style="margin:0in;font-family:Calibri;font-size:11pt">value::12</p>
<p style="margin:0in;font-family:Calibri;font-size:11pt">threshold::10</p>
<p style="margin:0in;font-family:Calibri;font-size:11pt">user::18662710573</p>
<p style="margin:0in;font-family:Calibri;font-size:11pt">called_number::99011966560690444</p>
<p style="margin:0in;font-family:Calibri;font-size:11pt">rule_id::73</p>
<p style="margin:0in;font-family:Calibri;font-size:11pt"><br>
</p>
<p style="margin:0in;font-family:Calibri;font-size:11pt">The
alert in that example said there were 12 sequential calls,
but the CDR data only shows 6 sequential calls. I started
noticing this has been the trend for other sequential patterns
as well and verified this live by making a call and checking
the stats with the "show_fraud_stats" command. If I place
one call, the show command shows 2. </p>
<p style="margin:0in;font-family:Calibri;font-size:11pt"><br>
</p>
<p style="margin:0in;font-family:Calibri;font-size:11pt">I
only check for fraud on the outbound side and this is my
script snippet for outbound calls:</p>
<p style="margin:0in;font-family:Calibri;font-size:11pt"><br>
</p>
<p style="margin:0in;font-family:Calibri;font-size:11pt">#Check
Blacklist<br>
xlog("Checking global blacklist \n");<br>
if (!check_blacklist("global_blacklist"))<br>
{<br>
send_reply("403", "Blacklisted");<br>
exit;<br>
}<br>
<br>
#Check for Fraud<br>
xlog("Checking for fraud \n");<br>
check_fraud("$fU", "$rU", "1");<br>
<br>
xlog("Call is an outbound call\n");<br>
xlog("Before DialPlan Normalization: $ru \n");<br>
<br>
if(dp_translate("0", "$rU/$rU")){<br>
xlog("SIP URI Normalized to $ru \n");<br>
<br>
#Find the best route in Dynamic Rule Table for Set 0<br>
if(!do_routing("0")){<br>
xlog("No route found for $ru in routing group 0 \n\n");<br>
send_reply("404", "No route found");<br>
exit;<br>
}<br>
</p>
<p style="margin:0in;font-family:Calibri;font-size:11pt"><br>
</p>
<p style="margin:0in;font-family:Calibri;font-size:11pt">//Omitted
some other stuff</p>
<p style="margin:0in;font-family:Calibri;font-size:11pt"><br>
</p>
<p style="margin:0in;font-family:Calibri;font-size:11pt">t_relay();<br>
exit;<br>
</p>
<p style="margin:0in;font-family:Calibri;font-size:11pt"><br>
</p>
</div>
<div>
<div>I am not sure if this is just a sequential issue or if CPM,
etc. are affected as well. Trying to determine that still. </div>
<div><br>
</div>
<div>Any idea on this? </div>
-- <br>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">- Jonathan</div>
</div>
</div>
<br>
</blockquote>
</body>
</html>