<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p><tt>Hi Jonathan,</tt></p>
    <p><tt>I recall a recent series of fraud_detection fixes from
        September which include<br>
        a seq_calls fix [1].  The issue fixed was that too many prefixes
        were matching<br>
        and the stat would increase when it should not have.</tt></p>
    <p><tt>So I'm not sure if it fixes your problem, but I definitely
        recommend trying out<br>
        the latest 2.4 fraud_detection, just to be sure the bug isn't
        fixed yet.  The<br>
        fixes did not make it to 2.3 since it was obsolete even then.<br>
      </tt></p>
    <p><tt>Best regards,</tt></p>
    <p><tt>[1]: </tt><tt><a
          href="https://github.com/OpenSIPS/opensips/commit/3ac00a6d">https://github.com/OpenSIPS/opensips/commit/3ac00a6d</a></tt></p>
    <pre class="moz-signature" cols="72">Liviu Chircu
OpenSIPS Developer
opensips-solutions.com

OpenSIPS Summit, Amsterdam, May 2020
  opensips.org/events/Summit-2020Amsterdam
OpenSIPS Bootcamp, Miami, March 2020
  opensips.org/training</pre>
    <div class="moz-cite-prefix">On 08.01.2020 18:27, Jonathan Mabrito
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAL4wWrgmaDSZQbPMXedC3Pa59329LrM7yMCQJODWPW5TQmxrKg@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">Good Day All,
        <div><br>
        </div>
        <div>We implemented the Fraud Detection module for our 2.3.6
          setup in the spring. Works great, but I noticed something off
          with it last month that I cannot figure out. We started
          getting alerts about sequential calls that do not add up and
          match the CDR data from the accounting module. I do not want
          to post the CDR data, so hopefully descriptions are fine.
          Based on our set thresholds, I started getting alerts from the
          fraud triggered warnings (Use RabbitMQ to receive the messages
          and translate those messages into emails):</div>
        <div><br>
        </div>
        <div>
          <p style="margin:0in;font-family:Calibri;font-size:11pt"> 
            E_FRD_WARNING</p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">param::total
            calls</p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">value::12</p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">threshold::10</p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">user::18662710573</p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">called_number::99011966560690444</p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">rule_id::73</p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt"><br>
          </p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">The
            alert in that example said there were 12 sequential calls,
            but the CDR data only shows 6 sequential calls.  I started
            noticing this been the trend for other sequential patterns
            as well and verified this live by making a call and checking
            the stats with the "show_fraud_stats" command. If I place
            one call, the show command shows 2. </p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt"><br>
          </p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">I
            only check for fraud on the outbound side and this is my
            script snippet for outbound calls:</p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt"><br>
          </p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">#Check
            Blacklist<br>
            xlog("Checking global blacklist \n");<br>
            if (!check_blacklist("global_blacklist"))<br>
            {<br>
            send_reply("403", "Blacklisted");<br>
            exit;<br>
            }<br>
            <br>
            #Check for Fraud<br>
            xlog("Checking for fraud \n");<br>
            check_fraud("$fU", "$rU", "1");<br>
            <br>
            xlog("Call is an outbound call\n");<br>
            xlog("Before DialPlan Normalization: $ru \n");<br>
            <br>
            if(dp_translate("0", "$rU/$rU")){<br>
            xlog("SIP URI Normalized to $ru \n");<br>
            <br>
            #Find the best route in Dynamic Rule Table for Set 0<br>
            if(!do_routing("0")){<br>
            xlog("No route found for $ru in routing group 0 \n\n");<br>
            send_reply("404", "No route found");<br>
            exit;<br>
            }<br>
          </p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt"><br>
          </p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">//Ommited
            some other stuff</p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt"><br>
          </p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt">t_relay();<br>
            exit;<br>
          </p>
          <p style="margin:0in;font-family:Calibri;font-size:11pt"><br>
          </p>
        </div>
        <div>
          <div>I am not sure if this is just sequential issue or if CPM,
            etc are affected as well. Trying to determine that still. </div>
          <div><br>
          </div>
          <div>Any idea on this? </div>
          -- <br>
          <div dir="ltr" class="gmail_signature"
            data-smartmail="gmail_signature">- Jonathan</div>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
    </blockquote>
  </body>
</html>