Difference between revisions of "Dynamic Blacklist Functionality"

From Kolmisoft Wiki
Line 1: Line 1:
=Description=
Dynamic Blacklist functionality is based on a smart logic which puts a 'score' on the call by its Source Number, Destination Number and SIP signaling IP and allows routing calls with high score over different route.


Blacklist functionality is part of [[ Monitorings_Addon | Monitorings add-on]].
This functionality gives you ability to define Blacklist LCR. MOR reroutes all the calls, that have a score more than a defined threshold, to this Blacklist LCR. Dynamic Blacklisting is useful when system owner wants to route 'suspect' calls through different route than 'normal' calls.


Blacklist functionality Dynamic Routing is based on a smart logic which puts a 'score' on the call by its SRC, DST or SIP signaling IP and allows routing calls with high score over different route. This functionality gives you an ability to define LCR as Blacklist Providers group. These Providers work like any other [[Providers | Provider]] in MOR system. MOR reroutes all the calls, that have a score more than a defined threshold, to this Blacklist LCR.  
Example: calls from such countries as Nigeria, Sudan, etc. based on their IP/CallerID can be marked as 'suspects' and routed to some IVR or to the dead-end.
 
=Dynamic Blacklisting settings=
 
Dynamic Blacklisting settings are located in '''ADDONS''' -> '''Monitorings''' -> '''Dynamic Blacklisting''':
 
[[File:Dynamic bl menu.png]]
 
=How does it work=
 
When calls comes to MOR, system tries to find score for Source Number, Destination Number and SIP signaling IP. These scores are summed into single value:
 
TOTAL SCORE = DST SCORE + SRC SCORE + IP SCORE
 
Then total score is compared against defined Blacklisting Threshold value. If total score ir equal ir higher than Blacklisting Threshold value, system changes LCR to defined Backlisting LCR.
 
It is important to understand that Dynamic Blacklisting checks all three scores (DST, SRC and IP) before deciding whether call should be blacklisted (changed LCR) or not.
 
=Threshold=


This functionality is useful when system owner wants to route 'suspect' calls through different route than 'normal' calls.
Before using Dynamic Blacklisting you need to define Blacklisting Threshold values in '''ADDONS''' -> '''Monitoring''' -> '''Dynamic Blacklisting''' -> '''Settings''':


Example: calls from such countries as Nigeria, Sudan, etc. based on their IP/CallerID can be marked as 'suspects' and routed to some IVR or to the dead-end.
[[File:Dynamic bl settings thresholds.png]]
 
You can use up to 3 different Threshold values but for simplicity we will use only first one.
 
Calculated Blacklisting total score will be compared to this value. If calculated Blacklisting total score is equal or higher than 100, User’s current LCR will be changed to Blacklisting LCR. If total score is lower than 100, User’s LCR will not be changed.
 
=Blacklisting LCR=
 
When calculated Blacklisting score is higher than Blacklisting Threshold, User’s LCR is changed to Blacklisting LCR.
 
This LCR may contain specific Providers or can be completely empty. In case of empty LCR, call will be hangup with code:
 
204 No suitable providers found
 
=How score is calculated=
 
When call comes to MOR, Blacklisting score is calculated by finding score for SRC, DST and IP in Blacklisting database.
 
For example, let’s explain how score is calculated for Destination Number (DST). Source and IP score is calculated in the same way.
 
When new number is dialed and it is not yet in Blacklisting database, MOR tries to assign score to number by checking Blacklisting prefix database, which can de defined in '''ADDONS''' -> '''Monitoring''' -> '''Dynamic Blacklisting''' -> '''Destinations (DST)''' -> '''Prefix scores''':
 
[[File:Dynamic bl prefix scores.png]]
 
For example, if someone dials 93xxxxxx, MOR assigns score 70 to this number and puts this number along with score to Blacklisting database. Next time this number is dialed, MOR will know score by looking in Blacklisting database.
 
What happens when score is not set for prefix? For example, if someone dials 370xxxx but Prefix scores database does not have prefix for this number, then default score will be used. You can set default score in '''ADDONS''' -> '''Monitoring''' -> '''Dynamic Blacklisting''' -> '''Settings''':
 
[[File:Dynamic bl settings default scores.png]]
 
'''Note:''' numbers with default score will not be saved to Blacklisting database. System will assume that numbers that are not present in Blacklisting database have default score and use that score when calculating Blacklisting score.
 
Same principle is used for SRC and IP score - '''when call comes MOR, Dynamic Blacklisting checks if DST/SRC/IP is in Backlisting database, if not then checks if prefix exists in Blacklisting prefixes database, if not then uses default Blacklisting score.'''


<br><br>
These 3 scores are summed (DST score + SRC score + IP Score) and compared against Blacklisting Threshold value. If total score is equal or higher, then User’s LCR will be changed to Blacklisting LCR.


=Configuration=
If you use only DST blacklisting, you may leave Default SRC and Default IP scores 0. This way it will be easier to calculate Blacklisting score (DST score + 0 + 0).


You can manage
=Blacklisting database=


* Single User settings in [[User_Details#Blacklists | User Details]]
You can check already blacklisted numbers in '''ADDONS''' -> '''Monitoring''' -> '''Dynamic Blacklisting''' -> '''Destinations (DST)''':
* Global settings in '''ADDONS > Monitorings –> [[Monitorings_Addon#Monitorings_Settings | Settings]]'''
<br><br>
[[File:Monitorings_settings.png]]
<br><br>
'''Blacklist Feature enabled''' – enables Blacklists functionality in all system.


'''Threshold #1 - #3'''  – sum of SRC, DST and SIP signaling IP limit. If SRC, DST or SIP signaling IP scores sum, received during the call, is bigger than particular Threshold, call will be routed through selected LCR.  
[[File:Dynamic bl scores.png]]


Threshold #1 must be lower than Threshold #2, Threshold #2 must be lower than Threshold #3. 0 stand for Disabled Threshold.
In this page you can find, add, update or delete numbers.


'''LCR''' – [[LCR]] with Balcklist Providers. First one will be used when SRC, DST it IP scores sum will be between Threshold #1 and Threshold #2. Second LCR will be used when SRC, DST it IP scores sum will be between Threshold #2 and Threshold #3. And third LCR will be used when SRC, DST it IP scores sum will be higher than Threshold #3.
If you want to import numbers to Blacklisting database, use following format in CSV file:


'''Default scores''' – Default scores of SRC, DST or SIP signaling IP. There will be cases where MOR will not find a score for a given SRC, DST or SIP signaling IP. In each of the cases MOR will add the missing values from these settings.
number1;score
number2;score
number3;score


'''Use default blacklisting rules''' – check this to use [[Dynamic_Blacklist_Functionality#Blacklisting_Script_.28Intelligence.29|Blacklisting Script]] for SRC, DST or SIP signaling IP scoring.
=SIP signaling IP=


This feature is designed to stop the score manipulation done by the blacklisting script (Intelligence). This feature is used in the situation where we want to disable the score number manipulation done by the blacklisting script but still keep the blacklist functionality.  
Due to technical limitations, Dynamic Blacklisting will use SIP signaling IP which may be different from RTP (media) of Originator.


As an example, maybe we will notice in the future that we have incorrectly setup the blacklisting script rules and as a result we are getting some false positives into our blacklist. In this case we don't want to completely disable the blacklisting feature but just disable the blacklisting script until we have had enough time to go back to the CDR analyses and figure out the correct values that need to be defined for the correct functioning of the blacklisting script.
=Dynamic Blacklisting for specific Users=


If the Use default blacklisting rules is set to no then the MOR system should continue to add source numbers, destination numbers and source IP addresses to the blacklist database, but the blacklist script should not run and change the database values.
Dynamic Blacklisting blacklisting can be enabled globally to all Users or for specific Users only.


<br><br>
If you want to enable Dynamic Blacklisting globally, go to '''ADDONS''' -> '''Monitoring''' -> '''Dynamic Blacklisting''' -> '''Settings''' and check '''Blacklist Feature enabled''' checkbox.
==Blacklisting Script (Intelligence) ==


'''MOR does not know anything about the script and does not care about it. This script is INDEPENDENT from MOR.'''
If you want to enable Dynamic Blacklisting for specific User, go to User’s edit page and change settings under '''Blacklisting / Whitelisting''' section:


What it will do is to try to figure out what a blacklisted call could look like. For example it could be that a customer of a customer tries to call one specific number more than 10 times a day or more than 5 times within one hour. Or there are many calls generated by one source phone number or one source IP media. It all depends on experience and assumptions and that may be different for all customers.
[[File:Dynamic bl user settings.png]]


<br>
=Dynamic Blacklisting script (advanced)=
To use default blacklisting rules you have to create your own script:


* Script can be done in any language.
Dynamic Blacklisting script allows to add numbers to Dynamic Blacklisting database based on Blacklisting rules.
* Script can be placed anywhere in the system
* It is advisable to run this script periodically with Cron
* It should analyze CDRs and make decisions based on various criteria.
* After that it should populate appropriate DB fields to put scores for various values.


<br>
Some examples of Blacklisting rules:
The script to change scores could work like this:<br>


If a destination_number was called more than DST-n1 times within DST-t1 minutes then DST-Score = DST-Score + DST-v1<br>
* Set score 100 to DST number if there are 2 or more calls during 5 minutes to the same number
If a destination_number was called more than DST-n2 times within DST-t2 hours then DST-Score = DST-Score + DST-v2<br>
* Set score 100 to DST number if there are 5 or more calls with duration lower than 30 seconds to the same number
If a source_number was calling more than SRC-n1 times within SRC-t1 minutes then SRC-Score = SRC-Score + SRC-v1<br>
* Set score 100 to DST number if there are 3 or more calls to the same number and number length is lower than 6 digits
If a source_number was calling more than SRC-n2 times within SRC-t2 hours then SRC-Score = SRC-Score + SRC-v2<br>
If a source_IP_number was calling more than SRC-IP-n1 times within SRC-IP-t1 minutes then SRC-IP-Score = SRC-IP-Score + SRC-IP-v1<br>
If a source_IP_number was calling more than SRC-IP-n2 times within SRC-IP-t2 hours then SRC-IP-Score = SRC-IP-Score + SRC-IP-v2<br>
If a source_number was calling more than SRC-n1 times within SRC-t1 minutes then DST-Score = DST-Score + DST-v1<br>
<br>
Variables like DST-n1 to SRC-IP-v2 need to be defined manually.
<br>
===Example===


If a destination_number was called more than 5 times within 60 minutes then DST-Score = DST-Score + 100<br>
These rules are defined in:
or<br>
If a source_IP_number was calling more than 40 times within 5 hours then SRC-IP-Score = SRC-IP-Score + 100<br>
or<br>
If a source_number was calling more than 1 time within 5 minutes then DST-Score = DST-Score + 50<br>


===Assign numbers to specific user===
/usr/local/mor/blacklist.conf


You can set user_id field in bl_dst_scoring, bl_src_scoring and bl_ip_scoring tables to assign blacklisted number/ip only to that user. For example:
Configuration file contains all rules with examples:


  UPDATE bl_dst_scoring SET user_id = X WHERE value = 'Y';
  ; ABOUT THIS FILE
;
; This configuration file describes blacklisting rules
; Rule types explained below
; Type: src
; Description: put a score on src, based on src number and number of calls FROM that src in a defined time period
;
; Examples:
;
; src,370123456,1,5,10
; src,*,5,60,100
;
; Examples explained:
;
; 1. If src '370123456' makes 1 or more calls during 5 minutes period, its blacklisting score will be set to 10
; 2. If any src makes 5 or more calls during 1 hour period, its blacklisting score will be set to 20
; Type: dst
; Description: put a score on dst, based on dst number and number of calls TO that dst in a defined time period
;
; Examples:
;
; dst,370,5,60,50
; dst,37621,5,60,30
; dst,*,10,10,10
;
; Examples explained:
;
; 1. If dst '37062255555' is dialed 5 or more times during 60 minutes period, its blacklisting score will be set to 50
; 2. If dst '37062155555' is dialed 5 or more times during 60 minutes period, its blacklisting score will be set to 30
; 3. If any dst is dialed 10 or more times during 10 minutes period, its blacklisting score will be set to 10
; Type: dstduration
; Description: put a score on dst, based on call duration to this dst number in a defined time period
;
; Examples:
;
; dstduration,370,30,5,3,45
;
; 1. If within last 5 minutes there are at least 3 calls to dst number 370xxxxxx that have duration shorter than 30 seconds, then dst number's score will be set to 45
; Type: srcduration
; Description: put a score on src, based on lowest call duration from this src number in a defined time period
;
; Examples:
;
; srcduration,*,60,1,2,45
;
; 1. If within last minute there are at least 2 calls calls from any src number that have duration shorter than 60 seconds, then src number's score will be set to 45
; Type: dstlength
; Description: put a score on dst, based on length of dst number and number of calls to this dst in a defined time period
;
; Examples:
;
; dstlength,*,6,1,5,10
;
; 1. If within last minute there are at least 5 calls to any dst number that has length shorter or equal to 6 charaters, then dst number's score will be set to 10
;
; In this case:
;
; Number 370621 will be blacklisted
; Number 3706215 will not be blacklisted
; Type: srclength
; Description: put a score on src, based on length of src number and number of calls to this dst in a defined time period
;
; Examples:
;
; srclength,*,2,5,3,30
;
; 1. If within last 5 minutes there are at least 3 calls from any src number that has length shorter or equal to 2 charaters, then src number's score will be set to 30
; To comment out a rule, use ; character before rule
; Rules start here


Here X is user_id and Y is blacklisted number.
Add your rules at the end of blacklist.conf file.


<br>
Note that examples in your configuration file might be outdated, thefore use examples from this page.
'''NOTE:'''
It is '''not possible''' to set X amount of times within X amount of '''seconds'''


It '''should be''' set X amount of times within X amount of '''minutes''' (not seconds).
This script can be enabled or disabled at any time. Check '''Enable Dynamic Blacklisting script''' checkbox in '''ADDONS''' -> '''Monitoring''' -> '''Dynamic Blacklisting''' -> '''Settings''':


Moreover, script will not block immediately. It depends on how often '''cron''' launch blacklisting script.
[[File:Dynamic bl settings enable script.png]]


Note that script does not work in realtime and blacklisted number are added to Blacklisting database within a minute or two.


If you want to create such script, please contact Kolmisoft, we will consult how to do this, will provide necessary database info and all other details.
Also, only single rule is applied to the same number at a time so order you rules by priority.


<br><br>
=Troubleshooting=


==Kolmisoft Blacklisting script with examples==
To enable verbose Dynamic Blacklisting log in /var/log/asterisk/messages, make sure that debug messages are included in /etc/asterisk/logger.conf file, for example:


Example script made by Kolmisoft is located in /usr/src/mor/x7/scripts/mor_blacklisting_script.c. To use it you need to configure blacklisting rules in /usr/local/mor/blacklist.conf<br>
messages => notice, warning, error, debug, verbose


  ; ABOUT THIS FILE
Most of Dynamic Blacklisting log messages are [DEBUG] type messages.
  ;
  ; This configuration file describes blacklisting rules
 
 
  ; Rules have the following structure:
  ;
  ; type,prefix,count,period,score
  ;
  ; type  - type of rule (src/dst/ip/dstsrc/dstduration/srcduration/srclength/dstlength/srcbldst)
  ; prefix - prefix or keyword (only for src) used to match the target (src/dst/ip)
  ; count  - how many TIMES this target can be dialed/make calls during specified period of time (in minutes), before this rule is applied
  ; period - defines the PERIOD of time (in minutes) which is used to check calls (takes all calls made within last X minutes)
  ; score  - score that will be ADDED to previous score of the target
  ;
  ; Note1: to match all the targets of the same rule type, use * symbol instead of prefix
  ; Note2: in case of dstduration and srcduration, count is time in seconds of a call
  ; Note3: in case of dstlength and srclength, count is the length of the number
  ; Note4: in case of dstsrc rule, you can you EMPTY keyword instead prefix. This allows to block dst if numbers without src are calling to this dst
  ; Note5: in case of srcbldst rule, count is blacklisting score of dst number
  ;
  ; Rule types explained
 
 
  ; Type: src
  ; Description: put a score on src, based on src number and number of calls FROM that src in a defined time period
  ;
  ; Examples:
  ;
  ; src,john,1,5,10
  ; src,1001,1,10,20
  ;
  ; Examples explained:
  ;
  ; 1. If src 'john_accountant' makes 1 or more calls during 5 minutes period, its blacklisting score will be updated by 10
  ; 2. If src '1001' makes 1 or more calls during 10 minutes period, its blacklisting score will be updated by 20
 
 
  ; Type: dst
  ; Description: put a score on dst, based on dst number and number of calls TO that dst in a defined time period
  ;
  ; Examples:
  ;
  ; dst,370,5,60,50
  ; dst,37621,5,60,30
  ; dst,*,10,10,10
  ;
  ; Examples explained:
  ;
  ; 1. If dst '37062255555' is dialed 5 or more times during 60 minutes period, its blacklisting score will be increased by 50
  ; 2. If dst '37062155555' is dialed 5 or more times during 60 minutes period, its blacklisting score will be increased by 30
  ; 3. If any dst is dialed 10 or more times during 10 minutes period, its blacklisting score will be increased by 10
 
 
  ; Type: ip
  ; Description: put a score on ip, based on ip address and number of calls FROM that ip address in a defined time period
  ;
  ; Examples:
  ;
  ; ip,78.35,1,15,1
  ;
  ; Examples explained:
  ;
  ; 1. If ip '78.35.45.21' makes 1 or more calls during 15 minutes period, its blacklisting score will be increased by 1
 
 
  ; Type: dstsrc
  ; Description: put a score on dst, based on src number and number of calls FROM that src in a defined time period
  ;
  ; Examples:
  ;
  ; dstsrc,anonymous,1,5,50
  ; dstsrc,EMPTY,1,5,50
  ;
  ; 1. If src 'anonymous' makes 1 or more calls during 5 minutes period, then blacklisting score will be increased by 50 TO THE NUMBER USER HAS DIALED (dst number)
  ; 2. If call with no src makes 1 or more calls during 5 minutes period, then blacklisting score will be increased by 50 TO THE NUMBER USER HAS DIALED (dst number)
 
 
  ; Type: dstduration
  ; Description: put a score on dst, based on lowest call duration to this dst number in a defined time period
  ;
  ; Examples:
  ;
  ; dstduration,370,30,5,45
  ;
  ; 1. If within last 5 minutes there are calls to dst number 370xxxxxx that have duration shorter than 30 seconds, then dst number's score will be increased by 45
 
 
  ; Type: srcduration
  ; Description: put a score on src, based on lowest call duration from this src number in a defined time period
  ;
  ; Examples:
  ;
  ; srcduration,*,60,1,45
  ;
  ; 1. If within last minute there are calls from any src number that have duration shorter than 60 seconds, then src number's score will be increased by 45
 
 
  ; Type: dstlength
  ; Description: put a score on dst, based on length of dst number and number of calls to this dst in a defined time period
  ;
  ; Examples:
  ;
  ; dstlength,*,6,1,10
  ;
  ; 1. If within last minute there are calls to any dst number that has length shorter or equal to 6 charaters, then dst number's score will be increased by 10
  ;
  ; In this case:
  ;
  ; Number 370621 will be blacklisted
  ; Number 3706215 will not be blacklisted
 
 
  ; Type: srclength
  ; Description: put a score on src, based on length of src number and number of calls to this dst in a defined time period
  ;
  ; Examples:
  ;
  ; srclength,*,2,5,30
  ;
  ; 1. If within last 5 minutes there are calls from any src number that has length shorter or equal to 2 charaters, then src number's score will be increased by 30
 
 
  ; Type: srcbldst
  ; Description: put a score on src if user calls to dst which has equal or higher score than defined
  ;
  ; Examples:
  ;
  ; srcbldst,*,60,2,30
  ;
  ; 1. If within last 2 minutes any src number made a call to dst which has blacklisting score 60 or higher, then src number's score will be increased by 30
 
 
  ; To comment out a rule, use ; character before rule
  ;
  ; Note: only one rule will be applied to the same src/dst/ip so rules should be ordered by prefix length (from longest to shortest (or *))
 
  ; Rules start here, please modify them
 
 
  src,mor,1,5,10
  src,1001,1,10,20


=See also=
If you are using Dynamic Blacklisting script, make sure that script is executed by cron. Check if /etc/cron.d/mor_blacklisting_script cron is present.


* [[Monitorings_Addon#Monitorings_Settings | Monitorings Settings]]
Log for Dynamic Blacklisting script can be found in /var/log/mor/mor_blacklisting_script.log
* [[User_Details#Blacklists | User Details]]
* [[LCR]]
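
Review bot: In the new blacklist.conf text, the src example `src,*,5,60,100` is explained as "its blacklisting score will be set to 20", so the rule and its explanation disagree on the score; one of the two should be corrected. The dst example `dst,37621,5,60,30` is still explained with dst '37062155555', which does not begin with 37621. The revision also drops the "type,prefix,count,period,score" structure description while introducing six-field rules such as `dstduration,370,30,5,3,45`, so the field order is now only implied by the examples; a short field list for the six-field rule types would make the file safer to edit.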

Revision as of 14:13, 23 November 2016

Dynamic Blacklist functionality is based on a smart logic which puts a 'score' on the call by its Source Number, Destination Number and SIP signaling IP and allows routing calls with high score over different route.

This functionality gives you ability to define Blacklist LCR. MOR reroutes all the calls, that have a score more than a defined threshold, to this Blacklist LCR. Dynamic Blacklisting is useful when system owner wants to route 'suspect' calls through different route than 'normal' calls.

Example: calls from such countries as Nigeria, Sudan, etc. based on their IP/CallerID can be marked as 'suspects' and routed to some IVR or to the dead-end.

Dynamic Blacklisting settings

Dynamic Blacklisting settings are located in ADDONS -> Monitorings -> Dynamic Blacklisting:

Dynamic bl menu.png

How does it work

When a call comes to MOR, the system tries to find a score for the Source Number, Destination Number and SIP signaling IP. These scores are summed into a single value:

TOTAL SCORE = DST SCORE + SRC SCORE + IP SCORE

The total score is then compared against the defined Blacklisting Threshold value. If the total score is equal to or higher than the Blacklisting Threshold value, the system changes the LCR to the defined Blacklisting LCR.

It is important to understand that Dynamic Blacklisting checks all three scores (DST, SRC and IP) before deciding whether call should be blacklisted (changed LCR) or not.

Threshold

Before using Dynamic Blacklisting you need to define Blacklisting Threshold values in ADDONS -> Monitoring -> Dynamic Blacklisting -> Settings:

Dynamic bl settings thresholds.png

You can use up to 3 different Threshold values but for simplicity we will use only first one.

Calculated Blacklisting total score will be compared to this value. If calculated Blacklisting total score is equal or higher than 100, User’s current LCR will be changed to Blacklisting LCR. If total score is lower than 100, User’s LCR will not be changed.

Blacklisting LCR

When calculated Blacklisting score is higher than Blacklisting Threshold, User’s LCR is changed to Blacklisting LCR.

This LCR may contain specific Providers or can be completely empty. In case of an empty LCR, the call will be hung up with code:

204	No suitable providers found

How score is calculated

When call comes to MOR, Blacklisting score is calculated by finding score for SRC, DST and IP in Blacklisting database.

For example, let’s explain how score is calculated for Destination Number (DST). Source and IP score is calculated in the same way.

When a new number is dialed and it is not yet in the Blacklisting database, MOR tries to assign a score to the number by checking the Blacklisting prefix database, which can be defined in ADDONS -> Monitoring -> Dynamic Blacklisting -> Destinations (DST) -> Prefix scores:

Dynamic bl prefix scores.png

For example, if someone dials 93xxxxxx, MOR assigns score 70 to this number and puts this number along with score to Blacklisting database. Next time this number is dialed, MOR will know score by looking in Blacklisting database.

What happens when score is not set for prefix? For example, if someone dials 370xxxx but Prefix scores database does not have prefix for this number, then default score will be used. You can set default score in ADDONS -> Monitoring -> Dynamic Blacklisting -> Settings:

Dynamic bl settings default scores.png

Note: numbers with default score will not be saved to Blacklisting database. System will assume that numbers that are not present in Blacklisting database have default score and use that score when calculating Blacklisting score.

The same principle is used for SRC and IP scores: when a call comes to MOR, Dynamic Blacklisting checks if the DST/SRC/IP is in the Blacklisting database; if not, it checks if a prefix exists in the Blacklisting prefixes database; if not, it uses the default Blacklisting score.

These 3 scores are summed (DST score + SRC score + IP Score) and compared against Blacklisting Threshold value. If total score is equal or higher, then User’s LCR will be changed to Blacklisting LCR.

If you use only DST blacklisting, you may leave Default SRC and Default IP scores 0. This way it will be easier to calculate Blacklisting score (DST score + 0 + 0).
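
The lookup order and threshold comparison described in this section, as an added example (not MOR source code). The `ScoreTable` class, the function names and all numbers and addresses are constructed for illustration, and longest-prefix matching is an assumption.

```python
# Added illustration of the lookup order described above; not MOR source code.
from dataclasses import dataclass, field


@dataclass
class ScoreTable:
    """Scores for one dimension (DST, SRC or IP). Hypothetical structure."""
    default: int = 0
    prefix_scores: dict = field(default_factory=dict)  # prefix -> score
    database: dict = field(default_factory=dict)       # full value -> score

    def lookup(self, value: str) -> int:
        # 1. A value already in the Blacklisting database uses its stored score.
        if value in self.database:
            return self.database[value]
        # 2. Otherwise check prefix scores (longest match: an assumption here).
        matches = [p for p in self.prefix_scores if value.startswith(p)]
        if matches:
            score = self.prefix_scores[max(matches, key=len)]
            self.database[value] = score  # saved, so the next call hits step 1
            return score
        # 3. Otherwise the default score applies and nothing is saved.
        return self.default


def route_call(dst, src, ip, tables, threshold, user_lcr, blacklisting_lcr):
    """Return (total_score, lcr) for one call."""
    total = (tables["dst"].lookup(dst)
             + tables["src"].lookup(src)
             + tables["ip"].lookup(ip))
    # Equal to or higher than the threshold changes the LCR.
    return total, (blacklisting_lcr if total >= threshold else user_lcr)


def build_sample_tables():
    """Constructed sample data: DST prefix 93 scores 70, one IP scores 30."""
    return {
        "dst": ScoreTable(default=0, prefix_scores={"93": 70}),
        "src": ScoreTable(default=0),
        "ip": ScoreTable(default=0, database={"192.0.2.10": 30}),
    }


if __name__ == "__main__":
    tables = build_sample_tables()
    calls = [
        ("9370000001", "37060000001", "192.0.2.10"),    # 70 + 0 + 30
        ("9370000001", "37060000001", "198.51.100.7"),  # 70 + 0 + 0
        ("37060000002", "37060000001", "192.0.2.10"),   # 0 + 0 + 30
    ]
    for dst, src, ip in calls:
        total, lcr = route_call(dst, src, ip, tables, 100,
                                "user LCR", "Blacklisting LCR")
        print(f"dst={dst} ip={ip} total={total} -> {lcr}")
    print("stored DST numbers:", sorted(tables["dst"].database))
```

The first sample call shows why all three scores matter: the DST score of 70 alone stays under the threshold of 100, but the same destination reached from a scored IP is rerouted.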

Blacklisting database

You can check already blacklisted numbers in ADDONS -> Monitoring -> Dynamic Blacklisting -> Destinations (DST):

Dynamic bl scores.png

In this page you can find, add, update or delete numbers.

If you want to import numbers to Blacklisting database, use following format in CSV file:

number1;score
number2;score
number3;score

SIP signaling IP

Due to technical limitations, Dynamic Blacklisting will use SIP signaling IP which may be different from RTP (media) of Originator.

Dynamic Blacklisting for specific Users

Dynamic Blacklisting can be enabled globally for all Users or for specific Users only.

If you want to enable Dynamic Blacklisting globally, go to ADDONS -> Monitoring -> Dynamic Blacklisting -> Settings and check Blacklist Feature enabled checkbox.

If you want to enable Dynamic Blacklisting for specific User, go to User’s edit page and change settings under Blacklisting / Whitelisting section:

Dynamic bl user settings.png

Dynamic Blacklisting script (advanced)

The Dynamic Blacklisting script lets you add numbers to the Dynamic Blacklisting database based on Blacklisting rules.

Some examples of Blacklisting rules:

  • Set score 100 to DST number if there are 2 or more calls during 5 minutes to the same number
  • Set score 100 to DST number if there are 5 or more calls with duration lower than 30 seconds to the same number
  • Set score 100 to DST number if there are 3 or more calls to the same number and number length is lower than 6 digits

These rules are defined in:

/usr/local/mor/blacklist.conf

Configuration file contains all rules with examples:

; ABOUT THIS FILE
;
; This configuration file describes blacklisting rules


; Rule types explained below


; Type: src
; Description: put a score on src, based on src number and number of calls FROM that src in a defined time period
;
; Examples:
;
; src,370123456,1,5,10
; src,*,5,60,100
;
; Examples explained:
;
; 1. If src '370123456' makes 1 or more calls during 5 minutes period, its blacklisting score will be set to 10
; 2. If any src makes 5 or more calls during 1 hour period, its blacklisting score will be set to 20


; Type: dst
; Description: put a score on dst, based on dst number and number of calls TO that dst in a defined time period
;
; Examples:
;
; dst,370,5,60,50
; dst,37621,5,60,30
; dst,*,10,10,10
;
; Examples explained:
;
; 1. If dst '37062255555' is dialed 5 or more times during 60 minutes period, its blacklisting score will be set to 50
; 2. If dst '37062155555' is dialed 5 or more times during 60 minutes period, its blacklisting score will be set to 30
; 3. If any dst is dialed 10 or more times during 10 minutes period, its blacklisting score will be set to 10


; Type: dstduration
; Description: put a score on dst, based on call duration to this dst number in a defined time period
;
; Examples:
;
; dstduration,370,30,5,3,45
;
; 1. If within last 5 minutes there are at least 3 calls to dst number 370xxxxxx that have duration shorter than 30 seconds, then dst number's score will be set to 45


; Type: srcduration
; Description: put a score on src, based on lowest call duration from this src number in a defined time period
;
; Examples:
;
; srcduration,*,60,1,2,45
;
; 1. If within last minute there are at least 2 calls from any src number that have duration shorter than 60 seconds, then src number's score will be set to 45


; Type: dstlength
; Description: put a score on dst, based on length of dst number and number of calls to this dst in a defined time period
;
; Examples:
;
; dstlength,*,6,1,5,10
;
; 1. If within last minute there are at least 5 calls to any dst number that has length shorter or equal to 6 characters, then dst number's score will be set to 10
;
; In this case:
;
; Number 370621 will be blacklisted
; Number 3706215 will not be blacklisted 


; Type: srclength
; Description: put a score on src, based on length of src number and number of calls to this dst in a defined time period
;
; Examples:
;
; srclength,*,2,5,3,30
;
; 1. If within last 5 minutes there are at least 3 calls from any src number that has length shorter or equal to 2 characters, then src number's score will be set to 30


; To comment out a rule, use ; character before rule


; Rules start here

Add your rules at the end of blacklist.conf file.

Note that the examples in your configuration file might be outdated, therefore use the examples from this page.

This script can be enabled or disabled at any time. Check Enable Dynamic Blacklisting script checkbox in ADDONS -> Monitoring -> Dynamic Blacklisting -> Settings:

Dynamic bl settings enable script.png

Note that the script does not work in realtime and blacklisted numbers are added to the Blacklisting database within a minute or two.

Also, only a single rule is applied to the same number at a time, so order your rules by priority.
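
A dry run of dst-type rules against call records is a practical way to see which numbers a rule set would score, and how rule order changes the result, before enabling the script. The following is an added example, not Kolmisoft's script: the field order is inferred from the commented examples above, the CDR tuples and rule set are constructed, and treating the first rule that fires as the only one applied is an assumption.

```python
# Added illustration; not Kolmisoft's script. Field order is inferred from the
# commented examples in blacklist.conf shown above.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed rules, ordered by priority.
SAMPLE_CONF = """\
; dstlength: prefix, max length, period (min), calls, score
dstlength,*,6,1,5,10
; dstduration: prefix, max duration (s), period (min), calls, score
dstduration,370,30,5,3,45
; dst: prefix, calls, period (min), score
dst,370,5,60,50
dst,*,10,10,10
"""


def parse_rules(text):
    """Parse dst, dstduration and dstlength rules; ';' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        kind, *rest = [p.strip() for p in line.split(",")]
        try:
            if kind == "dst" and len(rest) == 4:
                prefix, limit = rest[0], None
                count, period, score = map(int, rest[1:])
            elif kind in ("dstduration", "dstlength") and len(rest) == 5:
                prefix = rest[0]
                limit, period, count, score = map(int, rest[1:])
            else:
                raise ValueError("unsupported type or field count")
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from None
        rules.append({"kind": kind, "prefix": prefix, "limit": limit,
                      "period": period, "count": count, "score": score})
    return rules


def evaluate(rules, cdrs, now):
    """cdrs: (start, dst, duration_seconds) tuples. Returns {dst: score}."""
    by_dst = defaultdict(list)
    for start, dst, duration in cdrs:
        by_dst[dst].append((start, duration))
    scores = {}
    for dst, calls in by_dst.items():
        for rule in rules:
            if rule["prefix"] != "*" and not dst.startswith(rule["prefix"]):
                continue
            if rule["kind"] == "dstlength" and len(dst) > rule["limit"]:
                continue
            since = now - timedelta(minutes=rule["period"])
            recent = [d for start, d in calls if since <= start <= now]
            if rule["kind"] == "dstduration":
                recent = [d for d in recent if d < rule["limit"]]
            if len(recent) >= rule["count"]:
                scores[dst] = rule["score"]  # score is set, not added
                break  # assumption: the first rule that fires is the only one applied
    return scores


def sample_cdrs(now):
    """Constructed CDRs: three destinations with different call patterns."""
    cdrs = [(now - timedelta(seconds=10 * i), "370621", 5) for i in range(5)]
    cdrs += [(now - timedelta(minutes=m), "37062255555", 10) for m in (1, 2, 3)]
    cdrs += [(now - timedelta(seconds=20 * i), "3706215", 5) for i in range(2)]
    return cdrs


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0)
    rules = parse_rules(SAMPLE_CONF)
    print(evaluate(rules, sample_cdrs(now), now))
    # Same CDRs with the dstlength rule moved to the end of the file.
    print(evaluate(rules[1:] + rules[:1], sample_cdrs(now), now))
```

With the rules as listed, 370621 is scored 10 by the dstlength rule; moving that rule to the end lets the dstduration rule fire first and the same number is scored 45.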

Troubleshooting

To enable verbose Dynamic Blacklisting log in /var/log/asterisk/messages, make sure that debug messages are included in /etc/asterisk/logger.conf file, for example:

messages => notice, warning, error, debug, verbose

Most of Dynamic Blacklisting log messages are [DEBUG] type messages.

If you are using Dynamic Blacklisting script, make sure that script is executed by cron. Check if /etc/cron.d/mor_blacklisting_script cron is present.

Log for Dynamic Blacklisting script can be found in /var/log/mor/mor_blacklisting_script.log