Description

Blacklist functionality is part of Monitorings add-on.

Blacklist functionality Dynamic Routing is based on a smart logic which puts a 'score' on the call by its SRC, DST or SIP signaling IP and allows routing calls with high score over different route. This functionality gives you an ability to define LCR as Blacklist Providers group. These Providers work like any other Provider in MOR system. MOR reroutes all the calls, that have a score more than a defined threshold, to this Blacklist LCR.

This functionality is useful when system owner wants to route 'suspect' calls through different route than 'normal' calls.

Example: calls from such countries as Nigeria, Sudan, etc. based on their IP/CallerID can be marked as 'suspects' and routed to some IVR or to the dead-end.

Configuration

You can manage

• Single User settings in User Details
• Global settings in ADDONS –> Monitorings –> Settings

Blacklist Feature enabled – enables Blacklists functionality in all system.

Threshold #1 - #3 – sum of SRC, DST and SIP signaling IP limit. If SRC, DST or SIP signaling IP scores sum, received during the call, is bigger than particular Threshold, call will be routed through selected LCR.

Threshold #1 must be lower than Threshold #2, Threshold #2 must be lower than Threshold #3. 0 stand for Disabled Threshold.

LCR – LCR with Balcklist Providers. First one will be used when SRC, DST it IP scores sum will be between Threshold #1 and Threshold #2. Second LCR will be used when SRC, DST it IP scores sum will be between Threshold #2 and Threshold #3. And third LCR will be used when SRC, DST it IP scores sum will be higher than Threshold #3.

Default scores – Default scores of SRC, DST or SIP signaling IP. There will be cases where MOR will not find a score for a given SRC, DST or SIP signaling IP. In each of the cases MOR will add the missing values from these settings.

Use default blacklisting rules – check this to use Blacklisting Script for SRC, DST or SIP signaling IP scoring.

This feature is designed to stop the score manipulation done by the blacklisting script (Intelligence). This feature is used in the situation where we want to disable the score number manipulation done by the blacklisting script but still keep the blacklist functionality.

As an example, maybe we will notice in the future that we have incorrectly setup the blacklisting script rules and as a result we are getting some false positives into our blacklist. In this case we don't want to completely disable the blacklisting feature but just disable the blacklisting script until we have had enough time to go back to the CDR analyses and figure out the correct values that need to be defined for the correct functioning of the blacklisting script.

If the Use default blacklisting rules is set to no then the MOR system should continue to add source numbers, destination numbers and source IP addresses to the blacklist database, but the blacklist script should not run and change the database values.

Blacklisting Script (Intelligence)

MOR does not know anything about the script and does not care about it. This script is INDEPENDENT from MOR.

What it will do is to try to figure out what a blacklisted call could look like. For example it could be that a customer of a customer tries to call one specific number more than 10 times a day or more than 5 times within one hour. Or there are many calls generated by one source phone number or one source IP media. It all depends on experience and assumptions and that may be different for all customers.

To use default blacklisting rules you have to create your own script:

• Script can be done in any language.
• Script can be placed anywhere in the system
• It is advisable to run this script periodically with Cron
• It should analyze CDRs and make decisions based on various criteria.
• After that it should populate appropriate DB fields to put scores for various values.

The script to change scores could work like this:

If a destination_number was called more than DST-n1 times within DST-t1 minutes then DST-Score = DST-Score + DST-v1
If a destination_number was called more than DST-n2 times within DST-t2 hours then DST-Score = DST-Score + DST-v2
If a source_number was calling more than SRC-n1 times within SRC-t1 minutes then SRC-Score = SRC-Score + SRC-v1
If a source_number was calling more than SRC-n2 times within SRC-t2 hours then SRC-Score = SRC-Score + SRC-v2
If a source_IP_number was calling more than SRC-IP-n1 times within SRC-IP-t1 minutes then SRC-IP-Score = SRC-IP-Score + SRC-IP-v1
If a source_IP_number was calling more than SRC-IP-n2 times within SRC-IP-t2 hours then SRC-IP-Score = SRC-IP-Score + SRC-IP-v2
If a source_number was calling more than SRC-n1 times within SRC-t1 minutes then DST-Score = DST-Score + DST-v1

Variables like DST-n1 to SRC-IP-v2 need to be defined manually.

Example

If a destination_number was called more than 5 times within 60 minutes then DST-Score = DST-Score + 100
or
If a source_IP_number was calling more than 40 times within 5 hours then SRC-IP-Score = SRC-IP-Score + 100
or
If a source_number was calling more than 1 time within 5 minutes then DST-Score = DST-Score + 50

NOTE: It is not possible to set X amount of times within X amount of seconds

It should be set X amount of times within X amount of minutes (not seconds).

Moreover, script will not block immediately. It depends on how often cron launch blacklisting script.

If you want to create such script, please contact Kolmisoft, we will consult how to do this, will provide necessary database info and all other details.

Blacklisting configuration file with examples

 ; ABOUT THIS FILE
 ;
 ; This configuration file describes blacklisting rules
 
 
 ; Rules have the following structure: 
 ;
 ; type,prefix,count,period,score
 ;
 ; type   - type of rule (src/dst/ip/dstsrc/dstduration/srcduration/srclength/dstlength/srcbldst)
 ; prefix - prefix or keyword (only for src) used to match the target (src/dst/ip)
 ; count  - how many TIMES this target can be dialed/make calls during specified period of time (in minutes), before this rule is applied
 ; period - defines the PERIOD of time (in minutes) which is used to check calls (takes all calls made within last X minutes)
 ; score  - score that will be ADDED to previous score of the target
 ;
 ; Note1: to match all the targets of the same rule type, use * symbol instead of prefix
 ; Note2: in case of dstduration and srcduration, count is time in seconds of a call
 ; Note3: in case of dstlength and srclength, count is the length of the number
 ; Note4: in case of dstsrc rule, you can you EMPTY keyword instead prefix. This allows to block dst if numbers without src are calling to this dst
 ; Note5: in case of srcbldst rule, count is blacklisting score of dst number
 ;
 ; Rule types explained
 
 
 ; Type: src
 ; Description: put a score on src, based on src number and number of calls FROM that src in a defined time period
 ;
 ; Examples:
 ;
 ; src,mor,1,5,10
 ; src,1001,1,10,20
 ;
 ; Examples explained:
 ;
 ; 1. If src 'accountant_mor_25' makes 1 or more calls during 5 minutes period, its blacklisting score will be updated by 10
 ; 2. If src '1001' makes 1 or more calls during 10 minutes period, its blacklisting score will be updated by 20
 
 
 ; Type: dst
 ; Description: put a score on dst, based on dst number and number of calls TO that dst in a defined time period
 ;
 ; Examples:
 ;
 ; dst,370,5,60,50
 ; dst,37621,5,60,30
 ; dst,*,10,10,10
 ;
 ; Examples explained:
 ;
 ; 1. If dst '37062255555' is dialed 5 or more times during 60 minutes period, its blacklisting score will be increased by 50
 ; 2. If dst '37062155555' is dialed 5 or more times during 60 minutes period, its blacklisting score will be increased by 30
 ; 3. If any dst is dialed 10 or more times during 10 minutes period, its blacklisting score will be increased by 10
 
 
 ; Type: ip
 ; Description: put a score on ip, based on ip address and number of calls FROM that ip address in a defined time period
 ;
 ; Examples:
 ;
 ; ip,78.35,1,15,1
 ;
 ; Examples explained:
 ;
 ; 1. If ip '78.35.45.21' makes 1 or more calls during 15 minutes period, its blacklisting score will be increased by 1
 
 
 ; Type: dstsrc
 ; Description: put a score on dst, based on src number and number of calls FROM that src in a defined time period
 ;
 ; Examples:
 ;
 ; dstsrc,anonymous,1,5,50
 ; dstsrc,EMPTY,1,5,50
 ; 
 ; 1. If src 'anonymous' makes 1 or more calls during 5 minutes period, then blacklisting score will be increased by 50 TO THE NUMBER USER HAS DIALED (dst number)
 ; 2. If call with no src makes 1 or more calls during 5 minutes period, then blacklisting score will be increased by 50 TO THE NUMBER USER HAS DIALED (dst number)
 
 
 ; Type: dstduration
 ; Description: put a score on dst, based on lowest call duration to this dst number in a defined time period
 ;
 ; Examples:
 ;
 ; dstduration,370,30,5,45
 ; 
 ; 1. If within last 5 minutes there are calls to dst number 370xxxxxx that have duration shorter than 30 seconds, then dst number's score will be increased by 45
 
 
 ; Type: srcduration
 ; Description: put a score on src, based on lowest call duration from this src number in a defined time period
 ;
 ; Examples:
 ;
 ; srcduration,*,60,1,45
 ; 
 ; 1. If within last minute there are calls from any src number that have duration shorter than 60 seconds, then src number's score will be increased by 45
 
 
 ; Type: dstlength
 ; Description: put a score on dst, based on length of dst number and number of calls to this dst in a defined time period
 ;
 ; Examples:
 ;
 ; dstlength,*,6,1,10
 ; 
 ; 1. If within last minute there are calls to any dst number that has length shorter or equal to 6 charaters, then dst number's score will be increased by 10
 ;
 ; In this case:
 ;
 ; Number 370621 will be blacklisted
 ; Number 3706215 will not be blacklisted
 
 
 ; Type: srclength
 ; Description: put a score on src, based on length of src number and number of calls to this dst in a defined time period
 ;
 ; Examples:
 ;
 ; srclength,*,2,5,30
 ; 
 ; 1. If within last 5 minutes there are calls from any src number that has length shorter or equal to 2 charaters, then src number's score will be increased by 30
 
 
 ; Type: srcbldst
 ; Description: put a score on src if user calls to dst which has equal or higher score than defined
 ;
 ; Examples:
 ;
 ; srcbldst,*,60,2,30
 ;
 ; 1. If within last 2 minutes any src number made a call to dst which has blacklisting score 60 or higher, then src number's score will be increased by 30
 
 
 ; To comment out a rule, use ; character before rule
 ;
 ; Note: only one rule will be applied to the same src/dst/ip so rules should be ordered by prefix length (from longest to shortest (or *))
 
 ; Rules start here, please modify them
 
 
 src,mor,1,5,10
 src,1001,1,10,20

See also

• Monitorings Settings
• User Details
• LCR