This article is for internal technical reference and training. End-users requiring support are encouraged to reach out to customer support at support@gazelletel.com.
It can be annoying when an end-user gets "ghost" calls, where the phone rings and there is nobody on the other side.
The answer is usually that the customer has become a victim of SPIT (yes, SPIT a.k.a Spam over Internet Telephony). In the VoIP world, SPIT is pretty common. Nefarious types looking to commit toll fraud will probe random IP addresses with a SIP dialer looking for a reply to a SIP INVITE. When they find one, they will try to break into the web UI of the phone to setup call forwarding to expensive destinations. When configured with default settings, most SIP phones will send a response to any INVITE they receive. This has the unfortunate effect of alerting the hackers to the presence of a SIP end-point and, annoyingly for the user, ringing the phone.
Unfortunately, incidences of this behavior have become more common since the release of the SIP scanning tool called SIP Vicious. To confirm that your end user is being scanned, check the PBX call history. If there are no call history logs on the switch, then you can be relatively certain that the calls are originating from a scanner.
Remediation Options
Change the SIP Listening Port
Since most SIP scanners focus on sending SIP INVITE messages to port 5060, one way to avoid these calls is to change the SIP listening port of the phones. This can be done with overrides. This method will not work if the scanner is walking every port.
#e.g. account.1.sip_listen_port="5070" Yealink: sip.listen_port="(port)" Grandstream: p40="port"
Block SIP Packets at the Firewall
Another option is to create a firewall rule that blocks all inbound SIP packets except those that originate from the SIP server's IP addresses.
Disable IP Calls
Some devices allow you to disable IP Calls (ie. you can force the phone to only accept inbound calls from the server it is registered to). Sample override settings are below.
#Polycom voIpProt.SIP.requestValidation.1.method="source" voIpProt.SIP.requestValidation.1.request="INVITE" #Yealink V73 Firmware and Below features.direct_ip_call_enable="0" account.1.sip_trust_ctrl="1" #Yealink V80 Firmware Plus features.direct_ip_call_enable="0" sip.trust_ctrl="1
Grandstream phones
In the Grandstream phones, you can deploy a couple of features to help block "anonymous" callers as well.
Check SIP User ID for Incoming Invite ( option ) Accept Incoming SIP from Proxy Only ( option ) Anonymous call rejection ( option )
Snom M100 KLE
The following forces the Snom M100 KLE to only accept traffic from the registered server.
trusted_servers.only_accept_sip_account_servers="1"