Home Blog Securing Expressway Deployment from Spam & Toll Fraud Calls


Dec 15
Securing Expressway Deployment from Spam & Toll Fraud Calls
Posted by Freddy Tabet

If you have an Expressway Deployment in your network, whether its for Mobile & Remote Access or Business to Business calling, chances are you’re receiving hundreds of spam calls per week. To find out if you’re receiving spam calls, a simple check on your call history should reveal that.

Securing Expressway Deployment from Spam & Toll Fraud CallsSource: Cisco MRA Guide .

  • Login to your Expressway E.
  • Go To Status, Calls and Call History
  • You would see a list of calls from unknown numbers and some maybe that have your domain.
  • Similar to the below:

Securing Expressway Deployment from Spam & Toll Fraud Calls

I. Affects of Spam Calls on your Expressway Deployment

Spam calls that get through to the expressway are processed against:

  1. Transform Rules and Search rules and depending on the number of them can stay up to 90 seconds in the Expressway.
  2. If they matched a Business-to-Business Search rule, they would consume a Rich Media Session License if it exists.
  3. Spam calls if they made it to the PSTN and incur charges on you, they turn into a Toll Fraud.
  4. Spam calls fill your call history.

    II. Where do these Spam Calls Originate from?

It’s a BOT on the internet that sends out SIP invite and SIP Option Messages. It hopes to reach the PSTN and incur charges on the network. Its purpose is not to cause denial of service, but it could reach 2 to 3 calls per second. Even if you have CPL configured (explained below), BOT will still receive 403 Forbidden message, so it knows that there’s an Expressway. So it keeps trying with different calling and called patterns. The solution is to make the Expressway invisible.


III. Where should Spam calls be blocked?


  1. Firewall is the perfect place to block SPAM Calls. It blocks certain IP addresses and domain from setting up TCP connections to your Expressway.
  1. Expressway CPL: a good place to stop the SPAM call as it would prevent it from consuming processing, memory or possibly RMS license.
  2. Usage of Calling Search Spaces and Partition on the Call Manager is another place to block Spam calls but preferably we would like to block them before this point.


IV. How to Block Spam Calls?

         Three things are needed to block SPAM Calls:

  1. Configure CPL
  2. Enable Automated Intrusion Prevention System (IPS)
  3. Expressway Internal Firewall


V. Configuring CPL
  1. First step in the Default Zone set Authentication Policy to: Do not Check Credentials
    A. On Both Expressways, go to Configuration Zones Zones
    B. Click on Default SubZone and make sure Authentication Policy is: Do not Check Credentials

  2. Traversal Zone and B2B Zones: Set Authentication Policy: Treat as authenticated
    A. CPL will not run on authenticated Zones and SPAM calls are mostly routed through default zones
    B. Only Inbound Calls will be checked for CPL no need for outgoing calls

  3. CPL can be configured only on Expressway E but for added security can be done on both Expressways.

  4. Go to Configuration Call Policy Configuration
    A. Set Call Policy Mode to Local
    B. Click Save

  5. Go to Configuration Call Policy Rules
    A. Click on New
    B. Source Type
    i. Here you can select either address or zones
    ii. Address allows you to enter Source Regex or IP and not only Destination
    C. Rule Applies to: Select to unauthenticated callers

  6. Source Pattern:
    i. Optional, however, it’s a good place to configure this if you’re getting spam calls from source numbers that have your domain or expressway IP address.
    ii. 1000@lookingpoint.com or 1000@YourExpresswayIP.
    iii. Those are only supposed to originate from inside of your network
    iv. Calls from remotely registered Jabber or MRA would not come from the Default Zone, they would come from the MRA Traversal Zones and CPL rules will not apply there.
    v. To proceed with blocking SPAM calls originating from numbers that your domain or your Expressway IP address, fill the source pattern with:
  • *@yourdomain.com
  • *@yourIP.
    vi. Leave destination Pattern empty and for Action select Reject.

    E. Destination Pattern:
    i. Enter a pattern or patterns (you can create multiple rules) that summarizes your whole internal dial plan.
    ii. ie. if you’re internal number plan is 555 1XXX enter 5551\d{3}.
    iii. For action select allow.
    iv. If you’re creating a destination pattern that includes SIP URI, go for *.@yourdomain.com.

    7. After you finish creating Destination Patterns for all your internal dial plan and blocking calls originating from numbers@yourdomain.com and numbers@yourExpresswayIP, create a rule that blocks *.*. This will block everything that is not included in the above rules.

    8. CPL will now block Spam calls and with 403 Forbidden and will populate or be shown in the Call Logs.


Automated Detection

What automated detection does, is that it searches the call logs for a configured window of time, and when it sees a specific number of 403 forbidden messages that have been generated by the CPL, it will add that source IP address to the internal Expressway Firewall to block it. Thus, making the Expressway invisible to the BOT generating SIP Option and Invite Messages.

  1. On the Expressway go to System  Protection Automated Detection à Configuration
  2. Click on SIP authentication failure
  3. For state select On
  4. Enter any description
  5. Detection window: How Long should I count forbidden messages before resetting the count, default is 600 seconds, better to go with 3600 seconds or an hour. The longer the detection window the larger the IP addresses that can get blocked which might include a number of false positives
  6. Trigger Level: How many forbidden messages should I count per Detection Window (i.e. 1 hour), before I add this source IP address to the list of Blocked IP sources. 3 is a good number.
  7. Block Duration: How long should I keep blocking that IP address. 10,000 seconds, approximately 12 days would be a good number.
  8. So if a single Source IP address generates 3 forbidden messages in one hour, that IP address will be blocked by the Expressway’s Internal Firewall.


Expressway Internal Firewall

It is recommended to always check the list of Blocked IP address for a false positive, especially in the first days of implementation. For whatever reasons, you maybe blocking a legit IP address.    

  1. On the Expressway, go to System Protection Firewall Rules Current Active Rules
  2. You will see the list of IP addresses that have been blocked.
  3. Those lists are temporary and will expire when the time left is up.
  4. Some source IP addresses will be blocked on one node and not the other.
  5. If the Expressway was rebooted, all blocked IP addresses will be removed.
  6. If you find a source IP address that shouldn’t be blocked, you can unblock and exempt.
  7. Exempted IP addresses are permanent and do not expire or removed after reboot.
  8. Blocked IP addresses are not allowed to setup a TCP connection to the Expressway, thus preventing Spam calls from consuming any type of resources


Final Note

There are further ways to increase security, exporting the list of blocked IP addresses to the external firewall is one of the best.

It’s always a good idea to keep your expressway running on the latest version as well.

For whatever features you wish to deploy, always consult or research cisco documentation first.


As always if you have any questions on securing expressway deployment from Spam & Toll Fraud Calls and would like to schedule a free consultation with us, please reach out to us at sales@lookingpoint.com and we’ll be happy to help!

Contact Us

Written By:

Freddy Tabet, Network Engineer

subscribe to our blog

Get New Unique Posts