[OpenSIPS-Users] Fraud Detection Module - Double Counting Calls?

Jonathan Mabrito mabritoj at gmail.com
Wed Jan 8 11:27:58 EST 2020 

Good Day All,

We implemented the Fraud Detection module for our 2.3.6 setup in the
spring. Works great, but I noticed something off with it last month that I
cannot figure out. We started getting alerts about sequential calls that do
not add up and match the CDR data from the accounting module. I do not want
to post the CDR data, so hopefully descriptions are fine. Based on our set
thresholds, I started getting alerts from the fraud triggered warnings (Use
RabbitMQ to receive the messages and translate those messages into emails):

  E_FRD_WARNING

param::total calls

value::12

threshold::10

user::18662710573

called_number::99011966560690444

rule_id::73


The alert in that example said there were 12 sequential calls, but the CDR
data only shows 6 sequential calls.  I started noticing this been the trend
for other sequential patterns as well and verified this live by making a
call and checking the stats with the "show_fraud_stats" command. If I place
one call, the show command shows 2.


I only check for fraud on the outbound side and this is my script snippet
for outbound calls:


#Check Blacklist
xlog("Checking global blacklist \n");
if (!check_blacklist("global_blacklist"))
{
send_reply("403", "Blacklisted");
exit;
}

#Check for Fraud
xlog("Checking for fraud \n");
check_fraud("$fU", "$rU", "1");

xlog("Call is an outbound call\n");
xlog("Before DialPlan Normalization: $ru \n");

if(dp_translate("0", "$rU/$rU")){
xlog("SIP URI Normalized to $ru \n");

#Find the best route in Dynamic Rule Table for Set 0
if(!do_routing("0")){
xlog("No route found for $ru in routing group 0 \n\n");
send_reply("404", "No route found");
exit;
}


//Ommited some other stuff


t_relay();
exit;


I am not sure if this is just sequential issue or if CPM, etc are affected
as well. Trying to determine that still.

Any idea on this?
-- 
- Jonathan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20200108/9e45e80f/attachment-0001.html>

More information about the Users mailing list