Buy or Renew
Buy or Renew
Cisco + Splunk: Itā€™s a new day for your data. Learn more.
Ā 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
477
Views
0
Helpful
4
Replies

Expressway spam calls with an ip address

Go to solution
extremum
Level 1
Level 1

ā€Ž11-16-2022 12:52 AM

Hi Guys ,

There ara a lot of spam calls coming to expressway-e , we have already configured an CPL to block these calls thus they are blocking , but some calls are hitting our internal device like as source is an ip x.x.x.x and the destination is our device 1234@ourdoimain.com , we added new rules to block x.x.x.x it works but now they are coming as x.x.x.y , btw all of these calls are sip calls. My question is , is there any way to create CPL rule to block all incoming calls if source is just an ip ? Or if it is possible we want to block the subnet like as x.x.x.x/24  .

Our CPL is like as below ;

 

<taa:rule unauthenticated-origin="x.x.x.x" destination=".*">
<reject status="403" reason="Denied by policy"/>
</taa:rule>

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jonathan Schulenberg
Hall of Fame
Hall of Fame

ā€Ž11-16-2022 02:52 AM

Both are possible; you just need to build the RegEx pattern. Example: (.+@)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}((:|;).*)?

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jonathan Schulenberg
Hall of Fame
Hall of Fame

ā€Ž11-16-2022 02:52 AM

Both are possible; you just need to build the RegEx pattern. Example: (.+@)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}((:|;).*)?

0 Helpful

Go to solution
extremum
Level 1
Level 1
In response to Jonathan Schulenberg

ā€Ž11-16-2022 03:13 AM

Hello Jonathan ,

thanks for your advice , i think  d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}((:|;).*)? is works for me because i do not want to block something@x.x.x.x  just want to block x.x.x.x , when i check the pattern on exp i see that " IP address aliases are not supported for pattern matching " it does not mean this pattern does not work with CPL , right ?

0 Helpful

Go to solution
Jonathan Schulenberg
Hall of Fame
Hall of Fame
In response to extremum

ā€Ž11-16-2022 06:29 AM

AFAIK, CPLs do not act upon direct IP calls, as that error message indicates. Unless you have defined a Fallback Alias (Configuration > Dial Plan > Configuration)  Expressway-E will just drop those call attempts though. Setting a Fallback Alias is rarely a good idea, IMO. The only time I have seen it used is with an MCU video IVR: legacy hardware only capable of a direct IP call would be connected to the MCU to enter a meeting ID they wanted to join.

0 Helpful

Go to solution
extremum
Level 1
Level 1
In response to Jonathan Schulenberg

ā€Ž11-16-2022 06:59 AM

Calls are coming as source as like below ;

Alias (1)
Type: Url
Origin: Unknown
Value: 1.2.3.4
So ı created a rule like as below ; and i block "1.2.3.4" but it is not enough because they will try call  as 1.2.3.5 later ...

<taa:rule unauthenticated-origin="1.2.3.4" destination=".*">
<reject status="403" reason="Denied by policy"/>
</taa:rule>

AFAIK Fallback Alies configuration is just for the destination  , if someone call us with just our domain we can forward these calls to alias@domain .

0 Helpful
Customers Also Viewed These Support Documents