08-22-2016 08:03 PM - edited 03-18-2019 06:18 AM
Hi all,
We have a VCS-E v x7.2.2, on a public IP, e.g. 119.95.218.65
We are getting tons and tons of missed calls from unknown callers, e.g. 100@119.95.218.65, 1001@119.95.218.65, 2001@119.95.218.65.
I believe these are hack attacks from VoIP SIP scanners?
Are there any ways to prevent this?
Appreciate any advice
08-22-2016 08:11 PM
It's a common issue with internet-facing VCS servers; if you google or search across the forum you will find a lot of similar discussions.
I believe you may be able to use CPL rules or policies to block. (That's what TAC suggested to me.)
Blocking IP addresses etc. doesn't help, as those can keep on changing.
-Terry
Please rate all helpful posts
08-22-2016 08:37 PM
This is a very well-known issue; you can start with this thread:
https://supportforums.cisco.com/discussion/12917996/sip-spam-call-attack-and-mcu-and-vcs-e
SIP UDP should be turned off on your VCS-E, and Cisco has, for a while now, had it turned off by default.
As far as the H.323 version goes, these can be defeated by using CPL.
Searching this forum for spam calls will give you quite a few results. :)
/jens
Please rate replies and mark question(s) as "answered" if applicable.
08-23-2016 08:17 AM
As the others have said, this issue is because your devices are reachable on the public internet and are being scanned by SIP scanners for the purpose of toll fraud.
If your VCS has been installed for some time, it might still have SIP UDP enabled under Configuration > Protocols > SIP; on newer deployments since X7.x this has been disabled by default. If it is enabled, I suggest you disable it; this will prevent most if not all of these types of calls that use SIP UDP.
Over the past few years, some have started to try to make toll fraud attempts via H323, but to prevent these attempts, you'll need to use a CPL script on the VCS, as there isn't anything you can simply disable without disabling H323 entirely. If you need help creating a CPL script, we can do that, but we'd need to see the search history so we can create the CPL to match the incoming/destination addresses.
For now, simply disable SIP UDP and see if the attempts stop. If they do not, or SIP UDP is already disabled, we can try using a CPL script.
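The triage step described in the reply above (checking search history to see which attempts SIP UDP accounts for and which would still need a CPL match) can be sketched as follows. This is an added example, not part of the original thread or any Cisco tooling; the record layout, the sample entries and the function names are assumptions, and only the IP address and the numeric caller aliases come from the original post.

```python
import re
from collections import Counter

VCS_PUBLIC_IP = "119.95.218.65"  # example address from the original post

# Constructed records: (source alias, destination alias, protocol).
# This tuple layout is an assumption, not a VCS export format.
SAMPLE_HISTORY = [
    ("100@119.95.218.65", "room1@119.95.218.65", "SIP/UDP"),
    ("1001@119.95.218.65", "room1@119.95.218.65", "SIP/UDP"),
    ("2001@119.95.218.65", "room1@119.95.218.65", "H.323"),
    ("alice@partner.example", "room1@corp.example", "SIP/TLS"),
    ("100@119.95.218.65", "room1@119.95.218.65", "SIP/UDP"),
]


def is_scanner_alias(alias, vcs_ip=VCS_PUBLIC_IP):
    """True for an all-digit user part at the VCS's own public IP,
    the caller pattern reported in the thread (e.g. 100@<vcs ip>)."""
    user, sep, host = alias.partition("@")
    return bool(sep) and host == vcs_ip and re.fullmatch(r"[0-9]+", user) is not None


def triage(history, vcs_ip=VCS_PUBLIC_IP):
    """Summarise flagged attempts per protocol and count what would
    remain for a CPL rule once SIP UDP is disabled."""
    flagged = [rec for rec in history if is_scanner_alias(rec[0], vcs_ip)]
    by_protocol = Counter(proto for _, _, proto in flagged)
    return {
        "flagged": len(flagged),
        "by_protocol": dict(by_protocol),
        # Distinct caller aliases: the input for a CPL origin match.
        "sources": sorted({src for src, _, _ in flagged}),
        "left_after_udp_off": len(flagged) - by_protocol.get("SIP/UDP", 0),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_HISTORY))
```

A non-zero `left_after_udp_off` means some attempts arrive over other protocols and the CPL route mentioned in the reply is still needed.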
08-23-2016 10:28 PM
Thanks for the valuable input. Will try disabling SIP UDP and see what the outcome is.