atcomsystems.ca/forum Forums TDM Business Telephone Systems NEC Telephones & Systems Need to solve mystery....

I contacted my carrier (PaeTec) and they told me that the calls are not originating from my network?

PaeTec is owned by Windstream. One of our customers has a PRI from Windsteam, they were notified by them there were international calls made from their in house equipment(SV8100)We enabled SMDR, records showed no international calls from the 8100. Windstream said there was no way hackers got into their network blah blah blah, but did say the software on their router was outdated, they did a upgrade and afterwards no more international calls. They still say the problem was with our customers equipment.

Just saying, don't rule them out.

I was hoping to get further with PaeTec (Windstream) - in less than twenty four hours they came back with the following message:

We do not see these calls in records, which would support the conclusion that these are not originating from your location. Unfortunately, the repair center is not able to assist further in this matter, since the calls are not present on our network. You may wish to engage our fraud team or your local law enforcement if you continue to receive reports of this line calling 911. The calls are not originating from your site, or anywhere on our network.

First, I am going to look into the voicemail suggestion (Thanks). I now know the location (extensions) that ring to the number the authorities provided. Fortunately, the intervals have been approximately a week apart (at random times). Yes, if I have to get someone out here, I have no problem. I just did not want someone wondering all over our campus and than stating that there is no problem...I have been down that road before.

Again, Thank You everyone for your input!

It is pretty pointless checking the Voicemail as PaeTec have already told you the calls are not originating from your site or even within their network.

I would suggest someone is spoofing the number from a SIP service so you would need to get the authorities involved.

In the meantime, if you don't use the number for outbound calls, have PaeTec bar all outgoing on that number and see if the calls continue.

I just thought I would share…hopefully, the outcome helps someone else.

Well, I spent all morning on the issue. I first called our carrier. Sorry, but from a network administrator's perspective, I would be responsible for resolving any malicious use of my data network.

Anyway, I contacted the Fraud Department for Windstream (My Carrier). I discovered that the only way I was going receive assistance is if;

I have a court order or I have a known solicitor / debt collector that is harassing us?

Being that we are originating the calls to 911...they will be no help. The attendant told me to contact my local authorities. Hence, I called the authorities only to be told; Have your carrier send someone out - we know that calls are coming from you because we have verified the number. "Spoofing or no spoofing, you need to resolve it." There I totally agree.

But there is no way for you to resolve it, you have been informed by your carrier that calls are not originating from your site and not even from within their network.

What else are you supposed to do? it is not in your control and not in your service providers control. Irrespective of what they have verified (I would be asking them how they have verified it) if someone is spoofing your number, how do they expect you to track the culprit down?

Even you are saying that you are originating the calls when your carrier says you aren't. It's one thing to look for a needle in a haystack but when you have been told that the needle isn't even in there it is pretty pointless.

Thinking outside the box, there's a published number and an ANI number that can be assigned to a PRI. Try having the carrier change the 911 number away from the published number, but keep the published number in the 911 database. Now when calls come in, you will know if someone is spoofing the ANI or it's really coming from your site.

Just a thought.

Carl

what you need to do here is to document everything.

I'm not a lawyer: I'm a phone guy. So this isn't advice, it's just two guys talking.

Make a file with a written, yes, written copy of the information from your carrier, stating that the problem originates offsite. in that file, put all the data you've gotten from the authorities who are reporting the 911 calls to you. Document everything you've done to track this down. Dates, times, who you talked to, what they said, every piece of paper, your scratch-paper notes, everything: It goes into that folder.

Why? For CYA. In the event that the authorities start charging you for false 911 calls, you need to be able to document what you've done to fix the problem. If you get sued for some reason, God forbid, you need to cover your butt by showing you've done everything that a reasonable person would do.

Next, do what BrokeDA told you to do: Hire a licensed NEC tech. SMDR output is a feature of the Elite. A licensed NEC tech can connect a printer so that you get raw SMDR.

I know, when you first saw SMDR in this thread, you googled it and learned all about Call Accounting systems, and you said to yourself, "We don't have that and we don't want it." That's fine, you can read the raw SMDR. It's not rocket science, and the Certified NEC tech can show you how to read it.

Why do you need it? Again, to CYA. The SMDR proves that the call did or did not start at one of your extensions. Without it, if you wind up in court, the first question you will be asked is, "Where's your SMDR output?" to which your answer will be, "Um..."

Get the Certified Tech to set up SMDR. Period.

But but but but a tech costs money. Yes, but one or two hours of tech time costs LESS than the fees for repeated 911 calls. So bite the bullet and do it.

If you get another incident, AND the SMDR says it did not happen on your site, you can show the authorities and you now have proof.

If you get an incident and it DID happen on your site, you will know what extension, when, and what they dialed. For example, suppose you have a series of calls around 2 AM, from extension 202, that look like this:

1:58 90
1:59 911
1:59 901144255551111
2:23 901144255552222

Then your janitor is calling his Momma in London at night. And he's fat-fingering the 9011 for international, which is why you're getting 911 calls.

And if that's going on, you want to know, for several reasons. Or maybe SMDR will tell you

1:58 111
1:59 111111
2:02 111 11 1

or something like that. So then you know that the extension is getting shorted and simulating pulse dialing. And for liability reasons, most PBXes are set up to read 9+11 as 911, so 11 may also outpulse as 911.

And there's the smoking gun.

So:
1. Document everything, and
2. Get a certified NEC tech out to set up SMDR.

If you can't find one, say where in CA you are, and someone here can refer someone.

I had a similar issue with an fax (clearly marked DO NOT DIAL A 9) when the users were faxing over sea. I got so fed up I posted a note next to fax. "The 911 Command Center has alerted us to continued calls from this fax machine. If it continues a fine will be issued. The company has decided that the fine will be deducted from the end users pay."

You would be surprise how fast they learn how to dial.... just saying

How Important is the actual Phone number?

If its a Rollover or not often called you can have windstream change the number.
You may be able to get it as a Remote Call Forwarded in number, to the new number. That way the number no longer originates from the site.

My wife's company uses Windstream. Hackers were able to take over the Windstream Adtran after hours and make calls across the globe. They have an ancient Nortel that doesn't even have a modem on it. It took Windstream weeks to figure out how it was happening while they continued to claim the PBX was hacked.