Did anyone else notice any problems with Comdial's latest bulletin regarding toll fraud in VM? Some of the instructions didn't quite seem correct. I emailed Comdial Tech Support about it, but have received no response, and the bulletin is still there, as-is. Maybe it's just me...

5Y&C:
I just took a look at it and didn't see anything odd. What is it that you found to be "not correct"? Maybe it's me--not you...

The part where it tells you to turn on outdial allowed in class of service. I can understand turning it on on the Line Information screen, but not in class of service. Doing so in class of service would allow a user (or malicious intruder) to log into a mailbox, press zero to make an outbound call, then dial the number and away they go. That kind of goes against the concept of preventing toll fraud. What it sounded like to me was that they meant to instruct you to turn it on on the Line Info screen, as this would be required for notification. Am I off base here, based on their instructions?

5Y&C:

Here is what they say:
******************
5. COS Create #1 and verify ‘Out Dial Allowed’ is set to “NO.”
6. Change the prototype mailbox to use COS 1.
7. Create COS #2 and set ‘Out Dial Allowed’ to “Yes” for those mailboxes that will need to use message delivery.
******************
# 5 allows NOo mailbox that is COS 1 to grab a line & dial out for any reason
# 7 allows COS 2 to outdial--this COS would only be for those who have pagers etc.

As far as I know (and I may be wrong here)--the "Outdial" option in Line Setup allows what ports are to be used for MW notification and outdialing---in otherwords which ports do you want to have the capability of doing that.

I think that they are saying that doing "outdials" from the mailbox is a weak security issue, possibly---but the other points that they mention, make the mailboxes more secure (passwords etc.) I think the term "message delivery" is somewhat misleading and should be "pager notification" or something like that.

Does this make any sense??

What I am saying is that "outdial allowed" in class of service is not required for message notification (message delivery to cell phone) or pager notification. It would only be required in the Line Info screen. That is why I am calling this incorrect. The way I am reading the bulletin, they are actually opening up more of a vulnerability. We always keep outdial allowed disabled in class of service, specifically for the purpose of preventing toll fraud. on every system with this disabled, we still have functional message and pager notification, because there are ports enabled for outdial in the Line Info screen.

OK...I stand corrected. I had always thought that you had to allow the MB to outdial for pager notification. I'll have to read the manuals again on this. It says--"This field indicates whether the owner of a mailbox belonging to this class of service is allowed to place outgoing calls from the mailbox." I had always read "outgoing calls" to mean "outgoing page notification" If you are getting pager notification without that being allowed, then it must be for something else. So, again, the "Message Delivery" phrase seems to be somewhat hazy in my mind. Let's see if JWooten, CMDLGuy, BigDog, markk, Tip or some of the others can shed some light on this. My head is starting to hurt.

According to section 7-18 of the manual this setting only effects the mailboxs user's ability to dial "0" from their mailbox's main menu to access a three-way cal trabsfer out of the mail box and does't effect the ability to exterbal notification or transfer the caller to an external number from the box.

Kerry

I just set mine up to call through by allowing it in COS. When I get to the mailbox and hit zero it asks for the number to transfer to, I put it in, and keylink says it's doing a 3 way call, but it never establishes a connection. It seems to put me on hold but it doesn't seize a line and dial. There must be some other required parameter. Appears this setting doesn't allow toll fraud.
mark

Mark,

I m not sure but I think that three way call transfer needs Centrex services on the trunk to work. Look at Sequence to Transfer Three way call and it should give you an idea.

Kerry

kerry,
centrex or 3 way calling on the line, and I have 3 way calling on the lines. I don't care to use it, I just wanted to see the senario in the thread. If I have to get out the manual, somebody has to get billed.
mark

Yeah, Mark, If its not working in default, I wouldn't chase it any farther either. But it kind begs the question why Comdial put a bulletin out on it, CYA? I haven't read the bulletin, (was with a Comdial dealer 10 yrs and now out own my own and not associated with Comdial anymore). Curious, are you on a DX-80 or something else.

Kerry

yeah, a dx80 with a 4 port flash - A33 and the latest VM, but until a customer wants to do this, I really don't care about it.
mark

Well, the reason I was concerned about it is because right around the time the bulletin was released, I was working on locking down a system that was actively getting hit with toll fraud. So I was taking every precaution, looking for any potential backdoor that could be exploited. This was one I found as being a possibility, so I was just surprised to see Comdial telling dealers to turn it on.

The main reason that they want you to change the class of service for the prototype mailbox is that the default supervisors mailbox and password is out in the relalm of the hackers. By changing that to a COS that does not allow out dialing is so that the hackers who get in via the supervisors box and create a mailbox and use call transfer functions to output strings of numbers to dial out and call a international number that winds up going back to them and they get money for the calls.

Its always a good idea to change the default passwords and logins.

DJ

I have had hackers into a voicemail or two, good words to take in. Changing passwords, especially the supervisors mailbox.

Hello, we had an incident of suspected toll fraud with one of our MP5000/FXII client over the weekend. Can someone guide me through making sure the phone system/vmail are secured from fraud other than changing the supervisor's vmail password to more longer and secured password which we've done in the past.

Thanks for your time.

Pretty old post Sonny buy you need to make sure your vm ports can not dial out. Also disable conf calling in the mailboxes. Changing the passwords is your first defense. Both the mailboxes and the super.