Forwarded Calls Blacklist

In the Forwarded Called Numbers and Countries pages, forwarded calls by called numbers or destination countries can be whitelisted or blacklisted.

Call forwarding fraud can occur when a subscriber has the capability to enable international call forwarding on their line by configuring their settings within a CommPortal. If a hacker can successfully obtain the password for the subscriber’s CommPortal account, then they can enable call forwarding to a high-cost international number. The hacker can make a large volume of calls to the subscriber’s line, which will then be forwarded to the international number. ClearIP’s forwarded call blacklists can protect against this vulnerability if subscribers have the capability to enable international call forwarding but do not typically forward calls to international destinations.

Forwarded calls are still monitored by ClearIP’s general Whitelist/Blacklist pages such as the Whitelist/Blacklist Called Countries page. The forwarded blacklists are an optional tool that can be used if the blacklisting rules should be more restrictive for forwarded calls than the blacklisting rules for general calls. If no forwarded blacklist rules are created, then ClearIP applies the general blacklist rules for all non-forwarded and forwarded calls.

Diversion Header

ClearIP determines whether a call has been forwarded by checking for a Diversion header in the SIP INVITE. The forwarded blacklists can be useful for preventing calls from being forwarded to international or high-cost destinations.

Here is an example SIP INVITE with a Diversion header.

INVITE sip:+18554742536@sip.clearip.com:5060 SIP/2.0
Via: SIP/2.0/TCP sip.clearip.com:5060
From: <sip:+14045266060@transnexus.com:5060>
To: <sip:+18554742536@sip.clearip.com:5060>
Diversion: <sip:+14045266061@10.50.65.10:5060>;reason=unconditional
Call-ID: 123456
CSeq: 1 INVITE
Content-Length: 0

In the example, a call is originally made from 1-404-526-6060 (From header) to the subscriber’s number 1-404-526-6061 (Diversion header). The subscriber has enabled external call forwarding to the number 1-855-474-2536 (To header). ClearIP sees the outbound call leg where the call is forwarded from 1-404-526-6061 to 1-855-474-2536. The number 1-404-526-6061 in the Diversion header, after number translation rules are applied, is used to populate the Translated Calling Number field, which is used for blacklisting and fraud trigger rules. The original calling number 1-404-526-6060 in the From header is used to populate the Asserted Calling Number field.

If the call contains a Diversion header in the SIP INVITE, the Forwarded field in the SIP Messages page will be set to Yes. Otherwise, this field will be set to No.

Example Forwarded Blacklist

ClearIP can prevent fraud attacks where calls are forwarded to various international countries. In the example below, all calls received by ClearIP that have a Diversion header and a called country other than the US or Canada are immediately blocked.

Called Country    Action       Comment
(blank)           Blacklist
Canada            Continue
United States     Continue
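
The following sketch is an added example, not ClearIP code. It walks through the logic described above: detect the Diversion header, fill the Forwarded, Translated Calling Number and Asserted Calling Number fields, and apply the forwarded Called Country rules from the table. The function names, the small country prefix table and the sample messages are assumptions constructed for illustration, and number translation rules are omitted.

```python
import re

# Constructed, simplified prefix table (assumption). Real lookups need full numbering-plan
# data, e.g. area codes to tell the US, Canada and other +1 countries apart.
COUNTRY_PREFIXES = {"1": "United States", "1416": "Canada", "44": "United Kingdom"}
# Forwarded Called Country rules from the table above; the blank row is the default.
FORWARDED_RULES = {"Canada": "Continue", "United States": "Continue"}
FORWARDED_DEFAULT = "Blacklist"

def parse_headers(invite):
    """Return {lower-case header name: first value} for a raw SIP request."""
    headers = {}
    for line in invite.strip().splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers

def number_of(value):
    """Digits of the user part in a value such as <sip:+14045266061@host>."""
    match = re.search(r"sips?:\+?(\d+)@", value or "")
    return match.group(1) if match else None

def country_of(number):
    """Longest-prefix match against the constructed table; None if unknown."""
    hits = [p for p in COUNTRY_PREFIXES if (number or "").startswith(p)]
    return COUNTRY_PREFIXES[max(hits, key=len)] if hits else None

def evaluate(invite):
    """Classify one INVITE the way the page describes (number translation omitted)."""
    h = parse_headers(invite)
    forwarded = "diversion" in h
    country = country_of(number_of(h.get("to")))
    return {
        "forwarded": "Yes" if forwarded else "No",
        "asserted_calling": number_of(h.get("from")),
        # Assumption: without a Diversion header the From number is used here too.
        "translated_calling": number_of(h.get("diversion" if forwarded else "from")),
        "called_country": country,
        # Non-forwarded calls skip these rules; the general blacklists are not modelled.
        "action": FORWARDED_RULES.get(country, FORWARDED_DEFAULT) if forwarded else "Continue",
    }

# Constructed sample messages modelled on the example INVITE above.
SAMPLE = ("INVITE sip:+{called}@sip.clearip.com:5060 SIP/2.0\r\n"
          "From: <sip:+14045266060@transnexus.com:5060>\r\nTo: <sip:+{called}@sip.clearip.com:5060>\r\n"
          "{diversion}Call-ID: 123456\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")
DIVERSION = "Diversion: <sip:+14045266061@10.50.65.10:5060>;reason=unconditional\r\n"
```

Calling `evaluate(SAMPLE.format(called="442079460123", diversion=DIVERSION))` returns the Blacklist action, while the same destination without a Diversion header is not matched by the forwarded rules. A called number that matches no country also falls through to the default Blacklist row.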

Build SIP Reports to Check where Calls are Forwarded

Before creating country level forwarded blacklists, the SIP Reports can be checked to review which countries calls have been forwarded to. The called countries list can be compared with the complete list of countries recognized by ClearIP to build a Called Country forwarded blacklist.

On the SIP Reports page under the Analytics dropdown menu, the default report will display how many calls have been sent to different countries in the past hour. The SIP Report can be modified by selecting a longer date range (up to 1 year) and adding a filter with the Filter By set to Forwarded, Filter Type set to Equals and Filter Value set to Yes.

This SIP Report can be used to check whether forwarded calls are sent to international destinations. If many calls are forwarded internationally, it might not be preferable to implement restrictive blacklists on forwarded calls.

If forwarded calls are not often made to international destinations, it might be advantageous to implement forwarded blacklists.