
Question about phone reports and ANI's.



#1 bpocock



Posted 09 April 2014 - 10:29 AM

This is a little out of my depth but I work in reporting and this kind of fell in my lap.

We have a SQL database where logs of all incoming phone calls are dumped. It's a fairly large call center that handles ~100k calls per year. Pretty basic tables such as date of call, DNIS, ANI, etc.

One of our partners had projected a much higher volume of calls and because we haven't seen much activity associated with their campaign they have begun to question whether it's possible that calls are being made that we aren't receiving. Our telecom team looked into that and determined we were only at or around 60% of our total trunk capacity, at which point our partner requested to see the physical phone bill and to have it matched up against our call records.

So this was kind of a mess and it took a bit of work in Excel to get the data cleaned up and comparable. Everything "seems" to match up just fine, except there are a couple of issues and I was hoping someone could give me some confirmation or information that would elucidate these abnormalities.

These issues are:


1. Changing ANI's.


Through an automated comparison the phone bill matches our logs 90.86% of the time, however our logs only match the phone bill 80% of the time. So I went through the remaining entries that don't match and noticed a fairly clear pattern. The phone bill might receive 3 calls in a row to the same DNIS and record an area code of 123, whereas our system records a different area code. Sometimes it's just the last 4 digits of the number that change.


2. Changing time zones.


It "seems" that both the phone bill and our logs are on central time. Usually calls are 10-30 seconds off, or as much as a minute or two, but sometimes I'm noticing that the calls are offset by a full hour, however these calls typically form the same pattern described above. We'll receive 3 calls at 12pm noon from the same area code, to the same DNIS, and on the other report they're at 1PM, same DNIS, but again a different ANI.


3. Dates not present.


I have had no communication with our provider, but I am under the impression that all records between a specific date range were requested and provided for all DNIS's associated. However, there are missing dates. Our records will show we received 10 calls to a DNIS, but on the phone bill there are only 8... and the 2 that are missing come after the last date provided for that DNIS. None of the missing calls appear within a series that is provided for, but always come before or after the first or last call on the phone bill provided for this campaign. I've been told that this is "normal" and that billing can be broken up in a variety of ways which prevent this 100% accuracy.

I'm pretty certain that I remember that ANI's can change for a variety of reasons (VOIP, etc.), but I haven't had any direct experience with telephony in about a decade.


#2 ThoughtPhreaker



Posted 13 April 2014 - 02:24 PM

Call center administration is a little above my head, but if you feel calls might be spoofed, then there's a relatively easy way to check for inconsistencies depending on what fields you have access to.


For example, there's II digits. This is a field you'll usually get with toll-free trunks or ISUP signaling to indicate what type of phone someone is calling from. In practice, most calls will come through with the digits of 00, but coin and cell phones will not. Payphones come in with the II digits of 27 and 70 (which is quite important if you have a toll-free number. The payphone provider gets 50 cents compensation from you if the call goes offhook), or cell phones will come in as 61, 62, or 63. Aside from shady switch techs and other sorts, very few people have a way to modify this field at their convenience, and even fewer would have the motivation or attention to detail to use it for spoofing. So if you're getting a call from a cell phone that has the II digits of 00, it's more than likely someone spoofing.


Then, there's both ANI fields. In SS7, there's two different fields for ANI. However, SIP, IAX2, and I believe H.323 all have just one. VoIP is the easiest way to spoof for most, so a casual spoofer will be at the mercy of a media gateway to assign both fields as whatever they entered. But it doesn't always, especially if you're calling toll-frees. CPN is the field caller-id is derived from, so if someone is spoofing, that'll always be whatever they want it to be. However, charge number or charge ANI or whatever it's called - the second field, won't always be changed, but usually will. Never hurts to check if you have access to this field, though. Anyway, most incumbent and wireless carriers don't do any more business with obscure CLECs (or *any* CLECs) than the law requires them to. O1 Communications, Neutral Tandem, and Hypercube Telecom are some of the ones that terminate IP originated toll-free traffic. So if you see a call from a seemingly normal subscriber with charge number in some weird CLEC's exchange, that might be a tip-off.


It's worth noting there is a legitimate discrepancy that can pop up sometimes. A different charge number can indicate the call is being forwarded from that number. Though a trunk with ISUP fields will also let you know that the call was forwarded - and from what number.


One last field you can work with is JIP. Again, this is something you usually don't see outside of trunks with ISUP fields. But if you do, it's a great resource to have. The JIP field is pretty simple; all it is is the NPA-NXX of the office that originated the phone call. For example, let's say I'm calling from 516-763-9901. The switch I'm calling from might send a JIP field of 516-593. In practice, it can be any exchange the switch serves.


Since again, this isn't a field that's transmitted within most VoIP protocols, the media gateway will just assign whatever the hell it wants. Which will probably be its own JIP. So if I'm spoofing that 516 number, the JIP field could easily be some switch in Texas or wherever.


Anyway, hope that helps :) .

  • bpocock likes this
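
The three consistency checks described in post #2 (II digits, CPN against charge number, JIP), run over call records as an added example that is not part of the original thread. The `Call` record layout, the `wireless_prefixes` and `switches` lookup tables, the flag names and every sample value are hypothetical and constructed for illustration; real lookups would come from numbering data your carrier or telecom team can supply.

```python
from dataclasses import dataclass

II_CELL = {"61", "62", "63"}  # cell phone II digits named in the post
# (27 and 70 are payphones, 00 is an ordinary line)

@dataclass
class Call:
    cpn: str               # calling party number, 10 digits (caller ID source)
    charge_number: str     # second ANI field; "" when the trunk omits it
    ii: str                # II digits; "" when not delivered
    jip: str               # NPA-NXX of the originating office; "" when absent
    redirecting: str = ""  # ISUP forwarded-from number; "" when not forwarded

def check_call(call, wireless_prefixes, switches):
    """Return the list of inconsistencies found in one call record."""
    flags = []
    prefix = call.cpn[:6]  # NPA-NXX of the claimed caller
    # 1. Claimed number sits in a wireless block, II digits say otherwise.
    if call.ii and prefix in wireless_prefixes and call.ii not in II_CELL:
        flags.append("ii-not-cell")
    # 2. Charge number differs from CPN; forwarding is the legitimate case.
    if call.charge_number and call.charge_number != call.cpn:
        if call.redirecting == call.charge_number:
            flags.append("forwarded")
        else:
            flags.append("charge-number-differs")
    # 3. JIP must be an exchange served by the same office as the CPN.
    #    Ported numbers will trip this unless the table reflects porting.
    if call.jip and not any(prefix in s and call.jip in s for s in switches):
        flags.append("jip-other-office")
    return flags

# Constructed lookup tables and records (not real numbering data).
WIRELESS = {"917555"}
SWITCHES = [{"516763", "516593"}, {"214555"}, {"917555"}]
SAMPLE = [
    Call("5167639901", "5167639901", "00", "516593"),  # consistent
    Call("9175550123", "9175550123", "00", "917555"),  # cell number, II 00
    Call("5167639901", "2145550100", "00", "214555"),  # gateway-assigned fields
    Call("5167639901", "5165930042", "00", "516593", redirecting="5165930042"),
]

def run_sample():
    return [check_call(c, WIRELESS, SWITCHES) for c in SAMPLE]

if __name__ == "__main__":
    for c, f in zip(SAMPLE, run_sample()):
        print(c.cpn, f or "consistent")
```

A flag is a reason to look at the record, not proof of spoofing; fields the trunk does not deliver are skipped rather than treated as mismatches.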

#3 bpocock



Posted 14 April 2014 - 04:13 PM

Thanks a lot. Kind of what I suspected but gives me a lot to dig in on should the need arise (which I'm hoping won't be the case).
