GHTROUT http://www.GHTROUT.net/
 

 

Meridian 1 Security Tricks GHTROUT
Also Check out Gene's BARS 101 and Basic Meridian 1 Security Audit

How to stop "Transfer me to an outside Operator" and the "90#" scam (includes notes on the "extension 9000" scam)

Many folks ask me how to handle this situation but still allow the ability to dial an outside operator; and the ability to transfer callers to external numbers (such as branch offices, etc).  Nortel Security has told some users "that combination of 'denials' and 'allows' are not possible together.  The first problem is that Nortel does not have a good way to do it.  The second problem is they never thought of these work arounds.  Some people don't even believe that "90#" scam is even possible.  Well, they have not used a Nortel Attendant Console.  I know the console inside and out and believe me, it is possible.

If you are a big switch with lots of users and extensions, it is almost impossible to "educate everyone" as some people have claimed is so effective.  I ask them "why did you have to educate your users"?  The answer was that  they were the victim of a scam.  I complete their sentence with "a scam that could have been blocked had they implemented better security".

If you are very small, education is the better choice.  The following solution is intended for a larger environment only because a smaller switch might not be able to justify adding or reallocating trunks.


Let's go over the requirements in more detail:

  1. We want to allow some people, maybe like the President or maybe the switchboard to be able to dial an outside operator.
  2. We might want everyone to be able to dial "0+" calls (such as credit card calls and maybe international calls)
  3. We want some users (maybe even all users) to be able to transfer callers to legitimate outside numbers.  For example, you might need to transfer some customers to external services rather than telling them to hang up and redial.

What we DON'T want is for ANY phone to be able to transfer a caller to an outside Operator.


What you need to accomplish this:

You need at least two loop start trunks that you can "spare" for dial Operator calls.  Why so few trunks?  Because it is rare you will ever have two people trying to call an outside Operator at the same time.  If you do, THAT is the problem you should be working on...why are your users making calls to talk to an outside Operator?


Instructions - Step by Step:

1. Come up with two loop start trunks.  Create a new COT route in LD16 and build the two loop start trunks (LD14) in that new trunk route.

2. Build a new route list (LD86) with ENTR 0 pointing to the new trunk route you just made.  So we can keep track of LD86 route lists in this document, we will call this "Route List A".  You can set ENTR 1 as your normal local trunk route if you often have more than two people trying to talk to an outside operator at the same time (why would they need to do that?)  Be advised calls that overflow to ENTR 1 will not be protected. 

3. If you don't already have this, create another new route list with ENTR 0 set as "LTER=YES".  We will call this "Route List B"

4. If you don't already have this, create another route list for SPN 011 with a high enough FRL so that only the right people call dial International.  This RLI should send callers out your dedicated international carrier if you have one.

5.  Make sure that you have separate SPNs of:

SPN 0

SPN 011 - Should have FLEN=10  and ITOH=YES.

SPNs 02, 03, 04, 05, 06, 07, 08, 09  - (these are so users making credit card calls do not use up the trunks you created in step one)  These SPNs should have FLEN=10  and ITOH=YES

SPNs 000, 001, 002, 003, 004, 005, 006, 007, 008, 009.  These are for the infamous "extension 9000" scam

Note: FLEN and ITHO are not default options in every release of the M1.  If you system does not have FLEN, just keep hitting return.  FLEN and ITHO tell the system not to let a call seize a trunk until a valid number of digits has been dialed.  For example, someone could call and ask to be transferred to a partial number without FLEN and ITOH.  (dumb switch huh?)

6.  Point SPN '0' to the "Route List A" you created in step two.

7.  Point SPNs 02 through 09 to an appropriate route list, such as the one your local NXX calls go to.

8.  Point SPNs 000 through 009 to the "Route List B" you created in step three. 

9.  Here's the unusual part:  Go to LD14 and OUT the two trunks you created in step one.  Now go to LD16 and OUT the trunk route you created in step one (We did this because in step 2, BARS would not have let you create an RLI that had an ENTR of a PAG route like we'll create in the next step).

10.  Using the same route number you used in step 1, build a PAG route, similar to this:

TYPE RDB
CUST 00
ROUT (your choice)
DES  (your choice)
TKTP PAG
NACC PGNU
ESN NO
ICOG OGT
SRCH LIN
STEP
ACOD (your choice)
TARG 01 02 03 04 05 06 07 08 09 10
CLEN 1
OABS
TIMR ICF 512
     OGF 512
     EOD 1920
     DSI 34944
     NRD 10112
     DDL 70
     ODT 1792
     RGV 640
     GRD 896
     SFB 3
     TFD 0
SST 5 0
NEDC ETH
FEDC ETH
HOLD 02 02 40
SEIZ 02 02
RGFL 02 02
CDR YES
MUS NO
OHTD NO
ALRM NO
ART 0
SGRP 0
AACR NO

  • Now build the two trunks similar to these:

TYPE PAG
CUST 0
XTRK XUT
TIMP 600
BIMP 3COM
RTMB 1 1
SIGL OAD
STRO IMM
SUPN NO
AST NO
IAPG 0
CLS UNR DTN WTA LPR THFD
P10 NTC

Now you can dial an outside operator fine (there is slight delay), you just can't transfer any outside callers to an outside Operator!