My Equipment:
NEC Electra Elite & IPKII Standard Voice Mail


Hello,

I have an issue that I do not know how to resolve. Apparently, it also could not be originating from my network system?

The Issue:
I am experiencing random calls directed at 911 that the authorities have traced to a number at our location. The events are occurring frequently - but not daily. The last issue to place on Monday at 9:45am in the morning. There was no one present within the department where the line was traced. Therefore, I am certain that no one on the property placed the call. The prior event took place a week before with multiple calls being made again to 911. However, those calls occurred at approximately 1:00am (no one was present on the property).

My question is; how do I pursue a resolution to this issue? I contacted my carrier (PaeTec) and they told me that the calls are not originating from my network? However, I cannot have the Authorities showing up frequently with the same issue.

Please advise,

Turn on SMDR & start getting a record of the calls placed. Are these pots lines? They could be tapped into or a short could possibly cuase issues.

We have a mix of lines; we have a PRI and some fax lines. Unfortunately, I don't have an SMDR. How can I tell if it is being tampered with or if it's a short?

Thanks for the input.

This may be totally unrelated except for the symptoms....

I once had an abandoned, but still connected inter-building cable that got damp. The moisture and slight movements from wind were momentarily shorting one pair (an SLT port in this case) and the KSU interpreted it as dial pulse dialing. The random 'dialing' made several calls to 911. Also made a bunch of internal calls to 211, 311, 212, etc. Mostly the lower numbered digits.

I spotted random off-hook activity on ports that should have been idle and that led to isolating/eliminating the cable.

Thanks,

I am suspecting (hoping) it's something like a faulty line. Unfortunately, we have a large campus and having someone come out and look for a faulty line is just going to be the "needle-in-a-haystack" problem right now. I am hoping to narrow down the cause and location than start checking the lines in the suspecting area.

Again, thanks for the input.

What DR PBX said. Get smdr and you may see that a station or stations are making the calls, disconnect them, if problem goes away connect 1 at a time until it re-appears.
If calls are going out PRI it would be a station.
If you don't have it, get it, unless you want this to continue.
Do you have a tech that knows the system???
You said a call was traced to a department. How?

Hook up your SMDR (you know this). I would look at 2 things, first make sure a fax server, fax machine, elevator phone, alarm line etc isn't dialing 911 by mistake. Second, check your voicemail to make sure someone isn't trying to hack through it.

I apologize but the system is new to me - I have only been here for a month.

However, I know for certain we do not have SMDR or any type of call accounting software licensed or installed. Judging from the age of the unit - I don't plan on proposing any upgrades to the system.

Yes, calls are going out to 911. The authorities came to us with a phone number and it rings to a group of phones within a department (which there are three extensions within the group that ring to the number) - the group is part of our PRI. They were not able to tell me how they acquired the number.

You obviously don't know much about phone systems.
Get an NEC tech who knows that system or start paying for bogus 911 calls.

Check all of your voicemail boxes for an outdial option. Look for 9+11 as a outdial number. Your VM may have been hacked. You do not need SMDR to do this, just some patience as you scroll through every mailbox assigned. Delete any mailboxes that are not being used by valid extension users, and verify that they all have passwords assigned.

I contacted my carrier (PaeTec) and they told me that the calls are not originating from my network?

PaeTec is owned by Windstream. One of our customers has a PRI from Windsteam, they were notified by them there were international calls made from their in house equipment(SV8100)We enabled SMDR, records showed no international calls from the 8100. Windstream said there was no way hackers got into their network blah blah blah, but did say the software on their router was outdated, they did a upgrade and afterwards no more international calls. They still say the problem was with our customers equipment.

Just saying, don't rule them out.

I was hoping to get further with PaeTec (Windstream) - in less than twenty four hours they came back with the following message:

We do not see these calls in records, which would support the conclusion that these are not originating from your location. Unfortunately, the repair center is not able to assist further in this matter, since the calls are not present on our network. You may wish to engage our fraud team or your local law enforcement if you continue to receive reports of this line calling 911. The calls are not originating from your site, or anywhere on our network.

First, I am going to look into the voicemail suggestion (Thanks). I now know the location (extensions) that ring to the number the authorities provided. Fortunately, the intervals have been approximately a week apart (at random times). Yes, if I have to get someone out here, I have no problem. I just did not want someone wondering all over our campus and than stating that there is no problem...I have been down that road before.

Again, Thank You everyone for your input!

It is pretty pointless checking the Voicemail as PaeTec have already told you the calls are not originating from your site or even within their network.

I would suggest someone is spoofing the number from a SIP service so you would need to get the authorities involved.

In the meantime, if you don't use the number for outbound calls, have PaeTec bar all outgoing on that number and see if the calls continue.

I just thought I would share…hopefully, the outcome helps someone else.

Well, I spent all morning on the issue. I first called our carrier. Sorry, but from a network administrator's perspective, I would be responsible for resolving any malicious use of my data network.

Anyway, I contacted the Fraud Department for Windstream (My Carrier). I discovered that the only way I was going receive assistance is if;

I have a court order or I have a known solicitor / debt collector that is harassing us?

Being that we are originating the calls to 911...they will be no help. The attendant told me to contact my local authorities. Hence, I called the authorities only to be told; Have your carrier send someone out - we know that calls are coming from you because we have verified the number. "Spoofing or no spoofing, you need to resolve it." There I totally agree.

But there is no way for you to resolve it, you have been informed by your carrier that calls are not originating from your site and not even from within their network.

What else are you supposed to do? it is not in your control and not in your service providers control. Irrespective of what they have verified (I would be asking them how they have verified it) if someone is spoofing your number, how do they expect you to track the culprit down?

Even you are saying that you are originating the calls when your carrier says you aren't. It's one thing to look for a needle in a haystack but when you have been told that the needle isn't even in there it is pretty pointless.

Thinking outside the box, there's a published number and an ANI number that can be assigned to a PRI. Try having the carrier change the 911 number away from the published number, but keep the published number in the 911 database. Now when calls come in, you will know if someone is spoofing the ANI or it's really coming from your site.

Just a thought.

Carl

what you need to do here is to document everything.

I'm not a lawyer: I'm a phone guy. So this isn't advice, it's just two guys talking.

Make a file with a written, yes, written copy of the information from your carrier, stating that the problem originates offsite. in that file, put all the data you've gotten from the authorities who are reporting the 911 calls to you. Document everything you've done to track this down. Dates, times, who you talked to, what they said, every piece of paper, your scratch-paper notes, everything: It goes into that folder.

Why? For CYA. In the event that the authorities start charging you for false 911 calls, you need to be able to document what you've done to fix the problem. If you get sued for some reason, God forbid, you need to cover your butt by showing you've done everything that a reasonable person would do.

Next, do what BrokeDA told you to do: Hire a licensed NEC tech. SMDR output is a feature of the Elite. A licensed NEC tech can connect a printer so that you get raw SMDR.

I know, when you first saw SMDR in this thread, you googled it and learned all about Call Accounting systems, and you said to yourself, "We don't have that and we don't want it." That's fine, you can read the raw SMDR. It's not rocket science, and the Certified NEC tech can show you how to read it.

Why do you need it? Again, to CYA. The SMDR proves that the call did or did not start at one of your extensions. Without it, if you wind up in court, the first question you will be asked is, "Where's your SMDR output?" to which your answer will be, "Um..."

Get the Certified Tech to set up SMDR. Period.

But but but but a tech costs money. Yes, but one or two hours of tech time costs LESS than the fees for repeated 911 calls. So bite the bullet and do it.

If you get another incident, AND the SMDR says it did not happen on your site, you can show the authorities and you now have proof.

If you get an incident and it DID happen on your site, you will know what extension, when, and what they dialed. For example, suppose you have a series of calls around 2 AM, from extension 202, that look like this:

1:58 90
1:59 911
1:59 901144255551111
2:23 901144255552222

Then your janitor is calling his Momma in London at night. And he's fat-fingering the 9011 for international, which is why you're getting 911 calls.

And if that's going on, you want to know, for several reasons. Or maybe SMDR will tell you

1:58 111
1:59 111111
2:02 111 11 1

or something like that. So then you know that the extension is getting shorted and simulating pulse dialing. And for liability reasons, most PBXes are set up to read 9+11 as 911, so 11 may also outpulse as 911.

And there's the smoking gun.

So:
1. Document everything, and
2. Get a certified NEC tech out to set up SMDR.

If you can't find one, say where in CA you are, and someone here can refer someone.

I had a similar issue with an fax (clearly marked DO NOT DIAL A 9) when the users were faxing over sea. I got so fed up I posted a note next to fax. "The 911 Command Center has alerted us to continued calls from this fax machine. If it continues a fine will be issued. The company has decided that the fine will be deducted from the end users pay."

You would be surprise how fast they learn how to dial.... just saying

How Important is the actual Phone number?

If its a Rollover or not often called you can have windstream change the number.
You may be able to get it as a Remote Call Forwarded in number, to the new number. That way the number no longer originates from the site.

My wife's company uses Windstream. Hackers were able to take over the Windstream Adtran after hours and make calls across the globe. They have an ancient Nortel that doesn't even have a modem on it. It took Windstream weeks to figure out how it was happening while they continued to claim the PBX was hacked.

Does the phone system have any SIP trunks? If it does, my post might be helpful.

We have the similar issues when we test the SIP lines on our demo system, it calls some random number like 111, 132, it also calls oversea numbers.

We called our SIP carriers, they said it is caused by some internet direct calls on SIP lines.
As our SIP port is open to Internet, hackers could call directly to the SIP port and make some calls through the phone system.

So we change the port forwarding polices, only connections from our SIP providers are passed through to our phone system.
it works.

Sound advice from Telephoneguy. Do what he says at the very least!

There used to be a feature called DISA that allowed things like that.

I hope you have this resolved by now but here's a couple other ideas. I've had this problem also but when I turn on "Trunk access code required" in 21-01-12 that usually fixes it. You could also turn on the 911 alarm. Specify which exts should receive the 911 alarm and it will show in the display what ext called it.