[asterisk-users] Regarding caller ID and security

C F shmaltz at gmail.com
Thu Oct 11 16:05:02 CDT 2012


On Tue, Oct 9, 2012 at 5:17 PM, Philip Bennefall <philip at blastbay.com> wrote:
> Hi all,
>
> I am new to Asterisk, and would like to begin by saying that it is an
> absolutely fantastic system. Seems incredibly stable, well tested, and easy
> to use.
>
> Now, to my question. I am making a mix between a personal ads and a
> voicemail service, where I want each user to be able to submit an ad that
> others can respond to by recording messages that go into this user's inbox.
> My original thought was to base this purely on the CALLERID(num) value, but
> quickly discovered that this is a bit unreliable. Sometimes when I would
> call in it'd say anonymous, other times it would give me a bunch of zeros,
> other times it would show me my real phone number, and once it actually gave
> me just random digits. I do have a wait call after answering but before my

What type of lines are you using to connect to PSTN? If you get
unreliable CID from your SIP provider I would recommend switching
providers.

> first sound file is triggered, in my pickup context. I am wondering what the
> best way to approach this is? Do I ask the user to enter their phone number,
> and then generate a code based upon this that will then serve as a password
> when you call back? Do I attempt to use CALLERID(num) to detect returning
> users, or is this not advisable from a security perspective?
>
> Preferably, I would like to avoid using a code altogether but I am told that
> it is relatively easy to spoof phone numbers to hack into someone else's
> inbox. Note that I do not plan to allow direct SIP calls, only through a
> PSTN/SIP provider where the IP address is on a whitelist. Any tips on how to
> approach this would be highly appreciated. Basically I want to make it as
> easy as possible for my users, but maintain high security.

Spoofing CID is extremely easy to do. If you want security then you
will have to use at least a code.

>
> Thanks in advance for any help, and thanks once again to the developers of
> Asterisk for making such an excellent tool!
>
> Kind regards,
>
> Philip Bennefall
>
> P.S. I also wanted to know whether there is a function to check if a string
> contains only digits? This would be useful as a sanity check before I look
> up the phone number in the MySQL database, if I do decide to use
> CALLERID(num) in this way.

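An added example, not code from either poster: one way to treat CALLERID(num) as a lookup hint only and require a code for access, including the digits-only check asked about in the P.S. The table layout, function names and thresholds are hypothetical, and an in-memory sqlite3 database stands in for the MySQL database mentioned in the thread.

```python
import hashlib
import hmac
import os
import re
import sqlite3

MAX_FAILURES = 3         # assumed lockout threshold
PBKDF2_ROUNDS = 100_000  # assumed work factor

def hash_pin(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

def open_db():
    """In-memory sqlite3 stand-in for the MySQL database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE inbox (number TEXT PRIMARY KEY, salt BLOB, "
               "pin_hash BLOB, failures INTEGER DEFAULT 0)")
    return db

def enroll(db, number, pin):
    salt = os.urandom(16)
    db.execute("INSERT INTO inbox (number, salt, pin_hash) VALUES (?, ?, ?)",
               (number, salt, hash_pin(pin, salt)))

def is_digits(value):
    # ASCII digits only, bounded length; rejects "anonymous", None and stray input.
    return re.fullmatch(r"[0-9]{3,15}", value or "") is not None

def authenticate(db, callerid_num, entered_number, pin):
    """Return the inbox number on success, None otherwise."""
    # Caller ID only saves the caller from typing a number; it never grants access.
    number = callerid_num if is_digits(callerid_num) else entered_number
    if not is_digits(number) or not is_digits(pin):
        return None
    # Parameterized query: the value is never spliced into the SQL text.
    row = db.execute("SELECT salt, pin_hash, failures FROM inbox WHERE number = ?",
                     (number,)).fetchone()
    if row is None or row[2] >= MAX_FAILURES:
        return None
    salt, pin_hash, _ = row
    if hmac.compare_digest(hash_pin(pin, salt), pin_hash):
        db.execute("UPDATE inbox SET failures = 0 WHERE number = ?", (number,))
        return number
    db.execute("UPDATE inbox SET failures = failures + 1 WHERE number = ?", (number,))
    return None
```

A caller presenting someone else's number still has to supply that inbox's code, and repeated wrong codes lock the inbox until it is reset out of band.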