Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Message Notification Restrictions

I have a customer wants to enable message notification, but is concerned that by allowing unity to globally dial out in the restriction tables, it will open the sytem up for toll fraud, ie an outside person could call into the system, get a dial tone, and then dial back out. Is that even possible with Unity? Is there any way to tighten outcalling?

New Member

Re: Message Notification Restrictions

You've just stumbled onto the Big Unity Issue Of For the Week Of September 9th-13th. There should be a field notice coming out shortly about preventing individuals of questional moral fiber from using Unity for toll fraud. There's two ways to do this:

1. Safely remove the eadministrator and esubscriber from the system (as their default settings are now quite widely known and easily exploitable).

2. Configure Unity to prevent certain calls via the restriction tables.

The first one will be detailed in a document I wrote that will very, very shortly be posted to this link:

The second one falls under CSCdy54570 (ask your friendly neighborhood TAC engineer about it). Essentially the call routing rules only block 9011 (international) calls, but let everything else go through. This includes calls to the international operator. You'll want to add restriction patterns to the restriction tables that block as much as you feel necessary. Usually customers will want to block 900 (dialing out to the international operator) and 91?????????? (dialing out long distance).

Now, as for your concern, there's no reason you should be worried about MWI making long distance calls because that is very easily controlled by the administrator. Just set the MWI devices for the mailboxes to X and you're set. All other notifications that can be configured by a user in Active Assistant (under the Message Notification page in SAWeb) are a slight cause for concern.

What the real concern is, however, is call forwarding. With Call Manager I can only CFwdAll as far as my calling search space. With Unity, the same applies to him. Many customers, unfortunately, allow Unity to call anything it wants to (by not paying too much attention to the calling search space on the voice mail ports). So I can log into my subscriber account on Unity and configure any calls coming to me to go to where ever I want them to go, including places my CCM phone won't call. Another tricky thing is someone can simply dial into Unity, log in as the example administrator (using the default id and password) and do the same. Now every call that comes to me through Unity will be transferred to whatever number I want it to go. This makes it easy for me to find some unwitting local business using Unity to have them place long distance and international calls through them.

So my point is to lock down those restriction tables on Unity and use that forth coming document to remove the eadministrator and esubscriber. You can also lock down the voice mail ports' calling search space on Call Manager, but this won't do any good for our PBX-integrated brethren. This will help prevent your business from being exploited.


CreatePlease to create content