Is there a general recipe to avoid fraudulent calls under the following conditions? A receptionist transfers calls as a callee (customers are calling) and as a caller (boss asks to call and then transfer to him), i.e. the Dial cmd for the internal context contains "Tt". Then an outside call would operate as a Local channel in an internal context after the first transfer. If the internal context allows to dial outside, which is quite common, then this can be abused by the outside caller. An obvious solution is to disallow Local channels to call outside lines, but there are some possible side effects if Local channels are used explicitly. This would require adding a persistent channel variable (the ones with "__"). I apologize if this type of question has already been asked before. jg
On 09/13/2013 04:12 PM, jg wrote:> Is there a general recipe to avoid fraudulent calls under the > following conditions? > > A receptionist transfers calls as a callee (customers are calling) and > as a caller (boss asks to call and then transfer to him), i.e. the > Dial cmd for the internal context contains "Tt". Then an outside call > would operate as a Local channel in an internal context after the > first transfer. If the internal context allows to dial outside, which > is quite common, then this can be abused by the outside caller. > > An obvious solution is to disallow Local channels to call outside > lines, but there are some possible side effects if Local channels are > used explicitly. This would require adding a persistent channel > variable (the ones with "__").create a separate context for outbound calls.
I should have mentioned that I am looking at attended transfers. When a Local channel gets created for the announcement it is in a way on behalf of the caller, but has the permissions of an internal channel. Depending on the origin of the call the transfer permissions should then be set dynamically. I am currently looking to what degree I can use the BRIDGEPEER and TRANSFER_CONTEXT for that purpose. If I can't use them, I always can introduce my own persistent variable. In either case I have to manually set the transfer permissions. Is there a simpler way of taking care of this potential problem, or am I not aware of some important concept? jg