The business driver for this report is to identify SMS spamming.
Traffic between networks is typically balanced, which means there is roughly as much traffic received
as transmitted. Therefore, any unbalanced traffic may be due to unexpected traffic patterns like
spamming. To identify such behaviors, it is useful to check the details of the traffic routes, knowing
that spam traffic often uses fake GTT addresses. This report helps identify the exact origin of such
traffic. Once the inappropriate GTT addresses are being detected, it is possible to use Eagle5 Network
Security features to screen the traffic accordingly.
As a prerequisite, the required builder is MAP ETSI.
Spamming (Unbalanced SMS Traffic)
MEASURES
• Total MAP (from Foreign SMSC)
• MAP operations with XDR type frame alone
• SRI for SM Error ratio (SRI for SM Error count/ Total SRI for SM
• Ratio to/from (Total SMS deliver to Foreign SMSC / Total SMS deliver from Foreign SMSC) • Total number of SRI with error cause “unidentified subscriber”
• Total number of SRI with error cause “illegal subscriber” • Total number of SRI with error cause “illegal equipment” • Total number of SRI with error cause “unknown equipment”
DIMENSIONS
• TOP Country/Operator based on enrichment • Enrichment applies on both Calling GTT
AGGREGATION PERIOD RETENTION PERIOD
15 minutes 1 month
DASHBOARD ALARMS
None Per Country/Operator SRI for SM error ratio:
• Minor if < 90% • Major if < 80%
Those standard values can be adjusted afterward either globally or per dimension.
2.6.2 SRI for SM Error Ratio Report
The business driver for this report is to identify SMS spamming due to fake SMSC.
This report addresses spamming done with fake SMSC, sending SRI for SM. In such cases, many MAP
errors usually appear since used subscriber numbers are not accurate. In case of alarm, GTT at the
origin of the traffic, as well as route being used, needs to be checked. Once the fake SMSC is detected,
it is then easy to screen the traffic using Eagle5 Network Security features.
As a prerequisite, the required builder is MAP ETSI.
SRI for SM Error Ratio
MEASURES
• Total MAP (from Foreign SMSC)
• MAP operations with XDR type frame alone
• SRI for SM Error ratio (SRI for SM Error count/ Total SRI for SM
• Ratio to/from (Total SMS deliver to Foreign SMSC / Total SMS deliver from Foreign SMSC) • Total number of SRI with error cause “unidentified subscriber”
• Total number of SRI with error cause “illegal subscriber” • Total number of SRI with error cause “illegal equipment” • Total number of SRI with error cause “unknown equipment”
DIMENSIONS
• TOP Country/Operator based on enrichment • Enrichment applies on both Calling GTT
AGGREGATION PERIOD RETENTION PERIOD
15 minutes 1 month
DASHBOARD ALARMS
None Per Country/Operator SRI for SM error ratio:
• Minor if < 90% • Major if < 80%
Those standard values can be adjusted afterward either globally or per dimension.
2.6.3 TCAP Error Report
The business driver for this report is to identify Mobile Service Providers that send spam traffic and
risk getting bills for fake SMS traffic.
When a service provider is faking SCCP addresses, responses are sent to equipment that is not actually
at the origin of the messages and they will receive isolated TCAP end messages. If the spam is not
detected, the spammed operator will ask for payment of SMS – payment that isn’t due. Detecting the
TCAP helps proactively manage problems. As well, some missing links or route can generate the same
kind of errors. These same reports will also help manage traffic QoS.
As a prerequisite, the required builder is MAP ETSI.
TCAP Error
MEASURES
• Total MAP Operation • Total XDR type frame alone
• Frame alone ratio (Total XDR type frame alone/ Total MAP Operation)
DIMENSIONS
• TOP Country/Operator based on enrichment • Enrichment applies on Calling GTT • A filter shall focus the traffic on SMS deliver
AGGREGATION PERIOD RETENTION PERIOD
15 minutes 1 month
DASHBOARD ALARMS
None Per Country/Operator SRI for SM error ratio:
• Minor if > 10% • Major if < 20%
Those standard values can be adjusted afterward either globally or per dimension.
2.6.4 Bypass Traffic Report
The business driver for this report is to identify fraudulent international bypass traffic.
This fraud case corresponds to international traffic bypassing the normal route in order to avoid paying
the international rate. Detection is based on A-Number analysis, as in some cases the original A-
Number is kept in the messages being routed within the network of destination. The fraud pattern may
alternatively remove or transform the A-Number into either a standard or randomly changing number.
In such cases, depending on regulation rules applicable on network of destination and the process an
A-Number is being transformed, accuracy of bypass fraud detection may be altered.
Bypass Traffic
MEASURES
• Total international calls • Total international Answered calls • Minutes of Usage
Reports shall be engineered in order to address traffic that shall not be international.
DIMENSIONS
• Per OPC
Note: Enrichment may be required to filter the traffic correctly: get only calls that are supposed to be national.
AGGREGATION PERIOD RETENTION PERIOD
15 minutes 1 month
DASHBOARD ALARMS
Global number of attempts versus time Alarm shall be raised for calls count • Minor if > 50
• Major if > 100
Those standard values can be adjusted afterward either globally or per dimension.