Ghost/Phantom Calls (from 1000, 1001, 120 etc.)

  • 3
  • 8
  • Question
  • Updated 3 years ago
  • Answered
  • (Edited)
Archived and Closed

This conversation is no longer open for comments or replies and is no longer visible to community members. The community moderator provided the following reason for archiving: We have archived this topic as it has either reached a resolution has become inactive, or information contained in this thread is no longer accurate. If you have a related question on this subject, please post a new topic.

Tickets have been open with support.  Receive many ghost calls and need help reaching a resolution. 
Photo of Raj


  • 140 Points 100 badge 2x thumb
  • that I have wasted my money and am now I am wasting my time

Posted 6 years ago

  • 3
  • 8
Photo of RC-Installer

RC-Installer, Champion

  • 27,914 Points 20k badge 2x thumb
Hi Raj,  Google SIP Viscous  This is the issue.  You need to adjust your firewall to only allow your phones to talk to the ring central servers.  What is happening is there is this sip scanner out there that is looking or VOIP phones to make calls on or just cause problems.  I am not sure but I have told many people about how to control this via the firewall.

Here is information to help you with the rules

Configuring Firewalls for a RingCentral Service & Checking the Quality of your Internet Service 
For other brand of firewall, you need to consider the following 

1. If the modem is a gateway, have it on a bridged mode to disable the NAT and have the NAT of the firewall enabled so there will only be one translation for the whole network. 
2. If the gateway is already bridged or half bridge wherein they need to put in certain information like Account Internet Access(usually these information are provided by your ISP, Internet Service Provider). 
3. Steps 1 and 2 should be configured by your ISP(Internet Service Provider) 
4. If everything has been configured as mentioned above, the next step is to configure the firewall with the help of your IT guy. It might require for them to create services and policies for our service and these are the information that is needed. Please remember to enable NAT and disable SIP ALG. Remember if there are more than 1 NAT enabled on the network, voice data and registration of the phones will not work because there will be no way for those phones to communicate with our servers and vice versa. 

Ports that we use and if the firmware doesn't change the information for the assigned ports inside the IP Packets, it should follow these rule(Sonicwall uses a different algorithm and that is why a wide range of port is opened for the LAN side) 
• RCPorts1 – 5060 to 5090 UDP, User Diagram Protocol, used by RingCentral Softphone(Mac and PC versions) and SIP Phones(Polycom, CISCO, Android App SIP Phones, IOS App SIP Phones, etc.) 
• RCPorts2 – 16384 to 16482 UDP, User Diagram Protocol, ports being used by actual voice data delivered to and from SIP Hardphones and third party SIP phones(Polycom, CISCO, Android App SIP Phones, IOS App SIP Phones, etc.) 
• RCPorts3 – 8000 to 8200, User Diagram Protocol, ports being used by actual voice data delivered to and from RingCentral Softphones(Mac and PC versions) 

RingCentral Servers 
• Time Server – IP Address Range: to 
• SIP Server1 – IP Address Range: to 
• SIP Server2 – IP Address Range: to
Photo of Kim

Kim, Alum

  • 44,164 Points 20k badge 2x thumb
Official Response
Hey Everyone, just wanted you to check below link for the updated Port Ranges
How do I troubleshoot Call Quality issues - QoS?

SIPVicious “friendly-scanner” Attacks --- SIPVicious is a free SIP security testing suite. SIPVicious scans IP addresses looking for SIP devices, helps identify active PBX extensions and provides a mechanism to crack SIP user passwords.

RingCentral is not responsible for fixing SIP port scanning attacks, and can only make recommendations. Selection, configuration and maintenance of customer network equipment is not handled by RingCentral. RingCentral is not your ISP.

SIPVicious can only be stopped by configuring a router to block SIP signaling from all but a selection of specific IP address ranges. Routers which support access control lists (ACL) can do this.

The only stable resolution is to lock down the SIP ports on the router to only allow inbound and outbound traffic to RingCentral IP networks and  SonicWALL routers or ACL (Access Control List) compatible Cisco routers can do this.  Most SOHO (small office/home office) routers do not have the capability to set up rules like these.
Photo of Justin Murphy

Justin Murphy

  • 92 Points 75 badge 2x thumb
This reply was created from a merged topic originally titled Calls from extension 100.

Has anyone else experienced receiving calls from extension 100 and when answered is just dead air.  The calls also don't show up in the call log.
Photo of RC-Installer

RC-Installer, Champion

  • 27,914 Points 20k badge 2x thumb
Hi Justin, the calls do not show up in the log because these calls do not origionate through Ring Central.  What is happening is this SIP scanner is hitting your phones directly causing the ext 100 and dead air ETC.

So they best thing to do is adjust your firewall so that your phones ONLY talk to the Ring central servers and then if the SIP scanner is looking for your phones the FW will block it.

There is also a secure setting that could be turned on your account but I think there is some dependency on the type of phone you have.

It is a good practice anyways to have these FW rules in place.

Hope this helps shed some light.

Certified RC Installer
Photo of Brian Scott Davies

Brian Scott Davies

  • 60 Points
Hi Chuck - 

I have been on the phone with AT&T and exlaining or TRYING what needs to be done .....   any advise on exactly what to say to them to make them understand ..... Ive read the info on here to them     still not getting it 
Photo of RC-Installer

RC-Installer, Champion

  • 27,914 Points 20k badge 2x thumb
Are you looking for them to setup the FW rules for you?

Email me so I could get more detail for them
Photo of Kaleem Ahmad

Kaleem Ahmad

  • 64 Points
i am having the same problem, its really annoying as im having to disconnect the phone. is there a simpler way of combatting this?
Photo of RC-Installer

RC-Installer, Champion

  • 27,914 Points 20k badge 2x thumb
I do not think so.  This is just one of thoes things you need to deal with and have your systems designed correctly.  RC or anyother VOIP provider cant control what is scanning out there in cyber space.

Just lock down our Firewall so your phones could ONLY see RC servers.

I think depending on the phone type there is some other encryped settings that could be turned on but as a best practice, you should be doing this.

Any competient IT service could configure your Firewall  with the settings.

How many phones in your environment?
Photo of Dave Herron

Dave Herron, U.S. Tier 3 Support

  • 768 Points 500 badge 2x thumb
Official Response
This reply was created from a merged topic originally titled Why am I receiving calls from no one? Is RingCentral doing this to use my minutes....

As an engineer for RingCentral I can tell you with authority we are definitely not doing this to rack up minutes. This is actually a result of malicious intent. "Hackers" use a program called SIP vicious to probe people's networks and compromise phones. They then attack your phones by ringing them and ultimately get your login information from your phone. They can then use your specific login information to login to the RingCentral and make calls on your behalf. You can validate one of these attacks if your phone rings with a suspicious caller ID ("100") and then if you look in your RingCentral call log it will not show the call. That means the call didn't come through RingCentral servers, and the attackers have found a way in to your network. This can be mitigated one of 2 ways.
1. Recommended that you limit traffic to and from your phones ONLY from RingCentral IP addresses. You may need to enage the help of an IT professional to do this. The IP ranges you should be accepting traffic from are and

Photo of Brandon

Brandon, Champion

  • 25,084 Points 20k badge 2x thumb
This reply was created from a merged topic originally titled Phantom calls *from* my Polycom VVX phone every 10 minutes to same extension.

Let me explain this strange behavior I am seeing.

A coworker used my phone to make simple test call to himself by dialing his 4 digit extension from my phone.  

Ever since that single call was made I see a phantom call initiated from my phone to his extension about every 5-10 minutes.  I have a presence button of his extension on my VVX410 and I see it flash green.

Further, his phone never actually rings and after about 30 seconds it stops and the cycle begins again.  I have check the call log and call history and these calls do not display.  I have rebooted the phone and they still continue.

Anyone have any idea about this?

This conversation is no longer open for comments or replies.