Home » Archive » Skype for Business–Block Call Identified as Malicious

Skype for Business–Block Call Identified as Malicious

For a long time there has been a little used feature within Lync and Skype for Business that allows end users to highlight a nuisance voice call to the administrators called Malicious Call Trace (MCT). MCT basically allowed the end user to report a call immediately after hanging up which would register in the call detail records database as a trouble call. This information could then be used by Skype for Business administrators to highlight potential issues and act accordingly. Often acting accordingly means not doing much, not because you don’t want to, but because you can’t. Whether that is time or money, they are usually the two main factors. Skype for Business doesn’t provide any administrative blocking options for incoming numbers, instead relies on end users keeping their relationships up to date and/or some third party tool that costs $$.

So until now, report a call feature is just a courtesy “hand in the air” announcement from the end user to the admin that they are receiving unwanted calls. It doesn’t actually prevent the caller from calling back. At some point, the end user is going to get frustrated, and force you to take action. This probably will be to assign a new DDI to the user. But this means that some one else may get the problem call, and eventually the caller if persistent will find out the new number and the cycle begins again. This is where you need a call blocking solution.

A while back fellow community contributors Chris Norman (VoipNorm) and David Paulino (UC Lobby) made a call blocking script based on Caller ID. This script was based on MSPL scripting used within Lync and Skype for SIP processing. So I thought, wouldn’t it be cool if somehow I can grab the malicious calls from the CDR database and add them to Chris & David’s script so that when a user reports a call, the caller ID is blocked from subsequent calling attempts?


Introducing Simple Call Blocker

Simple Call Blocker leverages the code from UCLobby’s version of the CallerIDBlock tool and ties together information from the CDR database to identify malicious calls and add them to the block list without administrative input. Meaning admins now won’t need to care about problem calls. A user reports a call as malicious, the block list gets updated within a few minutes and bang! no more nuisance calls from that caller for the entire company!

I say Simple, because the block is permanent and affects all users. Depending on the uptake I may add more options to this to provide more granularity in the future.


  • Front End Pool FQDN to register server application to
  • Pool File Share FQDN and Share name to host the block scripts
  • Skype for Business or Lync 2013
  • Malicious Call Trace Enabled for the user in Voice Policy
  • CDR database deployed
  • CDR archiving enabled

The supplied Installation script is recommended to run on a front end server.

Please also note that this solution is not stress tested, and therefore suited to small to medium scale deployments. Large deployments, you may want to edit the MSPL script to only process SIP messages from the Mediation Servers to avoid excessive SIP processing time across all modalities.


Installation and Demo

  1. Open Adminstrative PowerShell and set your working location to the full path of the SimpleCallBlocker folder e.g. Set-Location “C:\scripts\SimpleCallBlocker”
  2. Execute the Install-SimpleCallBlocker.ps1 file by typing in .\Install-SimpleCallBlocker.ps1
  3. Enter your Front End Pool FQDN, File Share Location, SQL Archiving Server FQDN and SQL Instance Name if you are not using the Default and Press Install Nowimage
  4. Once Installed, check the Skype Share location for a folder called SimpleCallBlocker. In there, you should have a two files, BlockedTelephoneNumbers.txt and CallerIDBlock.amimage
  5. The BlockedTelephoneNumbers.txt will already be populated with any previous malicious calls logged in the CDR databaseimage
  6. There should also be a Scheduled Task created called SimpleCallBlocker, and scheduled to run every 10 minutes. This calls a PowerShell script located in C:\SimpleCallBlocker located on the machine with the scheduled task installed. This script is responsible for collecting the information from the database and updating the BlockedTelephoneNumbers.txt fileimage
  7. Next, check that the server application has been installed on each front endimage
  8. After about 5 or 10 minutes of installation you should see an event registered in the Lync Server Event log that lets you know the server application has been successfully registeredimage
  9. After this Simple Call Blocker is ready to work




Download Script Here: https://gallery.technet.microsoft.com/Skype-for-Business-Auto-745b2159


  1. hmmm, been fighting with this tonight a) you need the SQL Mgmt tools installed on the server the script is running on otherwise there’s no connection to the SQL server, that is if you’re dumb enough like me to run this on the frontend, which ever.
    b) script would run with Default or if the instance was blank, had to modify scheduled task and simply remove -Instance altogether.
    c) calls from the gateway come in +14165551212@company.com, the only way I can get the block to work is to remove the +1 and the @company.com. I guess it’ll force the admins to review the file in order to take effect. I’m guess that -replace “^sip:(\+?\d*).*$”,’$1′ is suppose to clean things up a bit, any thought to clear out +1 and anything after @. That’s a bit of code there that I do not understand.

    • And when you’re done testing reporting a malicious call, how do you make it non-malicious… Just blocked my cell from calling the client… lol

    • Hi Korbyn,

      a) You shouldn’t need the Management Studio to run this, only the SQL Client tools?
      b) In next release I will add the instance handling
      c) For your gateway if calls are coming in without sip: then modify the regex to be ^\+?(\d*)(@.*)$

      as for unblocking… it’s a one way street at the moment. As it relies on the CDR DB for this info, the data needs to be removed from that. I will work on some revert handling at some point


  2. Testing this module out and all works except for pulling the data from the DB into the text file. I am able to tag malicious calls, have those populate in the DB (checked using the query in the PS). The scheduled task is running. Updated the config to suit non “sip:” data as well. No luck. A bit perplexed!

  3. Is there any way this methodology could be adapted to a multi-tenant Skype for Business Server 2015 environment where each company is homed in its own OU in Active Directory?

Leave a Reply to Korbyn Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: