This is what they were meaning by an Identity header:

INVITE sip:+ ____@____:5060 SIP/2.0
Via: SIP/2.0/UDP 4.55.24.161:5060;branch=z9hG4bK04Bca08abeb8b9b16fb
From: "PRIVATE" <sip:+ ____@____:5060>;tag=gK045a4816
To: <sip:+ ____@____:5060>
Call-ID: 356802602_126328323@____
CSeq: 929670 INVITE
Max-Forwards: 70
Allow: INVITE,ACK,CANCEL,BYE,UPDATE,OPTIONS
Accept: application/sdp, application/isup, application/dtmf, application/dtmf-relay, multipart/mixed
Contact: "PRIVATE" <sip:+ ____@____:5060>
P-Asserted-Identity: "PRIVATE" <sip:+ ____@____:5060>
Identity: ey____;info=<https://certificates.transnexus.com/706J/0ea0e4d8-____ae4a0.pem>;alg=ES256;ppt=shaken
Content-Length: 307
Content-Disposition: session; handling=required
Content-Type: application/sdp
This is on the invite header in from the carrier.

From: Aaron C. de Bruyn via VoiceOps <[email protected]>
Sent: Wednesday, March 18, 2026 10:58 AM
To: Mark R Lindsey <[email protected]>
Cc: [email protected]
Subject: [VoiceOps] Re: Spamming for a week: 463-20X-XXXX

I forgot Twilio lets you download PCAPs of calls. I grabbed one at random:

P-Asserted-Identity: <sip:[email protected]:5060>
SIP PAI Address: sip:[email protected]:5060
SIP PAI User Part: +14632018300
E.164 number (MSISDN): 14632018300
SIP PAI Host Part: 206.147.72.38
SIP PAI Host Port: 5060

-A

On Wed, Mar 18, 2026 at 8:44 AM Aaron C. de Bruyn <[email protected]> wrote:

I did NOT know that. :)

I'm not a telco or service provider. Just part of a company that's unfortunate enough to help a handful of customers manage their own internal Asterisk or FreePBX systems. Most of my customers use Twilio upstream. I don't think Twilio logs that header, and I don't see anything like it in the Asterisk logs. (Not sure if it even gets passed to us or if it just doesn't log it.)

-A

On Wed, Mar 18, 2026 at 8:36 AM Mark R Lindsey <[email protected]> wrote:

So...did you get any Identity headers? A traceback with ITG, or maybe an Identity header, is your only hope for tracing the origin.
I'm including the below, not to say that you, Aaron, don't know this, but just in case it's valuable to anyone else reading:

In the case of your first number, it belongs to a thousand block assigned initially to Bandwidth.com...but that's not even meaningful for routing a call to them today. You'd have to do an LRN lookup to find out how to deliver a call back to the legitimate owner of this number.

I did an LRN lookup for that first one, and it's currently ported to Onvoy, one of the brands of Sinch. But again, that only tells us how to get a call TO that legitimate owner. What you want to know is how they're sending calls to you. And if you're getting an Identity header it would be at least interesting.

Failing that, you can file a report with the Industry Traceback Group to report illegal calls: https://tracebacks.org/traceback-requests/

Mark R Lindsey | +1-229-316-0013 | [email protected] | LinkedIn: https://www.linkedin.com/in/markrlindsey/

On Mar 18, 2026, at 11:22, Aaron C. de Bruyn via VoiceOps <[email protected]> wrote:

A bunch of numbers out of Indiana have been spamming my customers for about a week. Most are automated recordings about how your Google business listing is wrong and needs to be fixed so customers can find you. Sometimes it's a human prefixed by the telltale "BWOOP" sound.
+14632000068 - BANDWIDTH.COM CLEC LLC IN
+14632001925 - BANDWIDTH.COM CLEC LLC IN
+14632004002 - BANDWIDTH.COM CLEC LLC IN
+14632005772 - BANDWIDTH.COM CLEC LLC IN
+14632006038 - BANDWIDTH.COM CLEC LLC IN
+14632006422 - BANDWIDTH.COM CLEC LLC IN
+14632006730 - BANDWIDTH.COM CLEC LLC IN
+14632009587 - BANDWIDTH.COM CLEC LLC IN
+14632018300 - BHN IP ENABLED SERVICES LLC
+14632018413 - BHN IP ENABLED SERVICES LLC
+14632018586 - BHN IP ENABLED SERVICES LLC
+14632018682 - BHN IP ENABLED SERVICES LLC
+14632027042 - LEVEL 3 COMMUNICATIONS LLC IN (Lumen)
+14632027073 - LEVEL 3 COMMUNICATIONS LLC IN (Lumen)
+14632027200 - LEVEL 3 COMMUNICATIONS LLC IN (Lumen)
+14632027252 - LEVEL 3 COMMUNICATIONS LLC IN (Lumen)
+14632027397 - LEVEL 3 COMMUNICATIONS LLC IN (Lumen)
+14632027539 - LEVEL 3 COMMUNICATIONS LLC IN (Lumen)
+14632027678 - LEVEL 3 COMMUNICATIONS LLC IN (Lumen)
+14632027899 - LEVEL 3 COMMUNICATIONS LLC IN (Lumen)
+14632030946 - METROPCS INC (T-Mobile US)

Kinda hard to believe the big boys haven't caught this abuse of their network yet.

I tried reporting the numbers to bandwidth.com (as ID'd by telcodata.us), but their form only allows for a single entry at a time, and it says most of the numbers don't belong to them. Either their form is broken or telcodata.us is out of date.

I can't find a reporting for Level3/Lumen. They seem to be geared towards "I'm a customer and need help figuring out the star code to block calls".
-A
_______________________________________________
VoiceOps mailing list -- [email protected]
https://lists.voiceops.org/postorius/lists/voiceops.voiceops.org/
To unsubscribe send an email to [email protected]
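
Added example, not part of the original thread: a decoder for the kind of Identity header shown at the top of this message, pulling out the fields useful for a traceback request (attestation level, origid, signing certificate URL) and flagging inconsistencies between the SIP parameters and the PASSporT. It decodes only and does not verify the ES256 signature; the sample values, the example.invalid URL and the 60-second freshness default are constructed assumptions.

```python
import base64, json, time

def _b64url_json(part):
    # JWS compact form uses base64url without padding; restore it first
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def _enc(obj):
    # helper used only to build the constructed sample below
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_identity(value, now=None, max_age=60):
    """Decode (NOT verify) an Identity header value into traceback fields."""
    token, *params = [s.strip() for s in value.split(";")]
    p = {k: v.strip('"') for k, v in (kv.split("=", 1) for kv in params if "=" in kv)}
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("PASSporT must be header.payload.signature")
    hdr, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    now = time.time() if now is None else now
    issues = []
    if p.get("ppt") != "shaken" or hdr.get("ppt") != "shaken":
        issues.append("ppt is not shaken")
    if p.get("alg") != "ES256" or hdr.get("alg") != "ES256":
        issues.append("alg is not ES256")
    if p.get("info", "").strip("<>") != hdr.get("x5u"):
        issues.append("info parameter does not match x5u")
    if abs(now - claims.get("iat", 0)) > max_age:
        issues.append("iat outside freshness window")
    return {
        "attest": claims.get("attest"),      # A, B or C
        "origid": claims.get("origid"),      # opaque ID set by the signer
        "orig_tn": claims.get("orig", {}).get("tn"),
        "dest_tn": claims.get("dest", {}).get("tn"),
        "cert_url": hdr.get("x5u"),          # identifies the signing provider
        "issues": issues,
    }

# Constructed sample: not taken from any real call
SAMPLE_HDR = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://certs.example.invalid/sp.pem"}
SAMPLE_CLAIMS = {"attest": "B", "dest": {"tn": ["12025550100"]}, "iat": 1773849480,
                 "orig": {"tn": "12025550123"},
                 "origid": "00000000-0000-4000-8000-000000000000"}
SAMPLE = (f"{_enc(SAMPLE_HDR)}.{_enc(SAMPLE_CLAIMS)}.c2lnbmF0dXJl"
          ";info=<https://certs.example.invalid/sp.pem>;alg=ES256;ppt=shaken")

if __name__ == "__main__":
    print(parse_identity(SAMPLE, now=SAMPLE_CLAIMS["iat"] + 5))
```

A header pulled from a PCAP after the fact will always report a stale iat when checked against the current time; pass the capture timestamp as `now` instead.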
