The Curious Case of the Spurious CLI

Here's a bit of an odd one. And it's rather dull, if you're not interested in telephony and calling line identifiers. And probably dull even if you are.

A call from 0330 001 XXXX

The background is that I received a call today, from DHL. At least, claiming to be from DHL. I was sceptical. But anyway.

A call, from DHL, showing a CLI of 0330 001 XXXX. Nothing particularly strange there, as that is a valid number under the UK's national telephone numbering plan.

According to Ofcom's numbering allocation register, that range is allocated to "WAVECREST NETWORKS LIMITED".

The call came to me over SIP, and it was a call to one of the numbers for which I record calls.

And, after the call wrapped up, the recording landed in my inbox.

Or was it from +1441494576XXX?

Here's the odd bit: the calling line identifier did not show 0330 001 XXXX. It showed a completely different number, +1441494576XXX.

That is not a valid CLI, and should not have been allowed to leave the originating network. Ofcom GC C6.6 says:

Where technically feasible, Regulated Providers must: (a) take all reasonable steps to identify calls, other than calls to Emergency Organisations, in relation to which invalid or non-diallable CLI Data is provided; and (b) prevent those calls from being connected to the called party, where such calls are identified.

Perhaps preventing that call from leaving the network was not technically feasible.

But if you dropped the first "1", you do get a valid CLI, +441494576XXX. That number range is allocated by Ofcom to Verizon.

The area code "01494" includes the address of the premises purportedly being used by DHL in connection with the call. So it does, sort of, stack up.

But from where did the number shown on my phone, 0330 001 XXXX, come from?

So where did the 0330 001 XXXX number come from?

I checked with my carrier, A&A, in case it was a bug their end, and they confirmed that "From" field in the SIP INVITE contained only the invalid +1441494576XXX CLI.

There's no sign of CLI which showed up on my phone, 0330 001 XXXX.

I missed the opportunity to grab the logs from my own PBX, so I can only speculate, but I doubt they'd have shown anything useful, since there's nothing in the traffic from the carrier to my own PBX.

It seemed unlikely that 0330 001 XXXX is the presentation number, and +144149457XXXX is the underlying network number, which was somehow being leaked, because:

  • +144149457XXXX is not valid as a network number.
  • 0330 001 XXXX does not appear in the SIP headers that I've been able to see. I'm not aware of a way of sending presentation CLI via SIP where it would not be visible in the headers, which contain the session signalling.

Perhaps Android, the OS on which my phone runs, "makes up" a presentation CLI, if it receives invalid CLI? (Why would it? Why not just show the invalid CLI, since it has got that far?)

Could be another CP? I answered the call on my mobile, and the call route was from my carrier, to my PBX, which originates a call via a SIP trunk (with a different provider) to my mobile.

In other words, it is not being answered by me on a SIP endpoint, but as a "normal cellular" call.

So it's possible that the mobile provider was doing something with the invalid CLI it was receiving (in this call leg, from my PBX, which was passing through the CLI received from my carrier), but not presenting it to me, and showing something else instead.

That seems more plausible than it being an Android thing, but still seems rather odd...

Calling myself with invalid CLI

At this point, I needed to do some testing.

I phoned myself, deliberately setting an invalid calling line identifier. I used the same CLI as had been present in the SIP traffic to me, the +1441494576XXX.

And what did my phone show?

Well not the same 0330 001 XXXX CLI. Not exactly the same, at least. But it was another CLI in the 0330 001 XXXX range (i.e. the last four digits were different).

So it is, at least, repeatable.

But is it my mobile carrier?

I ran another test, still setting an invalid CLI for the outbound call, but I rang a number which only has a SIP endpoint. No mobile carrier involved.

Invalid CLI sent, and the number which showed on all the SIP clients which rang? Yet another number in the 0330 001 XXXX range.

I am confident we can rule out the mobile carrier, as they were not involved in this leg.

And we can rule out Android, as the 0330 001 XXXX showed in another SIP client, not on Android.

So, at this stage, I guess it must be:

  • my PBX
  • one of my SIP trunk providers
  • the entity hosting the number which I am calling

Time for another test call, while I'm watching the SIP logs on my PBX.

This time, I can see that the call is being sent from my PBX with the correct (albeit intentionally invalid) CLI. The SIP INVITE shows:

f: sip:144149457XXXX@firebrick.neilzone.co.uk;tag=2022011716482800001

This traffic is going out over a SIP trunk provider, to A&A (from which I'm renting the number which I am calling for this test), and back into my PBX.

I can then see the traffic coming back in from A&A, and we're back to the 0330 001 XXXX CLI.

From: "033 00 01XXXX" sip:+44330001XXXX@voiceless.aa.net.uk>;tag=2022011716483000001

I can disprove A&A's involvement, since the traffic is coming in to them from 0330 001 XXXX. We tested this (thank you, Adrian) with three different carriers, and all showed the traffic coming in to A&A as coming from 0330 001 XXXX.

We also tested one carrier going direct to Adrian (no A&A involvement), and that showed 0330 001 XXXX too.

Which I guess leave us with the other SIP trunk provider, or something in their upstream network, replacing an invalid CLI with one in the 033 00 01XXXX range.

Weirdness, but that seems like the most likely explanation.

(As always, thanks Adrian and AAISP for your help in getting to the bottom (I think?) of this one.)


Author: neil

I'm Neil. By day, I run a law firm, decoded.legal, giving advice on Internet, telecoms, and tech law. This is my personal blog, so will be mostly about tech stuff, cycling, and other hobbies.

You can find me (and follow me) on Mastodon and Twitter.