"spoofed" calls rejected by T-Mobile

I have two users who insist on having their primary numbers with a major US cellular carrier. Mainly, because VoIP numbers are not accepted for 2FA by various companies, but also as a backup in case of PBX, power, or ISP connection failure. They are presently with T-Mobile.

They make most calls from their deskphones, presently via Telnyx, who sends the mobile number as a ‘verified’ caller ID. Incoming calls are forwarded to the main company number; FreePBX sees the Diversion header and routes to the proper deskphone.

The problem is that all calls to T-Mobile numbers are being rejected with a 603 Decline. I believe that when T-Mo sees a T-Mo caller ID, but the call arrives from another network, the call is rejected. As a temporary mitigation, we fallback to a route that sends a different caller ID belonging to the user. Unfortunately, this results in some calls going unanswered.

I suspect that this may be related to the B attestation sent by Telnyx for a number that was not purchased from them. Unfortunately, the other trunking providers to which I have access do the same thing. Can you recommend a provider who will send an A attestation for ‘verified’ numbers?

Testing showed that this is not an issue with AT&T or Verizon. For example, I can spoof a VZW number and call a different VZW number with no trouble. So, porting the numbers from T-Mo to another carrier (or an MVNO using another carrier) would solve the problem for now. However, I’m concerned that the fix won’t last, as the other carriers may adopt the same check. With this approach, I’m tempted to port to US Mobile, as I can then change carriers for two bucks and no hassle. Possibly, their networking will avoid the issue altogether.

Another option is an MVNO that supports making and receiving calls via SIP. Can you recommend one? Most, e.g., Vitelity, seem to have dropped this feature.

Are you aware of any mobile SIP app that functions as a trunk, rather than an extension? Received RTP would be sent over the cellular voice path, rather than to the speaker, and audio from the cellular voice path (rather than the microphone) would be sent out as RTP.

Chan_mobile might be a possibility, but I would need multiple Bluetooth interfaces in different rooms, somehow all networked to Asterisk.

Or, something I haven’t thought of.

Sorry if this is obvious, but have you tried sending in e164 format, with and without the + to see if it makes any difference?

Are you sure that attestation level matters? It seems to me that T Mobile may simply reject anything purporting to be from their network that arrives from outside. If anything, I would have though they would be more likely to accept a B attestation, than an A.

Thanks for the suggestion. I’m pretty sure that Telnyx (like most providers) normalizes the caller ID before sending to their upstream, though I believe that Voxbeam doesn’t; on an unrelated ticket they suggested trying various formats. Unfortunately, in this case, no workie.

Not at all; it is just a guess, but one that should be easy to test, if I only knew who would send an A for a verified number. It annoys me that all my trunks are sending B. I know almost nothing about enterprise systems, but am reasonably certain that most have redundant carriers for outbound calls and expect A attestation from the failover carrier (who is not providing the calling number). I am hoping that some member of this forum knows how to do that.

Have you looked at Twilio? I’ve found their services useful for many applications. From SMS to DID to SIP trunking to video to IVR. It’s really flexible and might fit the bill for this use case. DID numbers can be configured to send voice calls to SIP trunking, while handling SMS separately. They definitely support MFA for various use cases. You can setup a free trial I believe to test things out.

That’s because they either use a carrier that let them supply verified numbers or they get their own Delegated Cert, which is what call centers do.

However, Telnyx allows you to verify numbers with them and once you prove ownership they will give it an A attestation. So have you verified the number with Telnyx?

Unfortunately, not the case. My verified number gets a B and I’ve opened a couple of tickets and was told that I’m SOL – they give A only for numbers purchased from them.

However, I found that VoIP.ms gives A on verified numbers. But as @david55 opined, no cigar.

Next step is to port to US Mobile, unless one of you know a good way to send calls through the cell phone (without the chan_mobile limitations).

This seems like a big workaround instead of simply porting their published numbers to Telnyx.

Then get them new numbers for their T-Mobile phones and re-register the 2fa. (Note: sms 2fa is becoming considered a bad practice and OTP authenticators are preferred.) Why would it matter to have 2fa pointing to published business numbers?

If they want to use their cell phones for calling out and display their business number, a SIP softphone or even a DISA would do the trick.

That’s exactly what we had before switching to the current system.
Three kinds of problems:

Companies expect you to either have one (mobile) phone number, or a home phone (not SMS capable) and a mobile. So when your doctor’s office calls, it goes to the mobile; with considerable hassle you can get them to call the VoIP number. With the bank, fat chance. If they call about a potentially fraudulent charge, it comes to the mobile, like it or not.

Until very recently (after the switch), although Groundwire calls would show up on the car screen with correct caller ID, the green answer button was non-functional, as was the steering wheel button. You could answer from the smartphone and Bluetooth audio would then work, but keeping the phone in a dashboard holder is a hassle and likely in violation of Nevada hands-free law.

Outbound calls are even worse. You can’t return a call from the history on the car screen, neither by Groundwire nor by DISA “calling card app”. Nor can you push the steering wheel button and say “Call John Doe” (in your Contacts) or “Call 12125551212” and get the call to go out via Groundwire or calling card app.

True, but we are trying to automate various tasks that invove 2FA and that would be a steep learning curve for me, as I have no expertise in that domain. With SMS, a simple Tasker script forwards the messages to a specific email address.

This pretty much is the workaround it seems, right? One of our company execs is out of the office a lot. And didn’t want to miss out on important calls to his desk phone. SIP softphone allows him to register his extension when he wants to on his cell. He can directly make/take calls using his extension. Otherwise his cell number is doing its thing. And his mobile can be used for MFA for whatever service is requesting it. Be it SMS or a OTP app.

If a user requested a mobile carrier’s number be set as their primary number in my world, I would point them to an alternative. As was suggested.

Can he do this from car screen or steering wheel?
If so, I’m quite impressed as I’ve fought this for a long time. What are make/model of softphone, smartphone and car? Any supplementary apps needed?

I’m not sure if he manages the SIP softphone while in the middle of driving. There are rabbit holes that can be dug into to whatever level is reasonable. I recall jailbreaking my nav touchscreen to add apps like YouTube and whatnot. Since at the end of the day, it’s usually a glorified Android tablet. Depends on what depths you want or need to go to I suppose.

If the whole car scenario is more geared toward inbound calls to him, configure FreePBX FM/FM to hit his mobile number if his extension doesn’t pick up an inbound call. He can pick up the call like any other one to his cell phone that’s paired with his car.

This is tough to impossible to do well.

1. We want to preserve the number of the original caller. Most trunking providers don’t allow that; we can route the forward via e.g., AnveoDirect or Voxbeam who will accept arbitrary caller IDs, but then the car may display “scam likely” or similar and the driver will have to recognize the number to know to answer.
2. We want to preserve the voice quality of the original call. Unfortunately, in the US only a few trunking providers offer wideband “HD voice” calls, but I don’t know of any that also pass arbitrary caller IDs.
3. If the driver is dealing with a tricky traffic situation when the call comes in, he will of course not answer, but later wants to return the call. If he just taps the missed call notification on the car screen and taps call, the call will go out as a normal cellular voice call, revealing the user’s personal number and may result in the call being unanswered. I don’t know how to send this call via DISA or SIP app.

The user doesn’t care about any of these details. He just says “Make it work the same as when I’m in the office.”

Without being presumptuous, I’m guessing the user is a executive employee. CEO or private company owner, right? I’ve had to deal with these situations going back 25+ years with the same company. Lots of requests for seemingly simple solutions that inevitably wind up being a rabbit hole.

If it were me, I’d just suggest two cell phones. Personal and business. Business cell phone is for just that. That DID number with the mobile carrier appears on their business cards and whatnot. And an executive-level employee isn’t sitting on a physical desk phone for their entire work life like a call center agent. They are mobile. The business cell phone can even be enrolled in MDM, so supporting the exec when they are away from their desk is a lot easier.

There is always this company that allows you to associate a cell phone as an actual extension on the PBX. With dual SIM, its pretty easy to set up and use. I believe this runs on the T-Mobile network.

See https://www.gtiglobalwireless.com/index.php/mobile-comm/