What "spoofing" actually means
Setting the From and P-Asserted-Identity headers on an outbound INVITE to a number other than the trunk's default DID. Every PBX in the world supports it. Whether the destination carrier honors it is a separate question.
Legal in most jurisdictions when:
- You own the number you're presenting, OR
- You have written permission from the number's owner, OR
- You're conducting an authorized pen-test under contract.
Illegal when:
- You're concealing identity with intent to defraud (US TRACED Act, UK Ofcom rules, EU EECC Art. 97).
- You're impersonating a government agency, bank, or emergency service.
How to set it
Asterisk:
exten => _X.,1,Set(CALLERID(num)=15551234567)
same => n,Set(CALLERID(name)=Acme Support)
same => n,Dial(PJSIP/${EXTEN}@noncli-trunk,60)
FreeSWITCH:
<action application="set" data="effective_caller_id_number=15551234567"/>
<action application="set" data="effective_caller_id_name=Acme"/>
<action application="bridge" data="sofia/gateway/noncli/$1"/>
STIR/SHAKEN
In the US and Canada, calls without a valid attestation are increasingly marked "Spam Likely" or blocked. If you need US CLI to land clean, order a CLI route — we sign attestations through upstream OCNs. Non-CLI routes do not attest.
Per-call rotation
For outbound campaigns, rotate the presented CLI across a pool of numbers you own — repeated identical CLIs at high CPS trigger carrier-side fraud filters.