Represents automated SIP reconnaissance activity characterized by multiple unauthenticated SIP methods (such as REGISTER and INVITE) issued using bot-like Call-ID formats. This behavior indicates an attempt to enumerate valid SIP users, extensions, or call routing behavior by systematically probing a SIP service without establishing legitimate registration or dialog context. The use of a numeric-only, hyphen-delimited Call-ID format across different SIP methods strongly suggests an automated scanner or fraud bot rather than a legitimate user agent.

Automated SIP OPTIONS requests used to validate reachable VoIP endpoints and enumerate service capabilities without initiating a call session. The client sends standalone OPTIONS probes with high-entropy or unusually long Call-ID values, a pattern commonly associated with scripted scanning frameworks or VoIP reconnaissance tooling. Such activity is typically observed during infrastructure discovery phases where attackers identify responsive SIP servers, supported methods, and potential targets for toll fraud, brute-force registration attempts, or later exploitation campaigns.