
The call is rejected if @from.uri cannot be looked up during
non-register authentication.

It is not enough to check whether $fu.uid != $fr.uid, because
the expression is true only if both AVPs exist, and their values
are not equal. If one (or both) of the AVPs is missing, the expression
is false. (strange behaviour of not equal operator with AVPs)

Miklos Tirpak 17 years ago
parent
commit
d471b01a3b
1 changed file with 2 additions and 1 deletion
+ 2 - 1
etc/ser-oob.cfg

@@ -889,7 +889,8 @@ route[AUTHENTICATION]
 
 
 	# check if the UID from the authentication matches the From header
 	# check if the UID from the authentication matches the From header
 	if (!lookup_user("$fr.uid", "@from.uri")) {
 	if (!lookup_user("$fr.uid", "@from.uri")) {
-		del_attr("$uid");
+		sl_reply("403", "Fake Identity");
+		drop;
 	}
 	}
 	if ($fu.uid != $fr.uid) {
 	if ($fu.uid != $fr.uid) {
 		sl_reply("403", "Fake Identity");
 		sl_reply("403", "Fake Identity");
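
Review bot: the `if ($fu.uid != $fr.uid)` test left in place after the new `drop;` still evaluates to false when `$fu.uid` is absent, going by the commit message's own description of the operator, so a request with no `$fu.uid` gets past this check without a 403. If that case should be rejected as well, add an explicit guard for a missing `$fu.uid` before the comparison, or a config comment stating why it cannot be missing at this point. The comment above `lookup_user("$fr.uid", "@from.uri")` could also say that a failed lookup now ends processing with 403, since that reasoning currently lives only in the commit message, and both rejection paths send the same "Fake Identity" reply, which makes them hard to tell apart when troubleshooting.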