SMS bombing is illegal in India. Here’s what actually happens — and what to do instead.
An SMS bomber sends dozens or hundreds of unsolicited messages to a single Indian mobile number in a short burst. It is prosecuted under the IT Act, violates TRAI’s TCCCPR 2018, and now also falls under the DPDPA 2023. This page explains the law, the real consequences, and the legitimate path if you genuinely need to send high-volume SMS.
How an SMS bomber UI works (demo only — sends nothing).
A faithful reproduction of the typical interface so you can see exactly what these tools do, with a built-in counter, schedule list and a Protect Number block-list. Every action runs locally in your browser; no SMS is ever transmitted from this page.
No SMS will be sent. This widget animates a counter to demonstrate the UX of an SMS bomber. SMSLocal does not transmit any message from this page. Real SMS bombing is illegal in India under the IT Act, TRAI TCCCPR 2018, and DPDPA 2023 — see the sections below.
What is an SMS bomber?
Plain English, no euphemisms.
An SMS bomber is a script or web tool that triggers dozens to thousands of SMS from public sign-up forms, OTP endpoints, or low-cost gateways — all aimed at a single target mobile number. The intent is to overwhelm the recipient so they cannot see legitimate messages (such as banking OTPs or work notifications).
In India, SMS bombing is not a grey area. Even when the sender uses public forms (where each message is technically a separate legitimate SMS), coordinating them at a single target constitutes harassment, commercial-messaging violation, and unlawful personal-data processing under three separate laws.
SMSLocal does not provide a bomber tool and never will. This page exists because the term is searched often, and the honest answer deserves to rank — not the tools themselves.
Three frameworks that make SMS bombing illegal.
All three apply in parallel — you do not get to pick one.
IT Act, 2000 — Section 66 / 66A legacy
Sending messages that cause annoyance, inconvenience, danger, obstruction, insult, or intimidation through a communication service is a punishable offence. Section 66A was struck down in 2015, but the broader IT Act, along with Sections 354D (cyber-stalking) and 507 of the IPC (criminal intimidation), still apply — with imprisonment up to three years and a fine.
TRAI TCCCPR, 2018 (Telecom Commercial Communications)
Bulk commercial communications must flow through a registered DLT Principal Entity, use an approved Header (Sender ID) and an approved Template. SMS bombers bypass all three. Operators are mandated to trace abuse and suspend the originating service, and complaint workflows (1909, DND Registry) feed into the same trace path.
DPDPA, 2023 (Digital Personal Data Protection Act)
Processing a person’s phone number to send unwanted messages — especially at scale — constitutes unlawful processing of personal data without consent. Penalties under the DPDPA can run into several crores of rupees for the entity responsible.
What actually happens to senders.
Not hypothetical. These are the standard enforcement paths operators and the Cyber Cell use every day.
Your SIM / number gets blocked
Operators trace high-frequency outbound traffic from personal SIMs and suspend service without warning. The ban usually applies to the SIM and the KYC-linked Aadhaar, meaning new SIMs in your name get flagged too.
Criminal complaint under the IT Act / IPC
The recipient can — and increasingly does — file a complaint with the local Cyber Cell. Police obtain the trace from the operator in hours, not days, because the target number and timestamps are in the complaint itself.
Permanent Header / Entity blacklist
For businesses: a DLT Header used for bombing gets blacklisted across all operators. Your Principal Entity registration can be revoked, which kills your ability to send any transactional SMS — including OTPs — across India.
Civil damages under the DPDPA
If the affected user files a complaint with the Data Protection Board, the penalty for unlawful processing of personal data can be assessed up to ₹250 crore. There is no small-sender carve-out.
Four common reasons — and the legitimate answer for each.
“I need to test what happens when my app sends a lot of SMS.”
Use our sandbox. SMSLocal provides free test numbers that return real delivery receipts without actually billing or touching a live subscriber. You can simulate burst traffic, retry storms, and failed routes safely.
Explore SMS API“I want to prank a friend.”
This is the textbook case under Section 507 of the IPC (criminal intimidation via anonymous communication) and the broader IT Act. It is not a grey area. Send them a meme on WhatsApp instead.
“I need to send bulk SMS for my class / event / office.”
That is exactly what DLT-registered Bulk SMS is designed for. You get an approved Sender ID, approved templates, per-recipient delivery receipts, and pay-as-you-go pricing starting at ₹0.1050 / SMS — fully legal, fully auditable.
See Bulk SMS“I want to teach myself the SMS protocol.”
Read the SMPP specification, run SMPPSim locally, and use our developer sandbox for end-to-end tests on a real gateway — none of which involves sending unwanted messages to real people.
Read the docsWhat to do if your number is being SMS-bombed.
- 01Don’t reply. Replies confirm the number is active and in use, which is what the bomber is checking for.
- 02Capture evidence. Screenshot the flood — full screens showing the sender IDs, timestamps, and your own clock/battery for context. Export SMS logs if your phone supports it.
- 03File a cybercrime complaint. Go to cybercrime.gov.in and file under the “Report Other Cybercrimes” flow. Attach your screenshots. You will get a complaint reference number you can track.
- 04Notify your operator. Send the complaint reference to your mobile operator’s customer care and ask for CLI barring or enhanced anti-spam on your line. For DND violations specifically, complain via SMS to 1909 with the offending sender ID, date and time.
- 05Rotate OTPs during the attack. If the flood is hiding a real attack (e.g. credential stuffing triggering OTPs), disable SMS 2FA temporarily, switch to an authenticator app, and review bank / email login alerts for the last 24 hours.
Frequently asked questions.
Is using an SMS bomber illegal in India?+
Yes. It violates the IT Act (Sections 66 / 43 and adjacent IPC sections on intimidation), TRAI’s TCCCPR 2018 (unregistered commercial messaging), and the DPDPA 2023 (unlawful processing of a person’s contact data). Both the sender and any service hosting the bomber are liable.
Will the victim be able to trace me?+
In practice, yes. Operators are required by TRAI to retain CDRs and trace complaints. If the recipient files a 1909 / Cyber Cell complaint, the source number — and therefore the Aadhaar KYC attached to it — is almost always identified.
My number is being SMS-bombed — what do I do?+
Screenshot the messages, note the exact timestamps, and file a complaint at cybercrime.gov.in. File a parallel complaint with your operator (via 1909 for DND violations, or customer care for harassment). Do not reply — replies confirm the number is active.
What if the bomber uses international numbers?+
International origination that terminates on an Indian subscriber still falls under the IT Act and TRAI rules. Operators use ILDO-level filters to drop suspect patterns and law enforcement has active MLATs for serious cases.
Does SMSLocal offer an SMS bomber?+
No — and we never will. SMSLocal exists to send legitimate, consented messages for Indian businesses. Any account attempting abuse is terminated immediately and the trace data is shared with operators and, where required, law enforcement.
What’s the legitimate way to send high-volume SMS?+
Register a Principal Entity on any operator DLT (Jio / Airtel / Vi / BSNL), get a 6-character Sender ID approved, register your message templates, and route through a registered aggregator like SMSLocal. Full walkthrough in our DLT Registration Guide.
SMS bomber vs. SMSLocal Bulk SMS.
- Illegal under the IT Act, TRAI TCCCPR 2018 and DPDPA 2023.
- SIM / Aadhaar-KYC gets blacklisted by operators within hours.
- Traceable — CDRs are retained and Cyber Cell complaints are fast-tracked.
- Unreliable — most OTP endpoints now rate-limit and fingerprint requesters.
- No delivery reports, no compliance trail, no legitimate use case.
- DLT-registered, TRAI-compliant — every send is auditable.
- Send 1M+ messages in minutes with approved Sender IDs and templates.
- Per-recipient delivery receipts via webhook or dashboard.
- Pay-as-you-go starting at ₹0.1050 / SMS — ₹60 free on signup.
- Legal, scalable, and the only path that works at enterprise scale.
Send bulk SMS the right way.
DLT-registered infrastructure, ₹60 in free credits, and a team that has onboarded over 30,000 Indian businesses on compliant messaging.