Comment by dilyevsky
IMS is just SIP core + bunch of gateways + integration with base LTE infra (eNodeB, PCRF, etc) so "signaling messages" are just SIP messages. So depending on whether those compromising headers were included on things like SIP 180 Ringing messages and such it may not be enough to not answer the calls. Source: actually worked on deploying IMS at a telco (not this one)
The headers are included in every single downlink message after initiating a call, including the downlink SIP Invite message before 100 Trying, 180 Ringing or 183 Session Progress.
If you're quick enough (or automate this with dedicated software, like an attacker might actually do), it won't even need to ring out. It's really not good.