CQ-Contest
[Top] [All Lists]

[CQ-Contest] self spotting abuses in WPX CW

Subject: [CQ-Contest] self spotting abuses in WPX CW
From: ah3c@frii.com (Peter Grillo, Sr.)
Date: Mon May 26 07:34:41 2003
Dave -

Thanks for opening a window into the technical world and mystery of
spotting.  I back off from mystery, but radio is magic.  Magic is fun.  So,
who knows, you might hear me in contests from my home QTH this fall for the
first time .  My call sign will never be spotted from my QTH.  Just RF!!!

The radio shack is built.  Now comes the tower and antenna work.....

73,
Pete
W0RTT, ex-AH3C, etc.

.  ----- Original Message -----
From: "David Robbins K1TTT" <k1ttt@arrl.net>
To: "reflector cq-contest" <CQ-Contest@contesting.com>
Sent: Sunday, May 25, 2003 2:15 PM
Subject: [CQ-Contest] self spotting abuses in WPX CW


> This is long.  It contains lots of data.  It will be controversial.  I
> am presenting lots of observations that may have other explanations.
> Blame it on a rainy weekend with a s/o guest op.
>
> All that said, I think it is time to reveal some of the 'secrets' of the
> current internet linked dx spotting network.  In particular where it
> comes to tracking apparent self spotting during contests.  Note, that
> some of this type of data has been provided to contest sponsors for the
> last couple years in various contests... I don't know what they have
> done with it for sure as I haven't gone back and matched up my
> suspicions with the final published results.  But I do think that
> putting some more of it out in the open may make some of the abusers
> think twice about trying it in the future... of course it may just make
> them smarter and trickier, but then again the capabilities of the
> network are growing regularly also.
>
> You may have seen some of this type of data after some contests in the
> past, and some of the people who have published it have come under
> personal attack, including threats of violence... it is amazing in my
> view that a hobby such as this can come to such extremes that people
> want to cheat the system to do better, and then when they are caught try
> to hide the facts or become abusive.
>
> First some technical background.  Every time you connect to a computer
> on the internet the computer you connect to gets your IP address.  This
> is the 4 number address like 127.0.0.1 that you may have seen in various
> places while setting up your computer.  The exchange of IP addresses is
> part of the communications protocol and you can not make a connection
> without giving the other computer your address.  Every computer on the
> internet has one of these addresses, and every one is unique... There
> are some networks that group a bunch of machines behind one IP address,
> but these are generally small and the internet visible IP address is
> still unique.  There are also some rf gateways that use one IP address
> for all the users, but again, the internet IP address is still unique
> for that gateway.  It is also possible to trace IP addresses back to
> their source.  It is not always possible to get to the originating
> machine, but normally the ISP or last major network hub can be
> identified.  Even on dialup networks that assign IP addresses
> dynamically each time you connect there are traces and at least the ISP
> and often the area of a city can be identified.  When tracing IP
> addresses you can translate the numbers back into the domain names, like
> how 140.186.101.248=>k1ttt.net.  Usually these names mean something to
> someone, often abbreviations for city or country names are included in
> routers to make them easier to locate.  Many routers outside the U.S.
> include either a company name or country telecom authority name.  But
> for this analysis the important thing is that IP addresses are unique to
> one machine or one gateway on the internet.
>
> Next, the network problem.  There are probably 3 major ways to get spots
> into the network these days.  First are users who connect via rf to a
> cluster node.  This is a rapidly dwindling group and doesn't seem to be
> a problem, or at least not a big one as local sysops can monitor these
> fairly easily and spot strange connections.  Second are the 'telnet'
> cluster nodes.  AR-Cluster, CLX, DXSpider, etc, are common software
> packages that run these nodes.  These are the source of reports you may
> have seen in the past.  All these node can record a log of ip addresses
> used to connect to them along with callsigns and the spots entered...
> details of how long the data is kept and the ways to save and extract it
> vary, but they can all do it.  The third major source is
> www.dxsummit.com.  This is a very popular web based site that allows
> users to put in dx spots from a web page interface.  Through various
> mechanisms these spots are then sent out onto the cluster network for
> distribution to the rest of the world.
>
> In the past there were several pattern based approaches to spotting self
> spotting abuses during contests.  These abusers were first noticed when
> a user on the cluster network noticed a spot come out under his call
> that he didn't put out.  Further research revealed that several stations
> who were being spotted frequently were being spotted by calls that
> didn't exist, calls who had never made another spot on the network,
> calls who only spotted them but no one else, and a couple other odd
> things.   Or the spots had obvious patterns like all exactly on the same
> frequency, all the comments were the same, they were spotted immediately
> after a frequency or band change, or spots came from stations that
> shouldn't have propagation at the time.  Most of these would be
> considered circumstantial evidence, though in some cases it was so
> obvious over the period of a contest that it could not be ignored.
>
> By manually tracing spots back to their originating cluster nodes it was
> possible in some cases to get IP addresses and trace them.  Every
> internet node can record a log of ip address vs callsign, not all of
> them keep the data for long and some sysops don't know how to enable it
> or extract the data, but on the popular nodes it is usually fairly easy
> to get the data.  In most of the suspect cases the IP addresses came
> back to the country of the station that was being spotted.  In some
> cases dozens of callsigns were being used from one IP address to login
> to a cluster node, make a spot for one station, then disconnect.  By
> using some simple database tools it is now possible to correlate
> callsigns to IP addresses and in one easy step come up with a list of
> suspicious user calls.  It is then easy to find dx spots that have
> originated from those user calls and spot the obvious patterns... here
> is a sample of the first 36 hours or so of the 2003 WPX CW test results
> from data on just my node:
>
> In each of the groups below there is the IP address followed by the
> callsign used to login to the node.  Each of these is followed by the dx
> spots that were made by that call during the contest.  The last entry in
> each group is the location where the trace of that IP address ended
> up(not necessarily the machine itself, but an indication of where the
> connection was from as I noted above).
>
> ========================================================================
> ==
> 193.248.78.117 N3RF
>     7003.6  TO5AA       24-May-2003 0146Z  FM5
> 193.248.78.117 RW3QC
>    14006.0  TO5AA       23-May-2003 0109Z  FM5
> P0-0-0.nclam101.LeLamentin.francetelecom.net
>
> 80.9.204.183 RA3WFS
>     7026.2  TO5AA       24-May-2003 2242Z  FM5
>    14030.7  TO5AA       24-May-2003 2151Z  FM5
> 80.9.204.183 W4BFB
>    21027.0  TO5AA       25-May-2003 1219Z  from FM5
>    14030.0  TO5AA       25-May-2003 0519Z
>     7006.7  TO5AA       25-May-2003 0431Z
>     7025.0  TO5AA       25-May-2003 0039Z
>    21030.6  TO5AA       24-May-2003 1657Z
>    28029.0  TO5AA       24-May-2003 1615Z
>    28029.0  TO5AA       24-May-2003 1614Z  FM5
> nslam106.francetelecom.net
>
> 193.248.78.179 K3LSX
>     no spots???
> 193.248.78.179 RK3QWA
>    21032.6  TO5AA       24-May-2003 1325Z
>    21032.5  TO5AA       24-May-2003 1216Z
> P0-0-0.nclam101.LeLamentin.francetelecom.net
>
> ========================================================================
> ==
> 195.5.3.203 DS2BGN
>    21033.6  UU7J        24-May-2003 0433Z
> 195.5.3.203 JA1FDG
>    21060.3  UU7J        24-May-2003 0815Z  TEST
> 195.5.3.203 JA2SZC
>    21037.1  UU7J        24-May-2003 0605Z
> 195.5.3.203 JH2NWP
>    14056.3  UU7         24-May-2003 1434Z
> 195.5.3.203 PY5CC
>    14052.2  PT5A        25-May-2003 0044Z  WPX contest
>     7051.6  UU7J        25-May-2003 0018Z
>    28023.0  ZW5B        24-May-2003 2334Z
>    21031.0  PR0F        24-May-2003 2203Z  WPX Fernando de Noronha
> ukrtel-gw.rascom.ru
>
> ========================================================================
> ==
> 213.235.179.18 OK1FJD
>     7019.0  OL3A        25-May-2003 0458Z
>    14037.4  N2MM        24-May-2003 1232Z
>    21039.4  OL3A        24-May-2003 1211Z
>    21007.0  SU9NC       24-May-2003 1211Z
>    21039.0  OL3A        24-May-2003 1100Z
>    21028.0  8P1A        24-May-2003 1100Z
>    21013.2  P41P        24-May-2003 1058Z
>    21066.9  OH3OJ       24-May-2003 0746Z
>    21028.0  OL3A        24-May-2003 0745Z
> 213.235.179.18 UA3JDF
>    14052.0  OL3A        24-May-2003 0652Z
>    14052.0  OL3A        24-May-2003 0644Z
>    14038.8  OL3A        24-May-2003 0638Z
> 213.235.179.18 UA9FGY
>    14013.0  OD5/OK1MU   24-May-2003 0727Z
>    21027.0  OL3A        24-May-2003 0724Z
>    21027.0  OL3A        24-May-2003 0721Z
> 213.235.179.18 UA9II
>    21026.4  OL3A        24-May-2003 1022Z
>    21060.4  RO4M/6      24-May-2003 1019Z
>    14017.0  OL3A        24-May-2003 1019Z
> 213.235.179.18 UA9JFG
>    14017.0  OL3A        24-May-2003 1018Z
>    14017.4  OL3A        24-May-2003 0910Z
>    and other calls also
> 213.235.179.18 UA9JGF
>    21027.0  OL3A        24-May-2003 0713Z
>    14031.1  SV5/DJ5AA/P  24-May-2003 0703Z
>    14052.0  OL3A        24-May-2003 0656Z
> atm-2-0-69.Plzn-364.net.tiscali.cz
> ========================================================================
> ==
>
> Oh well, I probably just lost a few users of my node by publishing this
> information... but there are hundreds more real users out there anyway.
> Just remember, other nodes have this same capability... and any sysop
> who wants to either provide me with their database for analysis or who
> wants to know how to use MS-Access to do this is welcome to contact
> me... for other databases I could give you the SQL for the lookup but
> you would have to adjust it for your table and field names.
>
> In the past some of these would have slipped through the cracks because
> they made other spots so they would not have matched our pattern
> checking, but when correlating IP addresses directly there is much less
> doubt.  When we first did this correlation on the cluster nodes there
> were MANY more hits than this, obviously some cheaters have either quit
> or changed their tactics.  Hopefully this will get passed around again
> and discourage some more of them from doing this in the future.
>
> Also a problem in the past has been that spots fitting some of the
> patterns we were looking for were coming from www.dxsummit.com.  These
> were basically a dead end.  We could group them, count them, show that
> some of the calls being used were not active or had never entered
> another spot, but we could not trace them to an IP address.
>
> Now, on to the new stuff... But first a short story.  A couple months
> ago I was contacted by an agent of the U.S. Secret Service.  Someone had
> reported announcements made on the cluster network that contained
> comments like "death to bush" or some such threatening phrases.  Yes,
> they do take these things seriously!  These were traced through the
> network back to k1ttt-14 so I was contacted to see where they came from.
> K1ttt-14 happens to be my software that sucks dx spots from
> www.dxsummit.com via the #cqdx IRC channel and inserts them into the
> network for the rest of the world to see.  There are other gateways like
> this but mine seems to be the fastest so most of them from that site
> come out with my node as the source.  I have in the past tried to get
> access to the dxsummit IP address logs that their web pages said they
> kept but had not been successful, so I told the agent that the original
> source of those comments came from there, gave him the web and email
> addresses and left it at that... I have not heard back from him since.
> BUT, shortly after that I got an email from an operator of dxsummit
> telling me they had a new page that listed the ip addresses of all
> inputs to the web site... no explanation of why they added it, or why he
> was telling me specifically about it, but it is there.  And here for the
> first time is an analysis of that data.
>
> But first the standard disclaimer... there may be various explanations
> for some of these, common rf gateways, local friends making spots using
> their own calls, and possibly others... but if you compare where the ip
> address traces to with the callsigns that login there some of them are
> very odd.  And of course the decisions of the contest sponsors are final
> when it comes to judging contest logs.
>
> These are simpler to read since all the data is in one table... all I
> show is the IP address, the callsign put in at dxsummit(with the -@ that
> dxsummit adds) and the call that was spotted.  After each block of IP
> addresses is the end of the trace as described above:
>
> ========================================================================
> ==
> A busy group of spotters from around the world using this IP...
> 200.11.86.85 4Z5MU-@: D88S
> 200.11.86.85 DJ1ZU-@: D88S
> 200.11.86.85 DL2AN-@: D88S
> 200.11.86.85 EA2RC-@: D88S
> 200.11.86.85 ES5TV-@: D88S
> 200.11.86.85 F5BPK-@: D88S
> 200.11.86.85 F5UKL-@: D88S
> 200.11.86.85 G3IGZ-@: D88S
> 200.11.86.85 HA1CW-@: D88S
> 200.11.86.85 HA8KW-@: D88S
> 200.11.86.85 HG6N-@: D88S
> 200.11.86.85 HG9X-@: D88S
> 200.11.86.85 K5TTN-@: D88S
> 200.11.86.85 LY4CW-@: D88S
> 200.11.86.85 LZ2DL-@: D88S
> 200.11.86.85 N7IR-@: D88S
> 200.11.86.85 NG6O-@: D88S
> 200.11.86.85 OM5M-@: D88S
> 200.11.86.85 PT5A-@: D88S
> 200.11.86.85 RW3RN-@: D88S
> 200.11.86.85 SP5ELA-@: D88S
> 200.11.86.85 UU2JQ-@: D88S
> 200.11.86.85 W0GG-@: D88S
> 200.11.86.85 YT6A-@: D88S
> 200.11.86.85 YU1EQ-@: D88S
> traces to ac6.cnt.entelchile.net  then no response
> Sorry I don't read much Spanish, but http://www.entelchile.net/ appears
> to be a Chilean ISP site.
>
> ========================================================================
> ==
> 68.160.203.138 AK2P-@: W2/UR5DEM
> 68.160.203.138 I3HNS-@: W2/UR5DEM
> 68.160.203.138 OK3DS-@: W2/UR5DEM
> 68.160.203.138 PA0RDS-@: W2/UR5DEM
> 68.160.203.138 UX5WWL-@: W2/UR5DEM
> 68.160.203.138 YU2DG-@: W2/UR5DEM
> pool-68-160-203-138.ny325.east.verizon.net
>
> 68.161.84.221 DK2RF-@: W2/UR5DEM
> 68.161.84.221 PA0DXV-@: W2/UR5DEM
> pool-68-161-84-221.ny325.east.verizon.net
>
> 68.161.81.13 AK2P-@: W2/UR5DEM
> 68.161.81.13 DF0SF-@: W2/UR5DEM
> 68.161.81.13 F2RY-@: W2/UR5DEM
> 68.161.81.13 HA2DR-@: W2/UR5DEM
> 68.161.81.13 HA3SF-@: W2/UR5DEM
> 68.161.81.13 I4GTS-@: W2/UR5DEM
> 68.161.81.13 KC2LLM-@: W2/UR5DEM
> 68.161.81.13 PP2DX-@: W2/UR5DEM
> 68.161.81.13 WY6DX-@: W2/UR5DEM
> A3-0-0-1716.DSL-RTR4.NY325.verizon-gni.net
>
> ========================================================================
> ==
> The following group of to5aa spotters seems to have a lot of different
> ip's, though they all seem to trace back to something with "LeLamentin"
> which I believe is something in Martinique.
> 193.248.76.234 F6HEQ-@: TO5AA
> 193.248.76.234 FM5BH-@: TO5AA
> 193.248.76.234 FM5FJ-@: FM5/TO5AA
> traces to P0-0-0.nclam101.LeLamentin.francetelecom.net then no response
>
> 80.9.204.176 F6HEQ-@: TO5AA
> 80.9.204.176 F8AAN-@: TO5AA
> 80.9.204.176 FM5WD-@: TO5AA
> IPBRXNCLAM2.GW.opentransit.net (francetelecom.net doesn't show on this
> one but this same path led to 193.248.76.234 above)
>
> 80.9.204.110 F6HEQ-@: TO5AA
> 80.9.204.110 F8AAN-@: TO5AA
> 80.9.204.110 FM5DN-@: TO5AA
> 80.9.204.110 FM5DS-@: TO5AA
> P0-0-0.nclam102.LeLamentin.francetelecom.net
>
> 193.248.77.43 F6HEQ-@: TO5AA
> 193.248.77.43 F8AAN-@: TO5AA
> 193.248.77.43 FM5DN-@: TO5AA
> 193.248.77.43 FM5DS-@: TO5AA
> Mix-Le-Lamentin-101-2-43.w193-248.abo.wanadoo.fr
> (.fr is for france)
>
> 193.248.77.177 F6HEQ-@: TO5AA
> 193.248.77.177 FM5DN-@: TO5AA
> 193.248.77.177 FM5FJ-@: TO5AA
> nslam101.francetelecom.net
>
> remember, there were also users logged into my node that spotted to5aa:
> N3RF & RW3QC from P0-0-0.nclam101.LeLamentin.francetelecom.net
> W4BFB & RA3WFS from nslam106.francetelecom.net
> RK3QWA & K3LSX from P0-0-0.nclam101.LeLamentin.francetelecom.net
>
> ========================================================================
> ==
> 219.112.10.163 RN4WA-@: JM1TUY
> 219.112.10.163 VK2ASW-@: JM1TUY
> 219.112.10.163 W2QU-@: JM1TUY
> traces to ge-3-0-0.a08.tokyjp01.jp.ra.verio.net then only numbered
>
> ========================================================================
> ==
> local friends from the same gateways??
>
> 80.92.193.254 RW9AE-@: RA9JR
> 80.92.193.254 RX9JW-@: RA9JR
> 80.92.193.254 UA9JMB-@: RA9JR
> traces to neptune.helios-net.ru
>
> 195.42.147.217 UA9JMB-@: RA9JR
> 195.42.147.217 UN7FZ-@: RA9JR
> traces to gw-prime-arcon.arcon.ru then only numbered
>
> (.ru is for Russia)
> ========================================================================
> ==
> 193.111.10.205 DL8WN-@: EY3M
> 193.111.10.205 RA3OO-@: EY3M
> traces to babylon_t--satis-1-s0-2.telekom.ru then only numbered
> (.ru is for Russia)
> ========================================================================
> ==
> 195.239.235.42 RW4HW-@: RT4I
> 195.239.235.42 YL2KA-@: RT4I
> traces to volgogaz-gw.Samara.gldn.net then only numbered
>
> ========================================================================
> ==
> 213.190.40.247 JH2AMH-@: LY4CW
> 213.190.40.247 MM0BQS-@: LY4CW
> 213.190.40.247 PA3FNE-@: LY4CW
> 213.190.40.247 PP7CW-@: LY4CW
> 213.190.40.247 SP3PKL-@: LY4CW
> 213.190.40.247 UR4IYZ-@: LY4CW
> adsl-213-190-40-247.takas.lt
> DSL in Lithuania!  Wish I could get that here!
> (.lt is for Lithuania)
>
> ========================================================================
> ==
> 202.179.6.6 OH6FT-@: JT1CO
> 202.179.6.6 UR5ERW-@: JT1CO
> as5400.ub.mng.net (www.ub.mng.net calls itself mongol.net)
>
> 202.179.4.56 DXER-@: 4W2DN  (DXER uncovered????)
> 202.179.4.56 JT1BV-@: JT1CO
> 202.179.4.56 JT1BV-@: WV6E
> as5300-56.ub.mng.net (www.ub.mng.net calls itself mongol.net)
>
> ========================================================================
> ==
> 212.94.115.2 DJ3XG-@:   PR0F
> 212.94.115.2 JH1AXN-@: UA9YAB
> 212.94.115.2 JK1QWX-@: UA9YAB
> 212.94.115.2 JL8UJZ-@: UA9YAB
> 212.94.115.2 LZ3DB-@: UA9YAB
> telku.biysk.ru
> (.ru is for Russia)
>
> ========================================================================
> ==
> a bunch of local friends on a common gateway maybe?
>
> 213.189.83.103 9K2AI-@: 9K9X
> 213.189.83.103 9K2RO-@: 9K9X
> 213.189.83.103 9K2SD-@: 9K9X
> 213.189.83.103 9K2YH-@: 9K9X
> NYC-ag4.NYC.US.net.DTAG.DE then into an unnamed network
>
> 62.150.84.67 9K2RO-@: 9K9X
> 62.150.84.67 9K2YH-@: 9K9X
> csk009.emirates.net.ae then into an unnamed network
> (.ae is for UAE)
> ========================================================================
> ==
>
> An interesting combination of spotting stations and spots from one ip
> address.
> 212.253.129.11 9A3PA-@: YM2ZF
> 212.253.129.11 JA0GJJ-@: YM2ZF
> 212.253.129.11 JA6CUX-@: YM2ZF
> 212.253.129.11 JM1TUY-@: 7X2RS
> 212.253.129.11 JM1TUY-@: YM2ZF
> 212.253.129.11 JM1TUYT-@ TA2ZF (a slip of the finger or mind?)
> 212.253.129.11 KC1F-@: TK5KP (I know him, he spots from k1ea node)
> 212.253.129.11 KC1F-@: YM2ZF
> 212.253.129.11 M0DXR-@: YM2ZF
> 212.253.129.11 RV4LC-@: YM2ZF
> 212.253.129.11 UT3UA-@: YM2ZF
> 212.253.129.11 UU0JM-@: YM2ZF
> 212.253.129.11 UU2JQ-@: YM2ZF
> 212.253.129.11 UX5UO-@: YM2ZF
> 212.253.129.11 Z35W-@: 3A2MW
> 212.253.129.11 Z35W-@: TK5KP
> traces to BS-EA1.BS.DE.NET.DTAG.DE then goes into unnamed network
> (.de is Germany)
>
> ========================================================================
> ==
> A couple other odd things that showed up:
>
> 68.155.11.108 N2WN-@: AL1G
> 68.155.11.108 NOEARS-@: A61AJ  (A complainer unmasked?!?!)
> ixc01tys-8-1-1.bellsouth.net
>
> 169.207.127.70 BR549-@: CB20
> 169.207.127.70 WA9GJU-@: YITB253  (what in the world is yitb253?)
> as1.appl.wi.voyager.net
>
> Non-contest faked self spots?????
> 217.79.65.77 K5RN -@: LZ2KV
> 217.79.65.77 W2END  -@ LZ2KV
> 217.79.65.77 W2END-@: LZ2KV
> 217.79.65.77 W9EV-@: LZ2KV
> traces to border1.telecoms.bg then sat.elnics.com
> (.bg is Bulgeria)
>
> ========================================================================
> ==
>
> Now I am sure a bunch of you are mad at me for either accusing someone
> without enough evidence or for just filling up your inbox with a huge
> bunch of junk... But what I hope is that word gets around that if you
> really want to cheat by spotting yourself it is getting harder and
> harder to hide your tracks... maybe you would be better off spending
> more time developing operating skills and less trying to cheat on the
> internet.
>
> One thing that is funny about spots for some of these stations is that
> they get spotted a lot anyway.  And in past investigations a self spot,
> especially ones just after band or frequency changes, is often put in
> just before a real spot, in many nodes that makes the real spot look
> like a dupe and it is blocked.
>
> As some of you will undoubtedly attack me for this... SHIELDS UP, so
> FLAME ON!  Full cluster logs for the weekend, and now an (almost)
> complete log of dxsummit spots with IP's will be available to contest
> sponsors if they want it for further investigation.
>
>
> David Robbins K1TTT
> e-mail: mailto:k1ttt@arrl.net
> web: http://www.k1ttt.net
> AR-Cluster node: 145.69MHz or telnet://dxc.k1ttt.net
>
>
>
>
> ---------------------------------------------------------------
>     The world's top contesters battle it out in Finland!
> THE OFFICIAL FILM of WRTC 2002 now on professional DVD and VHS!
>        http://home1.pacific.net.sg/~jamesb/
> ---------------------------------------------------------------
>
> _______________________________________________
> CQ-Contest mailing list
> CQ-Contest@contesting.com
> http://lists.contesting.com/mailman/listinfo/cq-contest
>

<Prev in Thread] Current Thread [Next in Thread>