great work David!
We sure recognize some old friends in this list that just don't get tired:))
I really wonder how D88S, JT1CO, UA9YAB etc... ever find time for real QSOs.
They seem to have a little spotting contest of their own...:) And have had
it so for years...really funny:)
But it also shows that this information never reaches them as they don't
read CQ-C and their friends don't either...so I truly hope the Committee can
take some actions now based on your data.
73
tonno
es5tv
----- Original Message -----
From: "David Robbins K1TTT" <k1ttt@arrl.net>
To: "reflector cq-contest" <CQ-Contest@contesting.com>
Sent: Sunday, May 25, 2003 11:15 PM
Subject: [CQ-Contest] self spotting abuses in WPX CW
> This is long. It contains lots of data. It will be controversial. I
> am presenting lots of observations that may have other explanations.
> Blame it on a rainy weekend with a s/o guest op.
>
> All that said, I think it is time to reveal some of the 'secrets' of the
> current internet linked dx spotting network. In particular where it
> comes to tracking apparent self spotting during contests. Note, that
> some of this type of data has been provided to contest sponsors for the
> last couple years in various contests... I don't know what they have
> done with it for sure as I haven't gone back and matched up my
> suspicions with the final published results. But I do think that
> putting some more of it out in the open may make some of the abusers
> think twice about trying it in the future... of course it may just make
> them smarter and trickier, but then again the capabilities of the
> network are growing regularly also.
>
> You may have seen some of this type of data after some contests in the
> past, and some of the people who have published it have come under
> personal attack, including threats of violence... it is amazing in my
> view that a hobby such as this can come to such extremes that people
> want to cheat the system to do better, and then when they are caught try
> to hide the facts or become abusive.
>
> First some technical background. Every time you connect to a computer
> on the internet the computer you connect to gets your IP address. This
> is the 4 number address like 127.0.0.1 that you may have seen in various
> places while setting up your computer. The exchange of IP addresses is
> part of the communications protocol and you can not make a connection
> without giving the other computer your address. Every computer on the
> internet has one of these addresses, and every one is unique... There
> are some networks that group a bunch of machines behind one IP address,
> but these are generally small and the internet visible IP address is
> still unique. There are also some rf gateways that use one IP address
> for all the users, but again, the internet IP address is still unique
> for that gateway. It is also possible to trace IP addresses back to
> their source. It is not always possible to get to the originating
> machine, but normally the ISP or last major network hub can be
> identified. Even on dialup networks that assign IP addresses
> dynamically each time you connect there are traces and at least the ISP
> and often the area of a city can be identified. When tracing IP
> addresses you can translate the numbers back into the domain names, like
> how 140.186.101.248=>k1ttt.net. Usually these names mean something to
> someone, often abbreviations for city or country names are included in
> routers to make them easier to locate. Many routers outside the U.S.
> include either a company name or country telecom authority name. But
> for this analysis the important thing is that IP addresses are unique to
> one machine or one gateway on the internet.
>
> Next, the network problem. There are probably 3 major ways to get spots
> into the network these days. First are users who connect via rf to a
> cluster node. This is a rapidly dwindling group and doesn't seem to be
> a problem, or at least not a big one as local sysops can monitor these
> fairly easily and spot strange connections. Second are the 'telnet'
> cluster nodes. AR-Cluster, CLX, DXSpider, etc, are common software
> packages that run these nodes. These are the source of reports you may
> have seen in the past. All these node can record a log of ip addresses
> used to connect to them along with callsigns and the spots entered...
> details of how long the data is kept and the ways to save and extract it
> vary, but they can all do it. The third major source is
> www.dxsummit.com. This is a very popular web based site that allows
> users to put in dx spots from a web page interface. Through various
> mechanisms these spots are then sent out onto the cluster network for
> distribution to the rest of the world.
>
> In the past there were several pattern based approaches to spotting self
> spotting abuses during contests. These abusers were first noticed when
> a user on the cluster network noticed a spot come out under his call
> that he didn't put out. Further research revealed that several stations
> who were being spotted frequently were being spotted by calls that
> didn't exist, calls who had never made another spot on the network,
> calls who only spotted them but no one else, and a couple other odd
> things. Or the spots had obvious patterns like all exactly on the same
> frequency, all the comments were the same, they were spotted immediately
> after a frequency or band change, or spots came from stations that
> shouldn't have propagation at the time. Most of these would be
> considered circumstantial evidence, though in some cases it was so
> obvious over the period of a contest that it could not be ignored.
>
> By manually tracing spots back to their originating cluster nodes it was
> possible in some cases to get IP addresses and trace them. Every
> internet node can record a log of ip address vs callsign, not all of
> them keep the data for long and some sysops don't know how to enable it
> or extract the data, but on the popular nodes it is usually fairly easy
> to get the data. In most of the suspect cases the IP addresses came
> back to the country of the station that was being spotted. In some
> cases dozens of callsigns were being used from one IP address to login
> to a cluster node, make a spot for one station, then disconnect. By
> using some simple database tools it is now possible to correlate
> callsigns to IP addresses and in one easy step come up with a list of
> suspicious user calls. It is then easy to find dx spots that have
> originated from those user calls and spot the obvious patterns... here
> is a sample of the first 36 hours or so of the 2003 WPX CW test results
> from data on just my node:
>
> In each of the groups below there is the IP address followed by the
> callsign used to login to the node. Each of these is followed by the dx
> spots that were made by that call during the contest. The last entry in
> each group is the location where the trace of that IP address ended
> up(not necessarily the machine itself, but an indication of where the
> connection was from as I noted above).
>
> ========================================================================
> ==
> 193.248.78.117 N3RF
> 7003.6 TO5AA 24-May-2003 0146Z FM5
> 193.248.78.117 RW3QC
> 14006.0 TO5AA 23-May-2003 0109Z FM5
> P0-0-0.nclam101.LeLamentin.francetelecom.net
>
> 80.9.204.183 RA3WFS
> 7026.2 TO5AA 24-May-2003 2242Z FM5
> 14030.7 TO5AA 24-May-2003 2151Z FM5
> 80.9.204.183 W4BFB
> 21027.0 TO5AA 25-May-2003 1219Z from FM5
> 14030.0 TO5AA 25-May-2003 0519Z
> 7006.7 TO5AA 25-May-2003 0431Z
> 7025.0 TO5AA 25-May-2003 0039Z
> 21030.6 TO5AA 24-May-2003 1657Z
> 28029.0 TO5AA 24-May-2003 1615Z
> 28029.0 TO5AA 24-May-2003 1614Z FM5
> nslam106.francetelecom.net
>
> 193.248.78.179 K3LSX
> no spots???
> 193.248.78.179 RK3QWA
> 21032.6 TO5AA 24-May-2003 1325Z
> 21032.5 TO5AA 24-May-2003 1216Z
> P0-0-0.nclam101.LeLamentin.francetelecom.net
>
> ========================================================================
> ==
> 195.5.3.203 DS2BGN
> 21033.6 UU7J 24-May-2003 0433Z
> 195.5.3.203 JA1FDG
> 21060.3 UU7J 24-May-2003 0815Z TEST
> 195.5.3.203 JA2SZC
> 21037.1 UU7J 24-May-2003 0605Z
> 195.5.3.203 JH2NWP
> 14056.3 UU7 24-May-2003 1434Z
> 195.5.3.203 PY5CC
> 14052.2 PT5A 25-May-2003 0044Z WPX contest
> 7051.6 UU7J 25-May-2003 0018Z
> 28023.0 ZW5B 24-May-2003 2334Z
> 21031.0 PR0F 24-May-2003 2203Z WPX Fernando de Noronha
> ukrtel-gw.rascom.ru
>
> ========================================================================
> ==
> 213.235.179.18 OK1FJD
> 7019.0 OL3A 25-May-2003 0458Z
> 14037.4 N2MM 24-May-2003 1232Z
> 21039.4 OL3A 24-May-2003 1211Z
> 21007.0 SU9NC 24-May-2003 1211Z
> 21039.0 OL3A 24-May-2003 1100Z
> 21028.0 8P1A 24-May-2003 1100Z
> 21013.2 P41P 24-May-2003 1058Z
> 21066.9 OH3OJ 24-May-2003 0746Z
> 21028.0 OL3A 24-May-2003 0745Z
> 213.235.179.18 UA3JDF
> 14052.0 OL3A 24-May-2003 0652Z
> 14052.0 OL3A 24-May-2003 0644Z
> 14038.8 OL3A 24-May-2003 0638Z
> 213.235.179.18 UA9FGY
> 14013.0 OD5/OK1MU 24-May-2003 0727Z
> 21027.0 OL3A 24-May-2003 0724Z
> 21027.0 OL3A 24-May-2003 0721Z
> 213.235.179.18 UA9II
> 21026.4 OL3A 24-May-2003 1022Z
> 21060.4 RO4M/6 24-May-2003 1019Z
> 14017.0 OL3A 24-May-2003 1019Z
> 213.235.179.18 UA9JFG
> 14017.0 OL3A 24-May-2003 1018Z
> 14017.4 OL3A 24-May-2003 0910Z
> and other calls also
> 213.235.179.18 UA9JGF
> 21027.0 OL3A 24-May-2003 0713Z
> 14031.1 SV5/DJ5AA/P 24-May-2003 0703Z
> 14052.0 OL3A 24-May-2003 0656Z
> atm-2-0-69.Plzn-364.net.tiscali.cz
> ========================================================================
> ==
>
> Oh well, I probably just lost a few users of my node by publishing this
> information... but there are hundreds more real users out there anyway.
> Just remember, other nodes have this same capability... and any sysop
> who wants to either provide me with their database for analysis or who
> wants to know how to use MS-Access to do this is welcome to contact
> me... for other databases I could give you the SQL for the lookup but
> you would have to adjust it for your table and field names.
>
> In the past some of these would have slipped through the cracks because
> they made other spots so they would not have matched our pattern
> checking, but when correlating IP addresses directly there is much less
> doubt. When we first did this correlation on the cluster nodes there
> were MANY more hits than this, obviously some cheaters have either quit
> or changed their tactics. Hopefully this will get passed around again
> and discourage some more of them from doing this in the future.
>
> Also a problem in the past has been that spots fitting some of the
> patterns we were looking for were coming from www.dxsummit.com. These
> were basically a dead end. We could group them, count them, show that
> some of the calls being used were not active or had never entered
> another spot, but we could not trace them to an IP address.
>
> Now, on to the new stuff... But first a short story. A couple months
> ago I was contacted by an agent of the U.S. Secret Service. Someone had
> reported announcements made on the cluster network that contained
> comments like "death to bush" or some such threatening phrases. Yes,
> they do take these things seriously! These were traced through the
> network back to k1ttt-14 so I was contacted to see where they came from.
> K1ttt-14 happens to be my software that sucks dx spots from
> www.dxsummit.com via the #cqdx IRC channel and inserts them into the
> network for the rest of the world to see. There are other gateways like
> this but mine seems to be the fastest so most of them from that site
> come out with my node as the source. I have in the past tried to get
> access to the dxsummit IP address logs that their web pages said they
> kept but had not been successful, so I told the agent that the original
> source of those comments came from there, gave him the web and email
> addresses and left it at that... I have not heard back from him since.
> BUT, shortly after that I got an email from an operator of dxsummit
> telling me they had a new page that listed the ip addresses of all
> inputs to the web site... no explanation of why they added it, or why he
> was telling me specifically about it, but it is there. And here for the
> first time is an analysis of that data.
>
> But first the standard disclaimer... there may be various explanations
> for some of these, common rf gateways, local friends making spots using
> their own calls, and possibly others... but if you compare where the ip
> address traces to with the callsigns that login there some of them are
> very odd. And of course the decisions of the contest sponsors are final
> when it comes to judging contest logs.
>
> These are simpler to read since all the data is in one table... all I
> show is the IP address, the callsign put in at dxsummit(with the -@ that
> dxsummit adds) and the call that was spotted. After each block of IP
> addresses is the end of the trace as described above:
>
> ========================================================================
> ==
> A busy group of spotters from around the world using this IP...
> 200.11.86.85 4Z5MU-@: D88S
> 200.11.86.85 DJ1ZU-@: D88S
> 200.11.86.85 DL2AN-@: D88S
> 200.11.86.85 EA2RC-@: D88S
> 200.11.86.85 ES5TV-@: D88S
> 200.11.86.85 F5BPK-@: D88S
> 200.11.86.85 F5UKL-@: D88S
> 200.11.86.85 G3IGZ-@: D88S
> 200.11.86.85 HA1CW-@: D88S
> 200.11.86.85 HA8KW-@: D88S
> 200.11.86.85 HG6N-@: D88S
> 200.11.86.85 HG9X-@: D88S
> 200.11.86.85 K5TTN-@: D88S
> 200.11.86.85 LY4CW-@: D88S
> 200.11.86.85 LZ2DL-@: D88S
> 200.11.86.85 N7IR-@: D88S
> 200.11.86.85 NG6O-@: D88S
> 200.11.86.85 OM5M-@: D88S
> 200.11.86.85 PT5A-@: D88S
> 200.11.86.85 RW3RN-@: D88S
> 200.11.86.85 SP5ELA-@: D88S
> 200.11.86.85 UU2JQ-@: D88S
> 200.11.86.85 W0GG-@: D88S
> 200.11.86.85 YT6A-@: D88S
> 200.11.86.85 YU1EQ-@: D88S
> traces to ac6.cnt.entelchile.net then no response
> Sorry I don't read much Spanish, but http://www.entelchile.net/ appears
> to be a Chilean ISP site.
>
> ========================================================================
> ==
> 68.160.203.138 AK2P-@: W2/UR5DEM
> 68.160.203.138 I3HNS-@: W2/UR5DEM
> 68.160.203.138 OK3DS-@: W2/UR5DEM
> 68.160.203.138 PA0RDS-@: W2/UR5DEM
> 68.160.203.138 UX5WWL-@: W2/UR5DEM
> 68.160.203.138 YU2DG-@: W2/UR5DEM
> pool-68-160-203-138.ny325.east.verizon.net
>
> 68.161.84.221 DK2RF-@: W2/UR5DEM
> 68.161.84.221 PA0DXV-@: W2/UR5DEM
> pool-68-161-84-221.ny325.east.verizon.net
>
> 68.161.81.13 AK2P-@: W2/UR5DEM
> 68.161.81.13 DF0SF-@: W2/UR5DEM
> 68.161.81.13 F2RY-@: W2/UR5DEM
> 68.161.81.13 HA2DR-@: W2/UR5DEM
> 68.161.81.13 HA3SF-@: W2/UR5DEM
> 68.161.81.13 I4GTS-@: W2/UR5DEM
> 68.161.81.13 KC2LLM-@: W2/UR5DEM
> 68.161.81.13 PP2DX-@: W2/UR5DEM
> 68.161.81.13 WY6DX-@: W2/UR5DEM
> A3-0-0-1716.DSL-RTR4.NY325.verizon-gni.net
>
> ========================================================================
> ==
> The following group of to5aa spotters seems to have a lot of different
> ip's, though they all seem to trace back to something with "LeLamentin"
> which I believe is something in Martinique.
> 193.248.76.234 F6HEQ-@: TO5AA
> 193.248.76.234 FM5BH-@: TO5AA
> 193.248.76.234 FM5FJ-@: FM5/TO5AA
> traces to P0-0-0.nclam101.LeLamentin.francetelecom.net then no response
>
> 80.9.204.176 F6HEQ-@: TO5AA
> 80.9.204.176 F8AAN-@: TO5AA
> 80.9.204.176 FM5WD-@: TO5AA
> IPBRXNCLAM2.GW.opentransit.net (francetelecom.net doesn't show on this
> one but this same path led to 193.248.76.234 above)
>
> 80.9.204.110 F6HEQ-@: TO5AA
> 80.9.204.110 F8AAN-@: TO5AA
> 80.9.204.110 FM5DN-@: TO5AA
> 80.9.204.110 FM5DS-@: TO5AA
> P0-0-0.nclam102.LeLamentin.francetelecom.net
>
> 193.248.77.43 F6HEQ-@: TO5AA
> 193.248.77.43 F8AAN-@: TO5AA
> 193.248.77.43 FM5DN-@: TO5AA
> 193.248.77.43 FM5DS-@: TO5AA
> Mix-Le-Lamentin-101-2-43.w193-248.abo.wanadoo.fr
> (.fr is for france)
>
> 193.248.77.177 F6HEQ-@: TO5AA
> 193.248.77.177 FM5DN-@: TO5AA
> 193.248.77.177 FM5FJ-@: TO5AA
> nslam101.francetelecom.net
>
> remember, there were also users logged into my node that spotted to5aa:
> N3RF & RW3QC from P0-0-0.nclam101.LeLamentin.francetelecom.net
> W4BFB & RA3WFS from nslam106.francetelecom.net
> RK3QWA & K3LSX from P0-0-0.nclam101.LeLamentin.francetelecom.net
>
> ========================================================================
> ==
> 219.112.10.163 RN4WA-@: JM1TUY
> 219.112.10.163 VK2ASW-@: JM1TUY
> 219.112.10.163 W2QU-@: JM1TUY
> traces to ge-3-0-0.a08.tokyjp01.jp.ra.verio.net then only numbered
>
> ========================================================================
> ==
> local friends from the same gateways??
>
> 80.92.193.254 RW9AE-@: RA9JR
> 80.92.193.254 RX9JW-@: RA9JR
> 80.92.193.254 UA9JMB-@: RA9JR
> traces to neptune.helios-net.ru
>
> 195.42.147.217 UA9JMB-@: RA9JR
> 195.42.147.217 UN7FZ-@: RA9JR
> traces to gw-prime-arcon.arcon.ru then only numbered
>
> (.ru is for Russia)
> ========================================================================
> ==
> 193.111.10.205 DL8WN-@: EY3M
> 193.111.10.205 RA3OO-@: EY3M
> traces to babylon_t--satis-1-s0-2.telekom.ru then only numbered
> (.ru is for Russia)
> ========================================================================
> ==
> 195.239.235.42 RW4HW-@: RT4I
> 195.239.235.42 YL2KA-@: RT4I
> traces to volgogaz-gw.Samara.gldn.net then only numbered
>
> ========================================================================
> ==
> 213.190.40.247 JH2AMH-@: LY4CW
> 213.190.40.247 MM0BQS-@: LY4CW
> 213.190.40.247 PA3FNE-@: LY4CW
> 213.190.40.247 PP7CW-@: LY4CW
> 213.190.40.247 SP3PKL-@: LY4CW
> 213.190.40.247 UR4IYZ-@: LY4CW
> adsl-213-190-40-247.takas.lt
> DSL in Lithuania! Wish I could get that here!
> (.lt is for Lithuania)
>
> ========================================================================
> ==
> 202.179.6.6 OH6FT-@: JT1CO
> 202.179.6.6 UR5ERW-@: JT1CO
> as5400.ub.mng.net (www.ub.mng.net calls itself mongol.net)
>
> 202.179.4.56 DXER-@: 4W2DN (DXER uncovered????)
> 202.179.4.56 JT1BV-@: JT1CO
> 202.179.4.56 JT1BV-@: WV6E
> as5300-56.ub.mng.net (www.ub.mng.net calls itself mongol.net)
>
> ========================================================================
> ==
> 212.94.115.2 DJ3XG-@: PR0F
> 212.94.115.2 JH1AXN-@: UA9YAB
> 212.94.115.2 JK1QWX-@: UA9YAB
> 212.94.115.2 JL8UJZ-@: UA9YAB
> 212.94.115.2 LZ3DB-@: UA9YAB
> telku.biysk.ru
> (.ru is for Russia)
>
> ========================================================================
> ==
> a bunch of local friends on a common gateway maybe?
>
> 213.189.83.103 9K2AI-@: 9K9X
> 213.189.83.103 9K2RO-@: 9K9X
> 213.189.83.103 9K2SD-@: 9K9X
> 213.189.83.103 9K2YH-@: 9K9X
> NYC-ag4.NYC.US.net.DTAG.DE then into an unnamed network
>
> 62.150.84.67 9K2RO-@: 9K9X
> 62.150.84.67 9K2YH-@: 9K9X
> csk009.emirates.net.ae then into an unnamed network
> (.ae is for UAE)
> ========================================================================
> ==
>
> An interesting combination of spotting stations and spots from one ip
> address.
> 212.253.129.11 9A3PA-@: YM2ZF
> 212.253.129.11 JA0GJJ-@: YM2ZF
> 212.253.129.11 JA6CUX-@: YM2ZF
> 212.253.129.11 JM1TUY-@: 7X2RS
> 212.253.129.11 JM1TUY-@: YM2ZF
> 212.253.129.11 JM1TUYT-@ TA2ZF (a slip of the finger or mind?)
> 212.253.129.11 KC1F-@: TK5KP (I know him, he spots from k1ea node)
> 212.253.129.11 KC1F-@: YM2ZF
> 212.253.129.11 M0DXR-@: YM2ZF
> 212.253.129.11 RV4LC-@: YM2ZF
> 212.253.129.11 UT3UA-@: YM2ZF
> 212.253.129.11 UU0JM-@: YM2ZF
> 212.253.129.11 UU2JQ-@: YM2ZF
> 212.253.129.11 UX5UO-@: YM2ZF
> 212.253.129.11 Z35W-@: 3A2MW
> 212.253.129.11 Z35W-@: TK5KP
> traces to BS-EA1.BS.DE.NET.DTAG.DE then goes into unnamed network
> (.de is Germany)
>
> ========================================================================
> ==
> A couple other odd things that showed up:
>
> 68.155.11.108 N2WN-@: AL1G
> 68.155.11.108 NOEARS-@: A61AJ (A complainer unmasked?!?!)
> ixc01tys-8-1-1.bellsouth.net
>
> 169.207.127.70 BR549-@: CB20
> 169.207.127.70 WA9GJU-@: YITB253 (what in the world is yitb253?)
> as1.appl.wi.voyager.net
>
> Non-contest faked self spots?????
> 217.79.65.77 K5RN -@: LZ2KV
> 217.79.65.77 W2END -@ LZ2KV
> 217.79.65.77 W2END-@: LZ2KV
> 217.79.65.77 W9EV-@: LZ2KV
> traces to border1.telecoms.bg then sat.elnics.com
> (.bg is Bulgeria)
>
> ========================================================================
> ==
>
> Now I am sure a bunch of you are mad at me for either accusing someone
> without enough evidence or for just filling up your inbox with a huge
> bunch of junk... But what I hope is that word gets around that if you
> really want to cheat by spotting yourself it is getting harder and
> harder to hide your tracks... maybe you would be better off spending
> more time developing operating skills and less trying to cheat on the
> internet.
>
> One thing that is funny about spots for some of these stations is that
> they get spotted a lot anyway. And in past investigations a self spot,
> especially ones just after band or frequency changes, is often put in
> just before a real spot, in many nodes that makes the real spot look
> like a dupe and it is blocked.
>
> As some of you will undoubtedly attack me for this... SHIELDS UP, so
> FLAME ON! Full cluster logs for the weekend, and now an (almost)
> complete log of dxsummit spots with IP's will be available to contest
> sponsors if they want it for further investigation.
>
>
> David Robbins K1TTT
> e-mail: mailto:k1ttt@arrl.net
> web: http://www.k1ttt.net
> AR-Cluster node: 145.69MHz or telnet://dxc.k1ttt.net
>
>
>
>
> ---------------------------------------------------------------
> The world's top contesters battle it out in Finland!
> THE OFFICIAL FILM of WRTC 2002 now on professional DVD and VHS!
> http://home1.pacific.net.sg/~jamesb/
> ---------------------------------------------------------------
>
> _______________________________________________
> CQ-Contest mailing list
> CQ-Contest@contesting.com
> http://lists.contesting.com/mailman/listinfo/cq-contest
|