This is long. It contains lots of data. It will be controversial. I
am presenting lots of observations that may have other explanations.
Blame it on a rainy weekend with a s/o guest op.
All that said, I think it is time to reveal some of the 'secrets' of the
current internet linked dx spotting network. In particular where it
comes to tracking apparent self spotting during contests. Note, that
some of this type of data has been provided to contest sponsors for the
last couple years in various contests... I don't know what they have
done with it for sure as I haven't gone back and matched up my
suspicions with the final published results. But I do think that
putting some more of it out in the open may make some of the abusers
think twice about trying it in the future... of course it may just make
them smarter and trickier, but then again the capabilities of the
network are growing regularly also.
You may have seen some of this type of data after some contests in the
past, and some of the people who have published it have come under
personal attack, including threats of violence... it is amazing in my
view that a hobby such as this can come to such extremes that people
want to cheat the system to do better, and then when they are caught try
to hide the facts or become abusive.
First some technical background. Every time you connect to a computer
on the internet the computer you connect to gets your IP address. This
is the 4 number address like 127.0.0.1 that you may have seen in various
places while setting up your computer. The exchange of IP addresses is
part of the communications protocol and you cannot make a connection
without giving the other computer your address. Every computer on the
internet has one of these addresses, and every one is unique... There
are some networks that group a bunch of machines behind one IP address,
but these are generally small and the internet visible IP address is
still unique. There are also some rf gateways that use one IP address
for all the users, but again, the internet IP address is still unique
for that gateway. It is also possible to trace IP addresses back to
their source. It is not always possible to get to the originating
machine, but normally the ISP or last major network hub can be
identified. Even on dialup networks that assign IP addresses
dynamically each time you connect there are traces and at least the ISP
and often the area of a city can be identified. When tracing IP
addresses you can translate the numbers back into the domain names, like
how 140.186.101.248 => k1ttt.net. Usually these names mean something to
someone, often abbreviations for city or country names are included in
routers to make them easier to locate. Many routers outside the U.S.
include either a company name or country telecom authority name. But
for this analysis the important thing is that IP addresses are unique to
one machine or one gateway on the internet.
Next, the network problem. There are probably 3 major ways to get spots
into the network these days. First are users who connect via rf to a
cluster node. This is a rapidly dwindling group and doesn't seem to be
a problem, or at least not a big one as local sysops can monitor these
fairly easily and spot strange connections. Second are the 'telnet'
cluster nodes. AR-Cluster, CLX, DXSpider, etc, are common software
packages that run these nodes. These are the source of reports you may
have seen in the past. All these nodes can record a log of IP addresses
used to connect to them along with callsigns and the spots entered...
details of how long the data is kept and the ways to save and extract it
vary, but they can all do it. The third major source is
www.dxsummit.com. This is a very popular web based site that allows
users to put in dx spots from a web page interface. Through various
mechanisms these spots are then sent out onto the cluster network for
distribution to the rest of the world.
In the past there were several pattern based approaches to spotting self
spotting abuses during contests. These abusers were first noticed when
a user on the cluster network noticed a spot come out under his call
that he didn't put out. Further research revealed that several stations
who were being spotted frequently were being spotted by calls that
didn't exist, calls who had never made another spot on the network,
calls who only spotted them but no one else, and a couple other odd
things. Or the spots had obvious patterns like all exactly on the same
frequency, all the comments were the same, they were spotted immediately
after a frequency or band change, or spots came from stations that
shouldn't have propagation at the time. Most of these would be
considered circumstantial evidence, though in some cases it was so
obvious over the period of a contest that it could not be ignored.
By manually tracing spots back to their originating cluster nodes it was
possible in some cases to get IP addresses and trace them. Every
internet node can record a log of IP address vs callsign, not all of
them keep the data for long and some sysops don't know how to enable it
or extract the data, but on the popular nodes it is usually fairly easy
to get the data. In most of the suspect cases the IP addresses came
back to the country of the station that was being spotted. In some
cases dozens of callsigns were being used from one IP address to login
to a cluster node, make a spot for one station, then disconnect. By
using some simple database tools it is now possible to correlate
callsigns to IP addresses and in one easy step come up with a list of
suspicious user calls. It is then easy to find dx spots that have
originated from those user calls and spot the obvious patterns... here
is a sample of the first 36 hours or so of the 2003 WPX CW test results
from data on just my node:
In each of the groups below there is the IP address followed by the
callsign used to login to the node. Each of these is followed by the dx
spots that were made by that call during the contest. The last entry in
each group is the location where the trace of that IP address ended
up (not necessarily the machine itself, but an indication of where the
connection was from as I noted above).
==========================================================================
193.248.78.117 N3RF
7003.6 TO5AA 24-May-2003 0146Z FM5
193.248.78.117 RW3QC
14006.0 TO5AA 23-May-2003 0109Z FM5
P0-0-0.nclam101.LeLamentin.francetelecom.net
80.9.204.183 RA3WFS
7026.2 TO5AA 24-May-2003 2242Z FM5
14030.7 TO5AA 24-May-2003 2151Z FM5
80.9.204.183 W4BFB
21027.0 TO5AA 25-May-2003 1219Z from FM5
14030.0 TO5AA 25-May-2003 0519Z
7006.7 TO5AA 25-May-2003 0431Z
7025.0 TO5AA 25-May-2003 0039Z
21030.6 TO5AA 24-May-2003 1657Z
28029.0 TO5AA 24-May-2003 1615Z
28029.0 TO5AA 24-May-2003 1614Z FM5
nslam106.francetelecom.net
193.248.78.179 K3LSX
no spots???
193.248.78.179 RK3QWA
21032.6 TO5AA 24-May-2003 1325Z
21032.5 TO5AA 24-May-2003 1216Z
P0-0-0.nclam101.LeLamentin.francetelecom.net
==========================================================================
195.5.3.203 DS2BGN
21033.6 UU7J 24-May-2003 0433Z
195.5.3.203 JA1FDG
21060.3 UU7J 24-May-2003 0815Z TEST
195.5.3.203 JA2SZC
21037.1 UU7J 24-May-2003 0605Z
195.5.3.203 JH2NWP
14056.3 UU7 24-May-2003 1434Z
195.5.3.203 PY5CC
14052.2 PT5A 25-May-2003 0044Z WPX contest
7051.6 UU7J 25-May-2003 0018Z
28023.0 ZW5B 24-May-2003 2334Z
21031.0 PR0F 24-May-2003 2203Z WPX Fernando de Noronha
ukrtel-gw.rascom.ru
==========================================================================
213.235.179.18 OK1FJD
7019.0 OL3A 25-May-2003 0458Z
14037.4 N2MM 24-May-2003 1232Z
21039.4 OL3A 24-May-2003 1211Z
21007.0 SU9NC 24-May-2003 1211Z
21039.0 OL3A 24-May-2003 1100Z
21028.0 8P1A 24-May-2003 1100Z
21013.2 P41P 24-May-2003 1058Z
21066.9 OH3OJ 24-May-2003 0746Z
21028.0 OL3A 24-May-2003 0745Z
213.235.179.18 UA3JDF
14052.0 OL3A 24-May-2003 0652Z
14052.0 OL3A 24-May-2003 0644Z
14038.8 OL3A 24-May-2003 0638Z
213.235.179.18 UA9FGY
14013.0 OD5/OK1MU 24-May-2003 0727Z
21027.0 OL3A 24-May-2003 0724Z
21027.0 OL3A 24-May-2003 0721Z
213.235.179.18 UA9II
21026.4 OL3A 24-May-2003 1022Z
21060.4 RO4M/6 24-May-2003 1019Z
14017.0 OL3A 24-May-2003 1019Z
213.235.179.18 UA9JFG
14017.0 OL3A 24-May-2003 1018Z
14017.4 OL3A 24-May-2003 0910Z
and other calls also
213.235.179.18 UA9JGF
21027.0 OL3A 24-May-2003 0713Z
14031.1 SV5/DJ5AA/P 24-May-2003 0703Z
14052.0 OL3A 24-May-2003 0656Z
atm-2-0-69.Plzn-364.net.tiscali.cz
==========================================================================
Oh well, I probably just lost a few users of my node by publishing this
information... but there are hundreds more real users out there anyway.
Just remember, other nodes have this same capability... and any sysop
who wants to either provide me with their database for analysis or who
wants to know how to use MS-Access to do this is welcome to contact
me... for other databases I could give you the SQL for the lookup but
you would have to adjust it for your table and field names.
In the past some of these would have slipped through the cracks because
they made other spots so they would not have matched our pattern
checking, but when correlating IP addresses directly there is much less
doubt. When we first did this correlation on the cluster nodes there
were MANY more hits than this, obviously some cheaters have either quit
or changed their tactics. Hopefully this will get passed around again
and discourage some more of them from doing this in the future.
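To show what that IP-to-callsign correlation looks like as a lookup, here is an added example (mine, not K1TTT's MS-Access database or his SQL, which are not in this post). It loads a constructed login log and spot log into SQLite, pulls out every address that more than one callsign logged in from together with the spots those calls entered (including calls that logged in but never spotted), and then flags the addresses where all of those logins spotted just one station. The table layout, column names, callsigns and addresses are all assumptions made up for the example.

```python
import sqlite3
from collections import defaultdict

# Constructed sample of a node's login log (IP, callsign) and its spot log.
# Callsigns and addresses are made up; they are not from the post's data.
LOGINS = [
    ("10.1.1.5", "AA1AAA"), ("10.1.1.5", "BB2BBB"), ("10.1.1.5", "CC3CCC"),
    ("10.1.1.5", "GG7GGG"),              # logged in, never spotted
    ("10.1.1.5", "AA1AAA"),              # same call, second login
    ("10.2.2.9", "DD4DDD"),              # one call from its own address
    ("10.3.3.7", "EE5EEE"), ("10.3.3.7", "FF6FFF"),
]
SPOTS = [  # (spotter, freq kHz, dx call, time)
    ("AA1AAA", 14030.0, "XX9XX", "24-May-2003 0100Z"),
    ("BB2BBB", 21030.0, "XX9XX", "24-May-2003 0415Z"),
    ("CC3CCC", 7030.0, "XX9XX", "24-May-2003 2200Z"),
    ("DD4DDD", 14020.0, "YY8YY", "24-May-2003 0900Z"),
    ("DD4DDD", 21015.0, "ZZ7ZZ", "24-May-2003 1000Z"),
    ("EE5EEE", 28030.0, "PP1PP", "24-May-2003 1600Z"),
    ("FF6FFF", 14007.0, "QQ2QQ", "24-May-2003 1700Z"),
]

# The lookup: every address used by at least ? distinct callsigns, with each
# of those callsigns and any spots it entered (LEFT JOIN keeps "no spots" calls).
SUSPECT_SQL = """
SELECT l.ip, l.call, s.freq, s.dx, s.utc
FROM (SELECT DISTINCT ip, call FROM logins) AS l
LEFT JOIN spots AS s ON s.spotter = l.call
WHERE l.ip IN (SELECT ip FROM logins GROUP BY ip HAVING COUNT(DISTINCT call) >= ?)
ORDER BY l.ip, l.call, s.utc
"""

def load(logins, spots):
    """Put the two logs into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logins (ip TEXT, call TEXT)")
    db.execute("CREATE TABLE spots (spotter TEXT, freq REAL, dx TEXT, utc TEXT)")
    db.executemany("INSERT INTO logins VALUES (?, ?)", logins)
    db.executemany("INSERT INTO spots VALUES (?, ?, ?, ?)", spots)
    return db

def suspicious_groups(db, min_calls=2):
    """Return {ip: {call: [(freq, dx, utc), ...]}} for shared addresses."""
    groups = defaultdict(lambda: defaultdict(list))
    for ip, call, freq, dx, utc in db.execute(SUSPECT_SQL, (min_calls,)):
        spots = groups[ip][call]          # creates the entry even with no spots
        if dx is not None:
            spots.append((freq, dx, utc))
    return {ip: dict(calls) for ip, calls in groups.items()}

def single_target_ips(groups):
    """Strongest pattern in the post: many logins from one IP all spotting one call."""
    result = {}
    for ip, calls in groups.items():
        targets = {dx for spots in calls.values() for _, dx, _ in spots}
        if len(targets) == 1:
            result[ip] = targets.pop()
    return result
```

Raising `min_calls` tightens the filter; the address with one call on it never appears, and a shared address whose logins spotted several different stations is listed but not flagged as a single-target group.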
Also a problem in the past has been that spots fitting some of the
patterns we were looking for were coming from www.dxsummit.com. These
were basically a dead end. We could group them, count them, show that
some of the calls being used were not active or had never entered
another spot, but we could not trace them to an IP address.
Now, on to the new stuff... But first a short story. A couple months
ago I was contacted by an agent of the U.S. Secret Service. Someone had
reported announcements made on the cluster network that contained
comments like "death to bush" or some such threatening phrases. Yes,
they do take these things seriously! These were traced through the
network back to k1ttt-14 so I was contacted to see where they came from.
K1ttt-14 happens to be my software that sucks dx spots from
www.dxsummit.com via the #cqdx IRC channel and inserts them into the
network for the rest of the world to see. There are other gateways like
this but mine seems to be the fastest so most of them from that site
come out with my node as the source. I have in the past tried to get
access to the dxsummit IP address logs that their web pages said they
kept but had not been successful, so I told the agent that the original
source of those comments came from there, gave him the web and email
addresses and left it at that... I have not heard back from him since.
BUT, shortly after that I got an email from an operator of dxsummit
telling me they had a new page that listed the ip addresses of all
inputs to the web site... no explanation of why they added it, or why he
was telling me specifically about it, but it is there. And here for the
first time is an analysis of that data.
But first the standard disclaimer... there may be various explanations
for some of these, common rf gateways, local friends making spots using
their own calls, and possibly others... but if you compare where the ip
address traces to with the callsigns that login there some of them are
very odd. And of course the decisions of the contest sponsors are final
when it comes to judging contest logs.
These are simpler to read since all the data is in one table... all I
show is the IP address, the callsign put in at dxsummit (with the -@ that
dxsummit adds) and the call that was spotted. After each block of IP
addresses is the end of the trace as described above:
==========================================================================
A busy group of spotters from around the world using this IP...
200.11.86.85 4Z5MU-@: D88S
200.11.86.85 DJ1ZU-@: D88S
200.11.86.85 DL2AN-@: D88S
200.11.86.85 EA2RC-@: D88S
200.11.86.85 ES5TV-@: D88S
200.11.86.85 F5BPK-@: D88S
200.11.86.85 F5UKL-@: D88S
200.11.86.85 G3IGZ-@: D88S
200.11.86.85 HA1CW-@: D88S
200.11.86.85 HA8KW-@: D88S
200.11.86.85 HG6N-@: D88S
200.11.86.85 HG9X-@: D88S
200.11.86.85 K5TTN-@: D88S
200.11.86.85 LY4CW-@: D88S
200.11.86.85 LZ2DL-@: D88S
200.11.86.85 N7IR-@: D88S
200.11.86.85 NG6O-@: D88S
200.11.86.85 OM5M-@: D88S
200.11.86.85 PT5A-@: D88S
200.11.86.85 RW3RN-@: D88S
200.11.86.85 SP5ELA-@: D88S
200.11.86.85 UU2JQ-@: D88S
200.11.86.85 W0GG-@: D88S
200.11.86.85 YT6A-@: D88S
200.11.86.85 YU1EQ-@: D88S
traces to ac6.cnt.entelchile.net then no response
Sorry I don't read much Spanish, but http://www.entelchile.net/ appears
to be a Chilean ISP site.
==========================================================================
68.160.203.138 AK2P-@: W2/UR5DEM
68.160.203.138 I3HNS-@: W2/UR5DEM
68.160.203.138 OK3DS-@: W2/UR5DEM
68.160.203.138 PA0RDS-@: W2/UR5DEM
68.160.203.138 UX5WWL-@: W2/UR5DEM
68.160.203.138 YU2DG-@: W2/UR5DEM
pool-68-160-203-138.ny325.east.verizon.net
68.161.84.221 DK2RF-@: W2/UR5DEM
68.161.84.221 PA0DXV-@: W2/UR5DEM
pool-68-161-84-221.ny325.east.verizon.net
68.161.81.13 AK2P-@: W2/UR5DEM
68.161.81.13 DF0SF-@: W2/UR5DEM
68.161.81.13 F2RY-@: W2/UR5DEM
68.161.81.13 HA2DR-@: W2/UR5DEM
68.161.81.13 HA3SF-@: W2/UR5DEM
68.161.81.13 I4GTS-@: W2/UR5DEM
68.161.81.13 KC2LLM-@: W2/UR5DEM
68.161.81.13 PP2DX-@: W2/UR5DEM
68.161.81.13 WY6DX-@: W2/UR5DEM
A3-0-0-1716.DSL-RTR4.NY325.verizon-gni.net
==========================================================================
The following group of to5aa spotters seems to have a lot of different
ip's, though they all seem to trace back to something with "LeLamentin"
which I believe is something in Martinique.
193.248.76.234 F6HEQ-@: TO5AA
193.248.76.234 FM5BH-@: TO5AA
193.248.76.234 FM5FJ-@: FM5/TO5AA
traces to P0-0-0.nclam101.LeLamentin.francetelecom.net then no response
80.9.204.176 F6HEQ-@: TO5AA
80.9.204.176 F8AAN-@: TO5AA
80.9.204.176 FM5WD-@: TO5AA
IPBRXNCLAM2.GW.opentransit.net (francetelecom.net doesn't show on this
one but this same path led to 193.248.76.234 above)
80.9.204.110 F6HEQ-@: TO5AA
80.9.204.110 F8AAN-@: TO5AA
80.9.204.110 FM5DN-@: TO5AA
80.9.204.110 FM5DS-@: TO5AA
P0-0-0.nclam102.LeLamentin.francetelecom.net
193.248.77.43 F6HEQ-@: TO5AA
193.248.77.43 F8AAN-@: TO5AA
193.248.77.43 FM5DN-@: TO5AA
193.248.77.43 FM5DS-@: TO5AA
Mix-Le-Lamentin-101-2-43.w193-248.abo.wanadoo.fr
(.fr is for france)
193.248.77.177 F6HEQ-@: TO5AA
193.248.77.177 FM5DN-@: TO5AA
193.248.77.177 FM5FJ-@: TO5AA
nslam101.francetelecom.net
remember, there were also users logged into my node that spotted to5aa:
N3RF & RW3QC from P0-0-0.nclam101.LeLamentin.francetelecom.net
W4BFB & RA3WFS from nslam106.francetelecom.net
RK3QWA & K3LSX from P0-0-0.nclam101.LeLamentin.francetelecom.net
==========================================================================
219.112.10.163 RN4WA-@: JM1TUY
219.112.10.163 VK2ASW-@: JM1TUY
219.112.10.163 W2QU-@: JM1TUY
traces to ge-3-0-0.a08.tokyjp01.jp.ra.verio.net then only numbered
==========================================================================
local friends from the same gateways??
80.92.193.254 RW9AE-@: RA9JR
80.92.193.254 RX9JW-@: RA9JR
80.92.193.254 UA9JMB-@: RA9JR
traces to neptune.helios-net.ru
195.42.147.217 UA9JMB-@: RA9JR
195.42.147.217 UN7FZ-@: RA9JR
traces to gw-prime-arcon.arcon.ru then only numbered
(.ru is for Russia)
==========================================================================
193.111.10.205 DL8WN-@: EY3M
193.111.10.205 RA3OO-@: EY3M
traces to babylon_t--satis-1-s0-2.telekom.ru then only numbered
(.ru is for Russia)
==========================================================================
195.239.235.42 RW4HW-@: RT4I
195.239.235.42 YL2KA-@: RT4I
traces to volgogaz-gw.Samara.gldn.net then only numbered
==========================================================================
213.190.40.247 JH2AMH-@: LY4CW
213.190.40.247 MM0BQS-@: LY4CW
213.190.40.247 PA3FNE-@: LY4CW
213.190.40.247 PP7CW-@: LY4CW
213.190.40.247 SP3PKL-@: LY4CW
213.190.40.247 UR4IYZ-@: LY4CW
adsl-213-190-40-247.takas.lt
DSL in Lithuania! Wish I could get that here!
(.lt is for Lithuania)
==========================================================================
202.179.6.6 OH6FT-@: JT1CO
202.179.6.6 UR5ERW-@: JT1CO
as5400.ub.mng.net (www.ub.mng.net calls itself mongol.net)
202.179.4.56 DXER-@: 4W2DN (DXER uncovered????)
202.179.4.56 JT1BV-@: JT1CO
202.179.4.56 JT1BV-@: WV6E
as5300-56.ub.mng.net (www.ub.mng.net calls itself mongol.net)
==========================================================================
212.94.115.2 DJ3XG-@: PR0F
212.94.115.2 JH1AXN-@: UA9YAB
212.94.115.2 JK1QWX-@: UA9YAB
212.94.115.2 JL8UJZ-@: UA9YAB
212.94.115.2 LZ3DB-@: UA9YAB
telku.biysk.ru
(.ru is for Russia)
==========================================================================
a bunch of local friends on a common gateway maybe?
213.189.83.103 9K2AI-@: 9K9X
213.189.83.103 9K2RO-@: 9K9X
213.189.83.103 9K2SD-@: 9K9X
213.189.83.103 9K2YH-@: 9K9X
NYC-ag4.NYC.US.net.DTAG.DE then into an unnamed network
62.150.84.67 9K2RO-@: 9K9X
62.150.84.67 9K2YH-@: 9K9X
csk009.emirates.net.ae then into an unnamed network
(.ae is for UAE)
==========================================================================
An interesting combination of spotting stations and spots from one ip
address.
212.253.129.11 9A3PA-@: YM2ZF
212.253.129.11 JA0GJJ-@: YM2ZF
212.253.129.11 JA6CUX-@: YM2ZF
212.253.129.11 JM1TUY-@: 7X2RS
212.253.129.11 JM1TUY-@: YM2ZF
212.253.129.11 JM1TUYT-@ TA2ZF (a slip of the finger or mind?)
212.253.129.11 KC1F-@: TK5KP (I know him, he spots from k1ea node)
212.253.129.11 KC1F-@: YM2ZF
212.253.129.11 M0DXR-@: YM2ZF
212.253.129.11 RV4LC-@: YM2ZF
212.253.129.11 UT3UA-@: YM2ZF
212.253.129.11 UU0JM-@: YM2ZF
212.253.129.11 UU2JQ-@: YM2ZF
212.253.129.11 UX5UO-@: YM2ZF
212.253.129.11 Z35W-@: 3A2MW
212.253.129.11 Z35W-@: TK5KP
traces to BS-EA1.BS.DE.NET.DTAG.DE then goes into unnamed network
(.de is Germany)
==========================================================================
A couple other odd things that showed up:
68.155.11.108 N2WN-@: AL1G
68.155.11.108 NOEARS-@: A61AJ (A complainer unmasked?!?!)
ixc01tys-8-1-1.bellsouth.net
169.207.127.70 BR549-@: CB20
169.207.127.70 WA9GJU-@: YITB253 (what in the world is yitb253?)
as1.appl.wi.voyager.net
Non-contest faked self spots?????
217.79.65.77 K5RN -@: LZ2KV
217.79.65.77 W2END -@ LZ2KV
217.79.65.77 W2END-@: LZ2KV
217.79.65.77 W9EV-@: LZ2KV
traces to border1.telecoms.bg then sat.elnics.com
(.bg is Bulgaria)
==========================================================================
Now I am sure a bunch of you are mad at me for either accusing someone
without enough evidence or for just filling up your inbox with a huge
bunch of junk... But what I hope is that word gets around that if you
really want to cheat by spotting yourself it is getting harder and
harder to hide your tracks... maybe you would be better off spending
more time developing operating skills and less trying to cheat on the
internet.
One thing that is funny about spots for some of these stations is that
they get spotted a lot anyway. And in past investigations a self spot,
especially ones just after band or frequency changes, is often put in
just before a real spot, in many nodes that makes the real spot look
like a dupe and it is blocked.
As some of you will undoubtedly attack me for this... SHIELDS UP, so
FLAME ON! Full cluster logs for the weekend, and now an (almost)
complete log of dxsummit spots with IP's will be available to contest
sponsors if they want it for further investigation.
David Robbins K1TTT
e-mail: mailto:k1ttt@arrl.net
web: http://www.k1ttt.net
AR-Cluster node: 145.69MHz or telnet://dxc.k1ttt.net