[CQ-Contest] self spotting abuses in WPX CW

Hamad, 9K2HN 9k2hn at 9k2hn.com
Mon May 26 23:22:18 EDT 2003


Hi Dave & All,

    I really liked your e-mail and it is nice to stop this self spotting
thing, but I saw my call 9K9X (op. 9K2RR) is listed as a self spotter. First,
just to let everyone know that I will not allow anything like this to take
place from my station. Second, you may be right: I noticed that all these
spots are from the same IP, and after a few checks with these guys I came to
know that they have done so from the club PC using their internet connection
without any request from the operator. As you know, our club is open every
day and if you are a known member you can be there for 24h also, so it seems
that these spots are from the club 9K2RA.

I hope this clears everything up

de 9k2hn

----- Original Message ----- 
From: "David Robbins K1TTT" <k1ttt at arrl.net>
To: "reflector cq-contest" <CQ-Contest at contesting.com>
Sent: Sunday, May 25, 2003 11:15 PM
Subject: [CQ-Contest] self spotting abuses in WPX CW


> This is long.  It contains lots of data.  It will be controversial.  I
> am presenting lots of observations that may have other explanations.
> Blame it on a rainy weekend with a s/o guest op.
>
> All that said, I think it is time to reveal some of the 'secrets' of the
> current internet linked dx spotting network.  In particular where it
> comes to tracking apparent self spotting during contests.  Note, that
> some of this type of data has been provided to contest sponsors for the
> last couple years in various contests... I don't know what they have
> done with it for sure as I haven't gone back and matched up my
> suspicions with the final published results.  But I do think that
> putting some more of it out in the open may make some of the abusers
> think twice about trying it in the future... of course it may just make
> them smarter and trickier, but then again the capabilities of the
> network are growing regularly also.
>
> You may have seen some of this type of data after some contests in the
> past, and some of the people who have published it have come under
> personal attack, including threats of violence... it is amazing in my
> view that a hobby such as this can come to such extremes that people
> want to cheat the system to do better, and then when they are caught try
> to hide the facts or become abusive.
>
> First some technical background.  Every time you connect to a computer
> on the internet the computer you connect to gets your IP address.  This
> is the 4 number address like 127.0.0.1 that you may have seen in various
> places while setting up your computer.  The exchange of IP addresses is
> part of the communications protocol and you can not make a connection
> without giving the other computer your address.  Every computer on the
> internet has one of these addresses, and every one is unique... There
> are some networks that group a bunch of machines behind one IP address,
> but these are generally small and the internet visible IP address is
> still unique.  There are also some rf gateways that use one IP address
> for all the users, but again, the internet IP address is still unique
> for that gateway.  It is also possible to trace IP addresses back to
> their source.  It is not always possible to get to the originating
> machine, but normally the ISP or last major network hub can be
> identified.  Even on dialup networks that assign IP addresses
> dynamically each time you connect there are traces and at least the ISP
> and often the area of a city can be identified.  When tracing IP
> addresses you can translate the numbers back into the domain names, like
> how 140.186.101.248=>k1ttt.net.  Usually these names mean something to
> someone, often abbreviations for city or country names are included in
> routers to make them easier to locate.  Many routers outside the U.S.
> include either a company name or country telecom authority name.  But
> for this analysis the important thing is that IP addresses are unique to
> one machine or one gateway on the internet.
>
> Next, the network problem.  There are probably 3 major ways to get spots
> into the network these days.  First are users who connect via rf to a
> cluster node.  This is a rapidly dwindling group and doesn't seem to be
> a problem, or at least not a big one as local sysops can monitor these
> fairly easily and spot strange connections.  Second are the 'telnet'
> cluster nodes.  AR-Cluster, CLX, DXSpider, etc, are common software
> packages that run these nodes.  These are the source of reports you may
> have seen in the past.  All these nodes can record a log of ip addresses
> used to connect to them along with callsigns and the spots entered...
> details of how long the data is kept and the ways to save and extract it
> vary, but they can all do it.  The third major source is
> www.dxsummit.com.  This is a very popular web based site that allows
> users to put in dx spots from a web page interface.  Through various
> mechanisms these spots are then sent out onto the cluster network for
> distribution to the rest of the world.
>
> In the past there were several pattern based approaches to spotting self
> spotting abuses during contests.  These abusers were first noticed when
> a user on the cluster network noticed a spot come out under his call
> that he didn't put out.  Further research revealed that several stations
> who were being spotted frequently were being spotted by calls that
> didn't exist, calls who had never made another spot on the network,
> calls who only spotted them but no one else, and a couple other odd
> things.   Or the spots had obvious patterns like all exactly on the same
> frequency, all the comments were the same, they were spotted immediately
> after a frequency or band change, or spots came from stations that
> shouldn't have propagation at the time.  Most of these would be
> considered circumstantial evidence, though in some cases it was so
> obvious over the period of a contest that it could not be ignored.
>
> By manually tracing spots back to their originating cluster nodes it was
> possible in some cases to get IP addresses and trace them.  Every
> internet node can record a log of ip address vs callsign, not all of
> them keep the data for long and some sysops don't know how to enable it
> or extract the data, but on the popular nodes it is usually fairly easy
> to get the data.  In most of the suspect cases the IP addresses came
> back to the country of the station that was being spotted.  In some
> cases dozens of callsigns were being used from one IP address to login
> to a cluster node, make a spot for one station, then disconnect.  By
> using some simple database tools it is now possible to correlate
> callsigns to IP addresses and in one easy step come up with a list of
> suspicious user calls.  It is then easy to find dx spots that have
> originated from those user calls and spot the obvious patterns... here
> is a sample of the first 36 hours or so of the 2003 WPX CW test results
> from data on just my node:
>
> In each of the groups below there is the IP address followed by the
> callsign used to login to the node.  Each of these is followed by the dx
> spots that were made by that call during the contest.  The last entry in
> each group is the location where the trace of that IP address ended
> up (not necessarily the machine itself, but an indication of where the
> connection was from as I noted above).
>
> ==========================================================================
> 193.248.78.117 N3RF
>     7003.6  TO5AA       24-May-2003 0146Z  FM5
> 193.248.78.117 RW3QC
>    14006.0  TO5AA       23-May-2003 0109Z  FM5
> P0-0-0.nclam101.LeLamentin.francetelecom.net
>
> 80.9.204.183 RA3WFS
>     7026.2  TO5AA       24-May-2003 2242Z  FM5
>    14030.7  TO5AA       24-May-2003 2151Z  FM5
> 80.9.204.183 W4BFB
>    21027.0  TO5AA       25-May-2003 1219Z  from FM5
>    14030.0  TO5AA       25-May-2003 0519Z
>     7006.7  TO5AA       25-May-2003 0431Z
>     7025.0  TO5AA       25-May-2003 0039Z
>    21030.6  TO5AA       24-May-2003 1657Z
>    28029.0  TO5AA       24-May-2003 1615Z
>    28029.0  TO5AA       24-May-2003 1614Z  FM5
> nslam106.francetelecom.net
>
> 193.248.78.179 K3LSX
>     no spots???
> 193.248.78.179 RK3QWA
>    21032.6  TO5AA       24-May-2003 1325Z
>    21032.5  TO5AA       24-May-2003 1216Z
> P0-0-0.nclam101.LeLamentin.francetelecom.net
>
> ==========================================================================
> 195.5.3.203 DS2BGN
>    21033.6  UU7J        24-May-2003 0433Z
> 195.5.3.203 JA1FDG
>    21060.3  UU7J        24-May-2003 0815Z  TEST
> 195.5.3.203 JA2SZC
>    21037.1  UU7J        24-May-2003 0605Z
> 195.5.3.203 JH2NWP
>    14056.3  UU7         24-May-2003 1434Z
> 195.5.3.203 PY5CC
>    14052.2  PT5A        25-May-2003 0044Z  WPX contest
>     7051.6  UU7J        25-May-2003 0018Z
>    28023.0  ZW5B        24-May-2003 2334Z
>    21031.0  PR0F        24-May-2003 2203Z  WPX Fernando de Noronha
> ukrtel-gw.rascom.ru
>
> ==========================================================================
> 213.235.179.18 OK1FJD
>     7019.0  OL3A        25-May-2003 0458Z
>    14037.4  N2MM        24-May-2003 1232Z
>    21039.4  OL3A        24-May-2003 1211Z
>    21007.0  SU9NC       24-May-2003 1211Z
>    21039.0  OL3A        24-May-2003 1100Z
>    21028.0  8P1A        24-May-2003 1100Z
>    21013.2  P41P        24-May-2003 1058Z
>    21066.9  OH3OJ       24-May-2003 0746Z
>    21028.0  OL3A        24-May-2003 0745Z
> 213.235.179.18 UA3JDF
>    14052.0  OL3A        24-May-2003 0652Z
>    14052.0  OL3A        24-May-2003 0644Z
>    14038.8  OL3A        24-May-2003 0638Z
> 213.235.179.18 UA9FGY
>    14013.0  OD5/OK1MU   24-May-2003 0727Z
>    21027.0  OL3A        24-May-2003 0724Z
>    21027.0  OL3A        24-May-2003 0721Z
> 213.235.179.18 UA9II
>    21026.4  OL3A        24-May-2003 1022Z
>    21060.4  RO4M/6      24-May-2003 1019Z
>    14017.0  OL3A        24-May-2003 1019Z
> 213.235.179.18 UA9JFG
>    14017.0  OL3A        24-May-2003 1018Z
>    14017.4  OL3A        24-May-2003 0910Z
>    and other calls also
> 213.235.179.18 UA9JGF
>    21027.0  OL3A        24-May-2003 0713Z
>    14031.1  SV5/DJ5AA/P  24-May-2003 0703Z
>    14052.0  OL3A        24-May-2003 0656Z
> atm-2-0-69.Plzn-364.net.tiscali.cz
> ==========================================================================
>
> Oh well, I probably just lost a few users of my node by publishing this
> information... but there are hundreds more real users out there anyway.
> Just remember, other nodes have this same capability... and any sysop
> who wants to either provide me with their database for analysis or who
> wants to know how to use MS-Access to do this is welcome to contact
> me... for other databases I could give you the SQL for the lookup but
> you would have to adjust it for your table and field names.
>
> In the past some of these would have slipped through the cracks because
> they made other spots so they would not have matched our pattern
> checking, but when correlating IP addresses directly there is much less
> doubt.  When we first did this correlation on the cluster nodes there
> were MANY more hits than this, obviously some cheaters have either quit
> or changed their tactics.  Hopefully this will get passed around again
> and discourage some more of them from doing this in the future.
>
> Also a problem in the past has been that spots fitting some of the
> patterns we were looking for were coming from www.dxsummit.com.  These
> were basically a dead end.  We could group them, count them, show that
> some of the calls being used were not active or had never entered
> another spot, but we could not trace them to an IP address.
>
> Now, on to the new stuff... But first a short story.  A couple months
> ago I was contacted by an agent of the U.S. Secret Service.  Someone had
> reported announcements made on the cluster network that contained
> comments like "death to bush" or some such threatening phrases.  Yes,
> they do take these things seriously!  These were traced through the
> network back to k1ttt-14 so I was contacted to see where they came from.
> K1ttt-14 happens to be my software that sucks dx spots from
> www.dxsummit.com via the #cqdx IRC channel and inserts them into the
> network for the rest of the world to see.  There are other gateways like
> this but mine seems to be the fastest so most of them from that site
> come out with my node as the source.  I have in the past tried to get
> access to the dxsummit IP address logs that their web pages said they
> kept but had not been successful, so I told the agent that the original
> source of those comments came from there, gave him the web and email
> addresses and left it at that... I have not heard back from him since.
> BUT, shortly after that I got an email from an operator of dxsummit
> telling me they had a new page that listed the ip addresses of all
> inputs to the web site... no explanation of why they added it, or why he
> was telling me specifically about it, but it is there.  And here for the
> first time is an analysis of that data.
>
> But first the standard disclaimer... there may be various explanations
> for some of these, common rf gateways, local friends making spots using
> their own calls, and possibly others... but if you compare where the ip
> address traces to with the callsigns that login there some of them are
> very odd.  And of course the decisions of the contest sponsors are final
> when it comes to judging contest logs.
>
> These are simpler to read since all the data is in one table... all I
> show is the IP address, the callsign put in at dxsummit (with the -@ that
> dxsummit adds) and the call that was spotted.  After each block of IP
> addresses is the end of the trace as described above:
>
> ==========================================================================
> A busy group of spotters from around the world using this IP...
> 200.11.86.85 4Z5MU-@: D88S
> 200.11.86.85 DJ1ZU-@: D88S
> 200.11.86.85 DL2AN-@: D88S
> 200.11.86.85 EA2RC-@: D88S
> 200.11.86.85 ES5TV-@: D88S
> 200.11.86.85 F5BPK-@: D88S
> 200.11.86.85 F5UKL-@: D88S
> 200.11.86.85 G3IGZ-@: D88S
> 200.11.86.85 HA1CW-@: D88S
> 200.11.86.85 HA8KW-@: D88S
> 200.11.86.85 HG6N-@: D88S
> 200.11.86.85 HG9X-@: D88S
> 200.11.86.85 K5TTN-@: D88S
> 200.11.86.85 LY4CW-@: D88S
> 200.11.86.85 LZ2DL-@: D88S
> 200.11.86.85 N7IR-@: D88S
> 200.11.86.85 NG6O-@: D88S
> 200.11.86.85 OM5M-@: D88S
> 200.11.86.85 PT5A-@: D88S
> 200.11.86.85 RW3RN-@: D88S
> 200.11.86.85 SP5ELA-@: D88S
> 200.11.86.85 UU2JQ-@: D88S
> 200.11.86.85 W0GG-@: D88S
> 200.11.86.85 YT6A-@: D88S
> 200.11.86.85 YU1EQ-@: D88S
> traces to ac6.cnt.entelchile.net  then no response
> Sorry I don't read much Spanish, but http://www.entelchile.net/ appears
> to be a Chilean ISP site.
>
> ==========================================================================
> 68.160.203.138 AK2P-@: W2/UR5DEM
> 68.160.203.138 I3HNS-@: W2/UR5DEM
> 68.160.203.138 OK3DS-@: W2/UR5DEM
> 68.160.203.138 PA0RDS-@: W2/UR5DEM
> 68.160.203.138 UX5WWL-@: W2/UR5DEM
> 68.160.203.138 YU2DG-@: W2/UR5DEM
> pool-68-160-203-138.ny325.east.verizon.net
>
> 68.161.84.221 DK2RF-@: W2/UR5DEM
> 68.161.84.221 PA0DXV-@: W2/UR5DEM
> pool-68-161-84-221.ny325.east.verizon.net
>
> 68.161.81.13 AK2P-@: W2/UR5DEM
> 68.161.81.13 DF0SF-@: W2/UR5DEM
> 68.161.81.13 F2RY-@: W2/UR5DEM
> 68.161.81.13 HA2DR-@: W2/UR5DEM
> 68.161.81.13 HA3SF-@: W2/UR5DEM
> 68.161.81.13 I4GTS-@: W2/UR5DEM
> 68.161.81.13 KC2LLM-@: W2/UR5DEM
> 68.161.81.13 PP2DX-@: W2/UR5DEM
> 68.161.81.13 WY6DX-@: W2/UR5DEM
> A3-0-0-1716.DSL-RTR4.NY325.verizon-gni.net
>
> ==========================================================================
> The following group of to5aa spotters seems to have a lot of different
> ip's, though they all seem to trace back to something with "LeLamentin"
> which I believe is something in Martinique.
> 193.248.76.234 F6HEQ-@: TO5AA
> 193.248.76.234 FM5BH-@: TO5AA
> 193.248.76.234 FM5FJ-@: FM5/TO5AA
> traces to P0-0-0.nclam101.LeLamentin.francetelecom.net then no response
>
> 80.9.204.176 F6HEQ-@: TO5AA
> 80.9.204.176 F8AAN-@: TO5AA
> 80.9.204.176 FM5WD-@: TO5AA
> IPBRXNCLAM2.GW.opentransit.net (francetelecom.net doesn't show on this
> one but this same path led to 193.248.76.234 above)
>
> 80.9.204.110 F6HEQ-@: TO5AA
> 80.9.204.110 F8AAN-@: TO5AA
> 80.9.204.110 FM5DN-@: TO5AA
> 80.9.204.110 FM5DS-@: TO5AA
> P0-0-0.nclam102.LeLamentin.francetelecom.net
>
> 193.248.77.43 F6HEQ-@: TO5AA
> 193.248.77.43 F8AAN-@: TO5AA
> 193.248.77.43 FM5DN-@: TO5AA
> 193.248.77.43 FM5DS-@: TO5AA
> Mix-Le-Lamentin-101-2-43.w193-248.abo.wanadoo.fr
> (.fr is for france)
>
> 193.248.77.177 F6HEQ-@: TO5AA
> 193.248.77.177 FM5DN-@: TO5AA
> 193.248.77.177 FM5FJ-@: TO5AA
> nslam101.francetelecom.net
>
> remember, there were also users logged into my node that spotted to5aa:
> N3RF & RW3QC from P0-0-0.nclam101.LeLamentin.francetelecom.net
> W4BFB & RA3WFS from nslam106.francetelecom.net
> RK3QWA & K3LSX from P0-0-0.nclam101.LeLamentin.francetelecom.net
>
> ==========================================================================
> 219.112.10.163 RN4WA-@: JM1TUY
> 219.112.10.163 VK2ASW-@: JM1TUY
> 219.112.10.163 W2QU-@: JM1TUY
> traces to ge-3-0-0.a08.tokyjp01.jp.ra.verio.net then only numbered
>
> ==========================================================================
> local friends from the same gateways??
>
> 80.92.193.254 RW9AE-@: RA9JR
> 80.92.193.254 RX9JW-@: RA9JR
> 80.92.193.254 UA9JMB-@: RA9JR
> traces to neptune.helios-net.ru
>
> 195.42.147.217 UA9JMB-@: RA9JR
> 195.42.147.217 UN7FZ-@: RA9JR
> traces to gw-prime-arcon.arcon.ru then only numbered
>
> (.ru is for Russia)
> ==========================================================================
> 193.111.10.205 DL8WN-@: EY3M
> 193.111.10.205 RA3OO-@: EY3M
> traces to babylon_t--satis-1-s0-2.telekom.ru then only numbered
> (.ru is for Russia)
> ==========================================================================
> 195.239.235.42 RW4HW-@: RT4I
> 195.239.235.42 YL2KA-@: RT4I
> traces to volgogaz-gw.Samara.gldn.net then only numbered
>
> ==========================================================================
> 213.190.40.247 JH2AMH-@: LY4CW
> 213.190.40.247 MM0BQS-@: LY4CW
> 213.190.40.247 PA3FNE-@: LY4CW
> 213.190.40.247 PP7CW-@: LY4CW
> 213.190.40.247 SP3PKL-@: LY4CW
> 213.190.40.247 UR4IYZ-@: LY4CW
> adsl-213-190-40-247.takas.lt
> DSL in Lithuania!  Wish I could get that here!
> (.lt is for Lithuania)
>
> ==========================================================================
> 202.179.6.6 OH6FT-@: JT1CO
> 202.179.6.6 UR5ERW-@: JT1CO
> as5400.ub.mng.net (www.ub.mng.net calls itself mongol.net)
>
> 202.179.4.56 DXER-@: 4W2DN  (DXER uncovered????)
> 202.179.4.56 JT1BV-@: JT1CO
> 202.179.4.56 JT1BV-@: WV6E
> as5300-56.ub.mng.net (www.ub.mng.net calls itself mongol.net)
>
> ==========================================================================
> 212.94.115.2 DJ3XG-@:   PR0F
> 212.94.115.2 JH1AXN-@: UA9YAB
> 212.94.115.2 JK1QWX-@: UA9YAB
> 212.94.115.2 JL8UJZ-@: UA9YAB
> 212.94.115.2 LZ3DB-@: UA9YAB
> telku.biysk.ru
> (.ru is for Russia)
>
> ==========================================================================
> a bunch of local friends on a common gateway maybe?
>
> 213.189.83.103 9K2AI-@: 9K9X
> 213.189.83.103 9K2RO-@: 9K9X
> 213.189.83.103 9K2SD-@: 9K9X
> 213.189.83.103 9K2YH-@: 9K9X
> NYC-ag4.NYC.US.net.DTAG.DE then into an unnamed network
>
> 62.150.84.67 9K2RO-@: 9K9X
> 62.150.84.67 9K2YH-@: 9K9X
> csk009.emirates.net.ae then into an unnamed network
> (.ae is for UAE)
> ==========================================================================
>
> An interesting combination of spotting stations and spots from one ip
> address.
> 212.253.129.11 9A3PA-@: YM2ZF
> 212.253.129.11 JA0GJJ-@: YM2ZF
> 212.253.129.11 JA6CUX-@: YM2ZF
> 212.253.129.11 JM1TUY-@: 7X2RS
> 212.253.129.11 JM1TUY-@: YM2ZF
> 212.253.129.11 JM1TUYT-@ TA2ZF (a slip of the finger or mind?)
> 212.253.129.11 KC1F-@: TK5KP (I know him, he spots from k1ea node)
> 212.253.129.11 KC1F-@: YM2ZF
> 212.253.129.11 M0DXR-@: YM2ZF
> 212.253.129.11 RV4LC-@: YM2ZF
> 212.253.129.11 UT3UA-@: YM2ZF
> 212.253.129.11 UU0JM-@: YM2ZF
> 212.253.129.11 UU2JQ-@: YM2ZF
> 212.253.129.11 UX5UO-@: YM2ZF
> 212.253.129.11 Z35W-@: 3A2MW
> 212.253.129.11 Z35W-@: TK5KP
> traces to BS-EA1.BS.DE.NET.DTAG.DE then goes into unnamed network
> (.de is Germany)
>
> ==========================================================================
> A couple other odd things that showed up:
>
> 68.155.11.108 N2WN-@: AL1G
> 68.155.11.108 NOEARS-@: A61AJ  (A complainer unmasked?!?!)
> ixc01tys-8-1-1.bellsouth.net
>
> 169.207.127.70 BR549-@: CB20
> 169.207.127.70 WA9GJU-@: YITB253  (what in the world is yitb253?)
> as1.appl.wi.voyager.net
>
> Non-contest faked self spots?????
> 217.79.65.77 K5RN -@: LZ2KV
> 217.79.65.77 W2END  -@ LZ2KV
> 217.79.65.77 W2END-@: LZ2KV
> 217.79.65.77 W9EV-@: LZ2KV
> traces to border1.telecoms.bg then sat.elnics.com
> (.bg is Bulgaria)
>
> ==========================================================================
>
> Now I am sure a bunch of you are mad at me for either accusing someone
> without enough evidence or for just filling up your inbox with a huge
> bunch of junk... But what I hope is that word gets around that if you
> really want to cheat by spotting yourself it is getting harder and
> harder to hide your tracks... maybe you would be better off spending
> more time developing operating skills and less trying to cheat on the
> internet.
>
> One thing that is funny about spots for some of these stations is that
> they get spotted a lot anyway.  And in past investigations a self spot,
> especially ones just after band or frequency changes, is often put in
> just before a real spot, in many nodes that makes the real spot look
> like a dupe and it is blocked.
>
> As some of you will undoubtedly attack me for this... SHIELDS UP, so
> FLAME ON!  Full cluster logs for the weekend, and now an (almost)
> complete log of dxsummit spots with IP's will be available to contest
> sponsors if they want it for further investigation.
>
>
> David Robbins K1TTT
> e-mail: mailto:k1ttt at arrl.net
> web: http://www.k1ttt.net
> AR-Cluster node: 145.69MHz or telnet://dxc.k1ttt.net
>
>
>
>
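
The correlation described in the quoted message, grouping dxsummit-style entries by source IP and listing addresses where several spotter callsigns all spotted the same station, as an added example that is not part of the original post and is not K1TTT's own database query. The table and column names, the threshold and the sample log (documentation-range addresses, made-up callsigns) are assumptions; a hit is a lead for review, since shared gateways and club PCs produce the same pattern.

```python
import ipaddress
import re
import sqlite3

# Constructed sample in the "IP SPOTTER-@: DX" layout shown above. Addresses
# are from documentation ranges and every callsign is made up.
SAMPLE_LOG = """\
192.0.2.10 AA1AAA-@: ZZ9ZZ
192.0.2.10 BB2BBB-@: ZZ9ZZ
192.0.2.10 CC3CCC -@ ZZ9ZZ
192.0.2.10 DD4DDD-@: ZZ9ZZ
198.51.100.7 EE5EEE-@: XX1XX
198.51.100.7 EE5EEE-@: YY2YY
198.51.100.7 EE5EEE-@: ZZ9ZZ
203.0.113.5 FF6FFF-@: XX1XX
203.0.113.5 GG7GGG-@: YY2YY
999.1.1.1 HH8HHH-@: ZZ9ZZ
this line is not a spot record
"""

# Tolerates the spacing and missing-colon variants seen in the listings.
LINE_RE = re.compile(r"^(\S+)\s+(\S+?)\s*-@:?\s+(\S+)")


def parse_spots(text):
    """Yield (ip, spotter, dx) tuples; skip lines that do not parse."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, spotter, dx = m.groups()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid address, so useless for correlation
        yield ip, spotter.upper(), dx.upper()


def suspicious_groups(text, min_callsigns=3):
    """Return [(ip, dx, n_callsigns, callsigns)] for each source address
    where at least min_callsigns different spotter calls spotted one DX."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE spots (ip TEXT, spotter TEXT, dx TEXT)")
    db.executemany("INSERT INTO spots VALUES (?, ?, ?)", parse_spots(text))
    rows = db.execute(
        """
        SELECT ip, dx, COUNT(DISTINCT spotter) AS n
        FROM spots
        GROUP BY ip, dx
        HAVING COUNT(DISTINCT spotter) >= ?
        ORDER BY n DESC, ip
        """,
        (min_callsigns,),
    ).fetchall()
    result = []
    for ip, dx, n in rows:
        calls = [r[0] for r in db.execute(
            "SELECT DISTINCT spotter FROM spots WHERE ip=? AND dx=? "
            "ORDER BY spotter", (ip, dx))]
        result.append((ip, dx, n, calls))
    db.close()
    return result


if __name__ == "__main__":
    for ip, dx, n, calls in suspicious_groups(SAMPLE_LOG):
        print(f"{ip}: {n} callsigns spotted {dx}: {', '.join(calls)}")
```

The address with one callsign spotting several stations and the address with two callsigns spotting different stations are not reported; only the address where four callsigns all spotted the same station is.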