[CQ-Contest] self spotting abuses in WPX CW

Eric Castro py2emc at pobox.com
Wed May 28 01:57:34 EDT 2003


Hi All,

Well .... D88S is not a valid spot from PT5A team in Boa Vista. We were
to busy to QSOing.
We did not spoted anyone in the contest and our packet connection is RF
(1200Bauds VHF) to a local cluster in Santa Catarina City. As David
said, someone from web interface at DX-SUMMIT did it.

I was surprised when I saw the trace !

73's & DX
Eric - PY2EMC
http://www.cwsp.org.br


-----Original Message-----
From: cq-contest-bounces at contesting.com
[mailto:cq-contest-bounces at contesting.com] On Behalf Of David Robbins
K1TTT
Sent: domingo, 25 de maio de 2003 17:15
To: reflector cq-contest
Subject: [CQ-Contest] self spotting abuses in WPX CW


This is long.  It contains lots of data.  It will be controversial.  I
am presenting lots of observations that may have other explanations.
Blame it on a rainy weekend with a s/o guest op.

All that said, I think it is time to reveal some of the 'secrets' of the
current internet linked dx spotting network.  In particular where it
comes to tracking apparent self spotting during contests.  Note, that
some of this type of data has been provided to contest sponsors for the
last couple years in various contests... I don't know what they have
done with it for sure as I haven't gone back and matched up my
suspicions with the final published results.  But I do think that
putting some more of it out in the open may make some of the abusers
think twice about trying it in the future... of course it may just make
them smarter and trickier, but then again the capabilities of the
network are growing regularly also.  

You may have seen some of this type of data after some contests in the
past, and some of the people who have published it have come under
personal attack, including threats of violence... it is amazing in my
view that a hobby such as this can come to such extremes that people
want to cheat the system to do better, and then when they are caught try
to hide the facts or become abusive.

First some technical background.  Every time you connect to a computer
on the internet the computer you connect to gets your IP address.  This
is the 4 number address like 127.0.0.1 that you may have seen in various
places while setting up your computer.  The exchange of IP addresses is
part of the communications protocol and you can not make a connection
without giving the other computer your address.  Every computer on the
internet has one of these addresses, and every one is unique... There
are some networks that group a bunch of machines behind one IP address,
but these are generally small and the internet visible IP address is
still unique.  There are also some rf gateways that use one IP address
for all the users, but again, the internet IP address is still unique
for that gateway.  It is also possible to trace IP addresses back to
their source.  It is not always possible to get to the originating
machine, but normally the ISP or last major network hub can be
identified.  Even on dialup networks that assign IP addresses
dynamically each time you connect there are traces and at least the ISP
and often the area of a city can be identified.  When tracing IP
addresses you can translate the numbers back into the domain names, like
how 140.186.101.248=>k1ttt.net.  Usually these names mean something to
someone, often abbreviations for city or country names are included in
routers to make them easier to locate.  Many routers outside the U.S.
include either a company name or country telecom authority name.  But
for this analysis the important thing is that IP addresses are unique to
one machine or one gateway on the internet.

Next, the network problem.  There are probably 3 major ways to get spots
into the network these days.  First are users who connect via rf to a
cluster node.  This is a rapidly dwindling group and doesn't seem to be
a problem, or at least not a big one as local sysops can monitor these
fairly easily and spot strange connections.  Second are the 'telnet'
cluster nodes.  AR-Cluster, CLX, DXSpider, etc, are common software
packages that run these nodes.  These are the source of reports you may
have seen in the past.  All these node can record a log of ip addresses
used to connect to them along with callsigns and the spots entered...
details of how long the data is kept and the ways to save and extract it
vary, but they can all do it.  The third major source is
www.dxsummit.com.  This is a very popular web based site that allows
users to put in dx spots from a web page interface.  Through various
mechanisms these spots are then sent out onto the cluster network for
distribution to the rest of the world.
 
In the past there were several pattern based approaches to spotting self
spotting abuses during contests.  These abusers were first noticed when
a user on the cluster network noticed a spot come out under his call
that he didn't put out.  Further research revealed that several stations
who were being spotted frequently were being spotted by calls that
didn't exist, calls who had never made another spot on the network,
calls who only spotted them but no one else, and a couple other odd
things.   Or the spots had obvious patterns like all exactly on the same
frequency, all the comments were the same, they were spotted immediately
after a frequency or band change, or spots came from stations that
shouldn't have propagation at the time.  Most of these would be
considered circumstantial evidence, though in some cases it was so
obvious over the period of a contest that it could not be ignored.

By manually tracing spots back to their originating cluster nodes it was
possible in some cases to get IP addresses and trace them.  Every
internet node can record a log of ip address vs callsign, not all of
them keep the data for long and some sysops don't know how to enable it
or extract the data, but on the popular nodes it is usually fairly easy
to get the data.  In most of the suspect cases the IP addresses came
back to the country of the station that was being spotted.  In some
cases dozens of callsigns were being used from one IP address to login
to a cluster node, make a spot for one station, then disconnect.  By
using some simple database tools it is now possible to correlate
callsigns to IP addresses and in one easy step come up with a list of
suspicious user calls.  It is then easy to find dx spots that have
originated from those user calls and spot the obvious patterns... here
is a sample of the first 36 hours or so of the 2003 WPX CW test results
from data on just my node:

In each of the groups below there is the IP address followed by the
callsign used to login to the node.  Each of these is followed by the dx
spots that were made by that call during the contest.  The last entry in
each group is the location where the trace of that IP address ended
up(not necessarily the machine itself, but an indication of where the
connection was from as I noted above).  

========================================================================
==
193.248.78.117	N3RF
    7003.6  TO5AA       24-May-2003 0146Z  FM5
193.248.78.117	RW3QC
   14006.0  TO5AA       23-May-2003 0109Z  FM5
P0-0-0.nclam101.LeLamentin.francetelecom.net

80.9.204.183	RA3WFS
    7026.2  TO5AA       24-May-2003 2242Z  FM5 
   14030.7  TO5AA       24-May-2003 2151Z  FM5 
80.9.204.183	W4BFB
   21027.0  TO5AA       25-May-2003 1219Z  from FM5
   14030.0  TO5AA       25-May-2003 0519Z          
    7006.7  TO5AA       25-May-2003 0431Z          
    7025.0  TO5AA       25-May-2003 0039Z          
   21030.6  TO5AA       24-May-2003 1657Z          
   28029.0  TO5AA       24-May-2003 1615Z          
   28029.0  TO5AA       24-May-2003 1614Z  FM5     
nslam106.francetelecom.net

193.248.78.179	K3LSX
    no spots???
193.248.78.179	RK3QWA
   21032.6  TO5AA       24-May-2003 1325Z
   21032.5  TO5AA       24-May-2003 1216Z
P0-0-0.nclam101.LeLamentin.francetelecom.net

========================================================================
==
195.5.3.203	DS2BGN
   21033.6  UU7J        24-May-2003 0433Z
195.5.3.203	JA1FDG
   21060.3  UU7J        24-May-2003 0815Z  TEST
195.5.3.203	JA2SZC
   21037.1  UU7J        24-May-2003 0605Z      
195.5.3.203	JH2NWP
   14056.3  UU7         24-May-2003 1434Z      
195.5.3.203	PY5CC
   14052.2  PT5A        25-May-2003 0044Z  WPX contest
    7051.6  UU7J        25-May-2003 0018Z             
   28023.0  ZW5B        24-May-2003 2334Z             
   21031.0  PR0F        24-May-2003 2203Z  WPX Fernando de Noronha 
ukrtel-gw.rascom.ru

========================================================================
==
213.235.179.18	OK1FJD
    7019.0  OL3A        25-May-2003 0458Z 
   14037.4  N2MM        24-May-2003 1232Z 
   21039.4  OL3A        24-May-2003 1211Z 
   21007.0  SU9NC       24-May-2003 1211Z 
   21039.0  OL3A        24-May-2003 1100Z 
   21028.0  8P1A        24-May-2003 1100Z 
   21013.2  P41P        24-May-2003 1058Z 
   21066.9  OH3OJ       24-May-2003 0746Z 
   21028.0  OL3A        24-May-2003 0745Z 
213.235.179.18	UA3JDF
   14052.0  OL3A        24-May-2003 0652Z 
   14052.0  OL3A        24-May-2003 0644Z 
   14038.8  OL3A        24-May-2003 0638Z 
213.235.179.18	UA9FGY
   14013.0  OD5/OK1MU   24-May-2003 0727Z 
   21027.0  OL3A        24-May-2003 0724Z 
   21027.0  OL3A        24-May-2003 0721Z 
213.235.179.18	UA9II
   21026.4  OL3A        24-May-2003 1022Z 
   21060.4  RO4M/6      24-May-2003 1019Z 
   14017.0  OL3A        24-May-2003 1019Z 
213.235.179.18	UA9JFG
   14017.0  OL3A        24-May-2003 1018Z 
   14017.4  OL3A        24-May-2003 0910Z 
   and other calls also
213.235.179.18	UA9JGF
   21027.0  OL3A        24-May-2003 0713Z 
   14031.1  SV5/DJ5AA/P  24-May-2003 0703Z
   14052.0  OL3A        24-May-2003 0656Z 
atm-2-0-69.Plzn-364.net.tiscali.cz
========================================================================
==

Oh well, I probably just lost a few users of my node by publishing this
information... but there are hundreds more real users out there anyway.
Just remember, other nodes have this same capability... and any sysop
who wants to either provide me with their database for analysis or who
wants to know how to use MS-Access to do this is welcome to contact
me... for other databases I could give you the SQL for the lookup but
you would have to adjust it for your table and field names.

In the past some of these would have slipped through the cracks because
they made other spots so they would not have matched our pattern
checking, but when correlating IP addresses directly there is much less
doubt.  When we first did this correlation on the cluster nodes there
were MANY more hits than this, obviously some cheaters have either quit
or changed their tactics.  Hopefully this will get passed around again
and discourage some more of them from doing this in the future.

Also a problem in the past has been that spots fitting some of the
patterns we were looking for were coming from www.dxsummit.com.  These
were basically a dead end.  We could group them, count them, show that
some of the calls being used were not active or had never entered
another spot, but we could not trace them to an IP address.

Now, on to the new stuff... But first a short story.  A couple months
ago I was contacted by an agent of the U.S. Secret Service.  Someone had
reported announcements made on the cluster network that contained
comments like "death to bush" or some such threatening phrases.  Yes,
they do take these things seriously!  These were traced through the
network back to k1ttt-14 so I was contacted to see where they came from.
K1ttt-14 happens to be my software that sucks dx spots from
www.dxsummit.com via the #cqdx IRC channel and inserts them into the
network for the rest of the world to see.  There are other gateways like
this but mine seems to be the fastest so most of them from that site
come out with my node as the source.  I have in the past tried to get
access to the dxsummit IP address logs that their web pages said they
kept but had not been successful, so I told the agent that the original
source of those comments came from there, gave him the web and email
addresses and left it at that... I have not heard back from him since.
BUT, shortly after that I got an email from an operator of dxsummit
telling me they had a new page that listed the ip addresses of all
inputs to the web site... no explanation of why they added it, or why he
was telling me specifically about it, but it is there.  And here for the
first time is an analysis of that data.

But first the standard disclaimer... there may be various explanations
for some of these, common rf gateways, local friends making spots using
their own calls, and possibly others... but if you compare where the ip
address traces to with the callsigns that login there some of them are
very odd.  And of course the decisions of the contest sponsors are final
when it comes to judging contest logs.

These are simpler to read since all the data is in one table... all I
show is the IP address, the callsign put in at dxsummit(with the -@ that
dxsummit adds) and the call that was spotted.  After each block of IP
addresses is the end of the trace as described above:

========================================================================
==
A busy group of spotters from around the world using this IP...
200.11.86.85	4Z5MU-@:	D88S
200.11.86.85	DJ1ZU-@:	D88S
200.11.86.85	DL2AN-@:	D88S
200.11.86.85	EA2RC-@:	D88S
200.11.86.85	ES5TV-@:	D88S
200.11.86.85	F5BPK-@:	D88S
200.11.86.85	F5UKL-@:	D88S
200.11.86.85	G3IGZ-@:	D88S
200.11.86.85	HA1CW-@:	D88S
200.11.86.85	HA8KW-@:	D88S
200.11.86.85	HG6N-@:	D88S
200.11.86.85	HG9X-@:	D88S
200.11.86.85	K5TTN-@:	D88S
200.11.86.85	LY4CW-@:	D88S
200.11.86.85	LZ2DL-@:	D88S
200.11.86.85	N7IR-@:	D88S
200.11.86.85	NG6O-@:	D88S
200.11.86.85	OM5M-@:	D88S
200.11.86.85	PT5A-@:	D88S
200.11.86.85	RW3RN-@:	D88S
200.11.86.85	SP5ELA-@:	D88S
200.11.86.85	UU2JQ-@:	D88S
200.11.86.85	W0GG-@:	D88S
200.11.86.85	YT6A-@:	D88S
200.11.86.85	YU1EQ-@:	D88S
traces to ac6.cnt.entelchile.net  then no response
Sorry I don't read much Spanish, but http://www.entelchile.net/ appears
to be a Chilean ISP site.

========================================================================
==
68.160.203.138	AK2P-@:	W2/UR5DEM
68.160.203.138	I3HNS-@:	W2/UR5DEM
68.160.203.138	OK3DS-@:	W2/UR5DEM
68.160.203.138	PA0RDS-@:	W2/UR5DEM
68.160.203.138	UX5WWL-@:	W2/UR5DEM
68.160.203.138	YU2DG-@:	W2/UR5DEM
pool-68-160-203-138.ny325.east.verizon.net

68.161.84.221	DK2RF-@:	W2/UR5DEM
68.161.84.221	PA0DXV-@:	W2/UR5DEM
pool-68-161-84-221.ny325.east.verizon.net

68.161.81.13	AK2P-@:	W2/UR5DEM
68.161.81.13	DF0SF-@:	W2/UR5DEM
68.161.81.13	F2RY-@:	W2/UR5DEM
68.161.81.13	HA2DR-@:	W2/UR5DEM
68.161.81.13	HA3SF-@:	W2/UR5DEM
68.161.81.13	I4GTS-@:	W2/UR5DEM
68.161.81.13	KC2LLM-@:	W2/UR5DEM
68.161.81.13	PP2DX-@:	W2/UR5DEM
68.161.81.13	WY6DX-@:	W2/UR5DEM
A3-0-0-1716.DSL-RTR4.NY325.verizon-gni.net

========================================================================
==
The following group of to5aa spotters seems to have a lot of different
ip's, though they all seem to trace back to something with "LeLamentin"
which I believe is something in Martinique.
193.248.76.234	F6HEQ-@:	TO5AA
193.248.76.234	FM5BH-@:	TO5AA
193.248.76.234	FM5FJ-@:	FM5/TO5AA
traces to P0-0-0.nclam101.LeLamentin.francetelecom.net then no response

80.9.204.176	F6HEQ-@:	TO5AA
80.9.204.176	F8AAN-@:	TO5AA
80.9.204.176	FM5WD-@:	TO5AA
IPBRXNCLAM2.GW.opentransit.net (francetelecom.net doesn't show on this
one but this same path led to 193.248.76.234 above)

80.9.204.110	F6HEQ-@:	TO5AA
80.9.204.110	F8AAN-@:	TO5AA
80.9.204.110	FM5DN-@:	TO5AA
80.9.204.110	FM5DS-@:	TO5AA
P0-0-0.nclam102.LeLamentin.francetelecom.net

193.248.77.43	F6HEQ-@:	TO5AA
193.248.77.43	F8AAN-@:	TO5AA
193.248.77.43	FM5DN-@:	TO5AA
193.248.77.43	FM5DS-@:	TO5AA
Mix-Le-Lamentin-101-2-43.w193-248.abo.wanadoo.fr
(.fr is for france)

193.248.77.177	F6HEQ-@:	TO5AA
193.248.77.177	FM5DN-@:	TO5AA
193.248.77.177	FM5FJ-@:	TO5AA
nslam101.francetelecom.net

remember, there were also users logged into my node that spotted to5aa:
N3RF & RW3QC from P0-0-0.nclam101.LeLamentin.francetelecom.net
W4BFB & RA3WFS from nslam106.francetelecom.net
RK3QWA & K3LSX from P0-0-0.nclam101.LeLamentin.francetelecom.net

========================================================================
==
219.112.10.163	RN4WA-@:	JM1TUY
219.112.10.163	VK2ASW-@:	JM1TUY
219.112.10.163	W2QU-@:	JM1TUY
traces to ge-3-0-0.a08.tokyjp01.jp.ra.verio.net then only numbered

========================================================================
==
local friends from the same gateways??

80.92.193.254	RW9AE-@:	RA9JR
80.92.193.254	RX9JW-@:	RA9JR
80.92.193.254	UA9JMB-@:	RA9JR
traces to neptune.helios-net.ru

195.42.147.217	UA9JMB-@:	RA9JR
195.42.147.217	UN7FZ-@:	RA9JR
traces to gw-prime-arcon.arcon.ru then only numbered

(.ru is for Russia)
========================================================================
==
193.111.10.205	DL8WN-@:	EY3M
193.111.10.205	RA3OO-@:	EY3M
traces to babylon_t--satis-1-s0-2.telekom.ru then only numbered (.ru is
for Russia)
========================================================================
==
195.239.235.42	RW4HW-@:	RT4I
195.239.235.42	YL2KA-@:	RT4I
traces to volgogaz-gw.Samara.gldn.net then only numbered

========================================================================
==
213.190.40.247	JH2AMH-@:	LY4CW
213.190.40.247	MM0BQS-@:	LY4CW
213.190.40.247	PA3FNE-@:	LY4CW
213.190.40.247	PP7CW-@:	LY4CW
213.190.40.247	SP3PKL-@:	LY4CW
213.190.40.247	UR4IYZ-@:	LY4CW
adsl-213-190-40-247.takas.lt
DSL in Lithuania!  Wish I could get that here!
(.lt is for Lithuania)

========================================================================
==
202.179.6.6	OH6FT-@:	JT1CO
202.179.6.6	UR5ERW-@:	JT1CO
as5400.ub.mng.net (www.ub.mng.net calls itself mongol.net)

202.179.4.56	DXER-@:	4W2DN  (DXER uncovered????)
202.179.4.56	JT1BV-@:	JT1CO
202.179.4.56	JT1BV-@:	WV6E
as5300-56.ub.mng.net (www.ub.mng.net calls itself mongol.net)

========================================================================
==
212.94.115.2	DJ3XG-@: 	  PR0F
212.94.115.2	JH1AXN-@:	UA9YAB
212.94.115.2	JK1QWX-@:	UA9YAB
212.94.115.2	JL8UJZ-@:	UA9YAB
212.94.115.2	LZ3DB-@:	UA9YAB
telku.biysk.ru
(.ru is for Russia)

========================================================================
==
a bunch of local friends on a common gateway maybe?

213.189.83.103	9K2AI-@:	9K9X
213.189.83.103	9K2RO-@:	9K9X
213.189.83.103	9K2SD-@:	9K9X
213.189.83.103	9K2YH-@:	9K9X
NYC-ag4.NYC.US.net.DTAG.DE then into an unnamed network

62.150.84.67	9K2RO-@:	9K9X
62.150.84.67	9K2YH-@:	9K9X
csk009.emirates.net.ae then into an unnamed network
(.ae is for UAE)
========================================================================
==

An interesting combination of spotting stations and spots from one ip
address.
212.253.129.11	9A3PA-@:	YM2ZF
212.253.129.11	JA0GJJ-@:	YM2ZF
212.253.129.11	JA6CUX-@:	YM2ZF
212.253.129.11	JM1TUY-@:	7X2RS
212.253.129.11	JM1TUY-@:	YM2ZF
212.253.129.11	JM1TUYT-@	TA2ZF (a slip of the finger or mind?)
212.253.129.11	KC1F-@:	TK5KP (I know him, he spots from k1ea node)
212.253.129.11	KC1F-@:	YM2ZF
212.253.129.11	M0DXR-@:	YM2ZF
212.253.129.11	RV4LC-@:	YM2ZF
212.253.129.11	UT3UA-@:	YM2ZF
212.253.129.11	UU0JM-@:	YM2ZF
212.253.129.11	UU2JQ-@:	YM2ZF
212.253.129.11	UX5UO-@:	YM2ZF
212.253.129.11	Z35W-@:	3A2MW
212.253.129.11	Z35W-@:	TK5KP
traces to BS-EA1.BS.DE.NET.DTAG.DE then goes into unnamed network (.de
is Germany)

========================================================================
==
A couple other odd things that showed up:

68.155.11.108	N2WN-@:	AL1G
68.155.11.108	NOEARS-@:	A61AJ  (A complainer unmasked?!?!)
ixc01tys-8-1-1.bellsouth.net

169.207.127.70	BR549-@:	CB20
169.207.127.70	WA9GJU-@:	YITB253  (what in the world is yitb253?)
as1.appl.wi.voyager.net

Non-contest faked self spots?????
217.79.65.77	K5RN -@:	LZ2KV
217.79.65.77	W2END  -@	LZ2KV
217.79.65.77	W2END-@:	LZ2KV
217.79.65.77	W9EV-@:	LZ2KV
traces to border1.telecoms.bg then sat.elnics.com
(.bg is Bulgeria)

========================================================================
==

Now I am sure a bunch of you are mad at me for either accusing someone
without enough evidence or for just filling up your inbox with a huge
bunch of junk... But what I hope is that word gets around that if you
really want to cheat by spotting yourself it is getting harder and
harder to hide your tracks... maybe you would be better off spending
more time developing operating skills and less trying to cheat on the
internet.

One thing that is funny about spots for some of these stations is that
they get spotted a lot anyway.  And in past investigations a self spot,
especially ones just after band or frequency changes, is often put in
just before a real spot, in many nodes that makes the real spot look
like a dupe and it is blocked.  

As some of you will undoubtedly attack me for this... SHIELDS UP, so
FLAME ON!  Full cluster logs for the weekend, and now an (almost)
complete log of dxsummit spots with IP's will be available to contest
sponsors if they want it for further investigation.


David Robbins K1TTT
e-mail: mailto:k1ttt at arrl.net
web: http://www.k1ttt.net
AR-Cluster node: 145.69MHz or telnet://dxc.k1ttt.net
 



---------------------------------------------------------------
    The world's top contesters battle it out in Finland!
THE OFFICIAL FILM of WRTC 2002 now on professional DVD and VHS!
       http://home1.pacific.net.sg/~jamesb/
---------------------------------------------------------------

_______________________________________________
CQ-Contest mailing list
CQ-Contest at contesting.com
http://lists.contesting.com/mailman/listinfo/cq-contest




More information about the CQ-Contest mailing list