[Dxspider-support] fraud detection

Brendan Minish ei6iz.brendan at gmail.com
Sun Dec 11 21:35:05 GMT 2011


On Sun, 2011-12-11 at 22:04 +0100, Márkus Béla wrote: 
> Jim,
> 
> I don't think so. I am not aware of any case when the IP address is changed in 
> the public network. Maybe I'm wrong.
> 
> Béla
> 

Hi Béla

I don't think this applies here.
But some of the 3G networks do carrier-grade NAT now here in EI (&
probably other parts of Europe), at least for customers with smart
phones. In this case you might see several users with the same IP.

I am most curious about the IP in France (213.251.189.204) that
originated so many calls, all with -10.
Might that be software doing something strange?

This netblock appears to be allocated to infrastructure servers of a
hosting company so it may be related to shared hosted web service of
some kind? 


[bminish at redbox ~]$ whois 213.251.189.204
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '213.251.189.0 - 213.251.189.255'

inetnum:        213.251.189.0 - 213.251.189.255
netname:        OVH
descr:          OVH SAS
descr:          Infrastructure servers
descr:          http://www.ovh.com
country:        FR
admin-c:        OK217-RIPE
tech-c:         OTC2-RIPE
status:         ASSIGNED PA
remarks:        INFRA-AW
mnt-by:         OVH-MNT
source:         RIPE # Filtered

role:           OVH Technical Contact
address:        OVH SAS
address:        2 rue Kellermann
address:        59100 Roubaix
address:        France
admin-c:        OK217-RIPE
tech-c:         GM84-RIPE
nic-hdl:        OTC2-RIPE
abuse-mailbox:  abuse at ovh.net
mnt-by:         OVH-MNT
source:         RIPE # Filtered

person:         Octave Klaba
address:        OVH SAS
address:        2 rue Kellermann
address:        59100 Roubaix
address:        France
phone:          +33 9 74 53 13 23
nic-hdl:        OK217-RIPE
abuse-mailbox:  abuse at ovh.net
mnt-by:         OVH-MNT
source:         RIPE # Filtered

% Information related to '213.251.128.0/18AS16276'

route:        213.251.128.0/18
descr:        OVH ISP
descr:        Paris, France
origin:       AS16276
mnt-by:       OVH-MNT
source:       RIPE # Filtered









> On 2011.12.11 at 18:23, Jim Bayer wrote:
> > I'm wondering if there is ISP address munging here.  Perhaps many public
> > addresses are aggregated at the border of an ISP (not country) and it makes
> > it look like all the requests are coming from the same address.  Like a PAT
> > address (Public Address Translation) on a grander scale.
> >
> > Just a thought...
> >
> >
> > '73
> > Jim  - KC9AOP
> >
> > -----Original Message-----
> > From: dxspider-support-bounces at dxcluster.org
> > [mailto:dxspider-support-bounces at dxcluster.org] On Behalf Of Márkus Béla
> > Sent: Sunday, December 11, 2011 10:01 AM
> > To: The DXSpider Support list
> > Subject: [Dxspider-support] fraud detection
> >
> > Thinking about a fraud detection tool, I made some analysis of the November
> > data. It is interesting to see that in a huge number of cases the same IP is
> > used by different calls. Usually the difference is only the SSID. There are
> > club stations sharing infrastructure, or a team spending a vacation abroad,
> > e.g. in EA8, or there is a typo in the call. But there are really interesting
> > cases, a few of them below (originating IP and calls used to log in).
> >
> > Regards... Béla, HA5DI
> >
> >
> > 84.194.52.107 (Belgium)
> > OT4A IK1JUO DF1BO IT9RYH I0ARI IK9SKY I4RER IZ1KDO CI0RCUS JA3ERT G6YUI
> > ON0LID HA5OKQ JH7LNN IK1ARI JA4CYZ JA4AQC IK0FGL I0NI JA1AQC IT7RYH I5IRE
> > I0QMN
> >
> > 213.251.189.204 (France)
> > RD9FD-10 F5UOE-10 F0FIG-10 F6EDO-10 OK2HB-10 LZ1FI-10 UW3QBB-10 F5IEP-10
> > DK2AI-10 G0API-10 N9SB-10 HA6IAM-10 F5RVI-10 F6KUP-10 F5XX-10 F6CXJ-10
> > F1HDY-10 9A3ARN-10 ON8VP-10 F8GGV-10 F6INI-10 PD2BA-10 WA6HZY-10
> > IZ5OVP-10 N6VNO-10 KI7VR-10 GM3UAG-10 F6FRR-10 F5NTV-10 4Z5KO-10
> > KP4DE-10 RV9DC-10 F2YV-10 DL5DF-10 F8NUH-10 VE2TKH-10 F6BBO-10 DL3HXX-10
> > UR2VA-10 OK1FHI-10 DK5AI-10 ST0R-10 F4ABC-10 YT1KC-10 ON6MM-10 SP3EA-10
> > KA5CJJ-10 HA0KLU-10 F4FRG-10 HA8MT-10 K0MGA-10 DO1JWZ-10 G4BAO-10
> > DJ5DN-10 F5NYZ-10 IK5VLR-10 7X2RO-10 F8GFA-10 DM5BB-10 ON8BB-10 F6FNG-10
> > RK9JWV-10 DK2CF-10 LU2AJW-10 SM0BRF-10 UT7IA-10 F6EIK-10 OK2QX-10
> > OE9MON-10 LZ5R-10 F5VLY-10 SQ1DWR-10 E73LM-10 LU8IEZ-10 IW7DEB-10
> > OK1HB-10 OM7TJ-10 VE3TY-10 PU2YEN-10 VA2RSM-10 F5NAK-10 WA6A-10
> > SP1JPQ-10 DO8WA-10 M0YMJ-10 OK1AD-10 II2Z-10 F9YR-10 F4FEP-10 ZL2CQ-10
> > F8CHM-10 F5JNE-10 YU2V-10 IZ8CKT-10 F4FDA-10 OM3ZAS-10 PY4WAS-10 YL1S-10
> > F3CW-10 RW1AI-10 OK1IO-10 DF3EH-10 YR8B-10 F4CVH-10 G4GVB-10 YL2PP-10
> > IZ0ABQ-10 F0GHK-10 F4ULC-10 F5TYQ-10 F8FAZ-10 UX0LC-10 F4FIU-10
> >
> > 151.45.45.163 (Italy)
> > RU3ER DL1WED UX2IT K5DFG EA4DFG KD0KJ K2WE W5DF K4DF N7FG RZ6GHJ UA4CJT
> > K6JGH K5VB K3VML K8BN N7DJH K2SD K1ASD IZ7FLP
> >
> > 146.48.126.27 (Italy)
> > IR5PWJ-6 PC5C OE4MDA K1ZM PA2V IK5ZAF PA3CNO LX1CN W0QQ IK5SQS OE6POD OE3BOA
> > OE4JHW OK1KF DO2XX IZ8EBI OE5GWP K6HJM KF8CE PA3HDM DG4FR SP7TOB
> >
> > 78.111.176.114 (Ukraine)
> > PA3DER YO3CC PA4FER SM3ERW UX4FC F3TCA RN9ST YO3CD UR5FD YO3KC YO4MM YO9SW
> > YO8KDD UA0LCC
> >
> >
> >
> > _______________________________________________
> > Dxspider-support mailing list
> > Dxspider-support at dxcluster.org
> > http://mailman.tobit.co.uk/mailman/listinfo/dxspider-support
> >

-- 
73
Brendan EI6IZ 
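
The per-IP grouping discussed in this thread, as an added example (not part of the original messages and not DXSpider code). It separates the benign "same call, different SSID" case from an address where every call carries the same SSID, and leaves the rest for manual review, since carrier-grade NAT can also put unrelated users behind one address. The record format, the threshold and the verdict names are assumptions; the addresses and callsigns are constructed.

```python
from collections import defaultdict

# Constructed sample login records: (source IP, callsign as typed at login).
# Addresses are from documentation ranges; callsigns are made-up placeholders.
SAMPLE_LOGINS = [
    ("192.0.2.10", "Q1AAA"), ("192.0.2.10", "q1aaa-1"), ("192.0.2.10", "Q1AAA-2"),
    ("198.51.100.7", "Q2AAA-10"), ("198.51.100.7", "Q2BBB-10"),
    ("198.51.100.7", "Q2CCC-10"), ("198.51.100.7", "Q2DDD-10"),
    ("203.0.113.5", "Q3AAA"), ("203.0.113.5", "Q3BBB"),
    ("203.0.113.5", "Q3CCC-6"), ("203.0.113.5", "Q3DDD"),
    ("203.0.113.99", "Q4AAA"), ("203.0.113.99", "Q4BBB"),
]


def split_call(call):
    """Return (base_call, ssid); ssid is None when the login has no SSID."""
    base, sep, ssid = call.strip().upper().partition("-")
    return base, (ssid if sep else None)


def classify(logins, min_calls=3):
    """Group logins by source IP and label each address.

    min_calls is an assumed threshold: below it, a shared address is
    treated as a club station, a shared household or a typo.
    """
    by_ip = defaultdict(set)
    for ip, call in logins:
        by_ip[ip].add(split_call(call))

    report = {}
    for ip, pairs in by_ip.items():
        bases = {base for base, _ in pairs}
        ssids = {ssid for _, ssid in pairs}
        if len(bases) == 1:
            verdict = "single-station"   # one call, possibly several SSIDs
        elif len(bases) < min_calls:
            verdict = "few-calls"        # club station, typo, shared line
        elif len(ssids) == 1 and None not in ssids:
            verdict = "uniform-ssid"     # every call has the same SSID:
                                         # points at software or a gateway
        else:
            verdict = "review"           # many unrelated calls; may be NAT
        report[ip] = (verdict, len(bases))
    return report


if __name__ == "__main__":
    for ip, (verdict, count) in sorted(classify(SAMPLE_LOGINS).items()):
        print(f"{ip:15} {count:3} distinct calls  {verdict}")
```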



