[Dxspider-support] fraud detection

Márkus Béla ha5di at freemail.hu
Sun Dec 11 22:25:45 GMT 2011


Brendan,

-10 addresses are interesting. All stations connected to F5LEN-7 via the WEB 
interface, see his home page: http://cluster.f5len.org/info.htm

Regarding mobile NAT, it may happen due to the limited availability of IPv4 addresses and not using IPv6. However I can't imagine a case when both

PA3DER YO3CC PA4FER SM3ERW UX4FC F3TCA RN9ST YO3CD UR5FD YO3KC YO4MM YO9SW YO8KDD UA0LCC

are connected to the same mobile operator and are spotting while sharing the same single IP address. Its probability is rather low :)

When stations from a common IP are logging into the same node, it must be a WEB interface, not a fraud. It's OK.

Now see the following:

93.99.200.207
1322265522^DXProt^PC92A RA9WFG ->  93.99.200.207 on S50DXS
1322295501^DXProt^PC92A RA9HJK ->  93.99.200.207 on S50DXS
1322305021^DXProt^PC92A K4RFJ ->  93.99.200.207 on S50CLX
1322308922^DXProt^PC92A K4JKI ->  93.99.200.207 on S50CLX
1322318526^DXProt^PC92A N8IKL ->  93.99.200.207 on S50DXS
1322342108^DXProt^PC92A JA3EDF ->  93.99.200.207 on F5LEN-7

2.50.196.236
1320119909^DXProt^PC92A A65XX ->  2.50.196.236 on GB7RAU
1320124177^DXProt^PC92A RV6AJJ ->  2.50.196.236 on RW3XA-8
1320294186^DXProt^PC92A A65CA ->  2.50.196.236 on S50CLX
It is fraud.


Regards... Béla
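As an added example (not part of this thread and not DXSpider's own code), the following Python script applies the reasoning from the messages above to PC92A login lines in the format quoted: it groups logins by source IP, strips the SSID so that one station's several SSIDs are not counted as different calls, treats an IP whose logins all arrive through a known web-interface node (F5LEN-7, as named on this page) as explained, and marks the remaining multi-call, multi-node IPs for review. The `WEB_INTERFACE_NODES` set is an assumption the node operator would maintain; in the sample log the 198.51.100.7 and 203.0.113.5 lines are constructed (documentation address ranges), the other lines are the ones quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the first seven lines are the PC92A lines quoted in the
# thread, the last four are made up to show the benign cases.
SAMPLE_LOG = """\
1322265522^DXProt^PC92A RA9WFG ->  93.99.200.207 on S50DXS
1322295501^DXProt^PC92A RA9HJK ->  93.99.200.207 on S50DXS
1322305021^DXProt^PC92A K4RFJ ->  93.99.200.207 on S50CLX
1322342108^DXProt^PC92A JA3EDF ->  93.99.200.207 on F5LEN-7
1320119909^DXProt^PC92A A65XX ->  2.50.196.236 on GB7RAU
1320124177^DXProt^PC92A RV6AJJ ->  2.50.196.236 on RW3XA-8
1320294186^DXProt^PC92A A65CA ->  2.50.196.236 on S50CLX
1320300000^DXProt^PC92A HA5DI ->  198.51.100.7 on HA5DI-9
1320300100^DXProt^PC92A HA5DI-2 ->  198.51.100.7 on HA5DI-9
1320300200^DXProt^PC92A F5UOE-10 ->  203.0.113.5 on F5LEN-7
1320300300^DXProt^PC92A DK2AI-10 ->  203.0.113.5 on F5LEN-7
"""

# Line shape as quoted on the page: "<epoch>^DXProt^PC92A <call> ->  <ip> on <node>"
PC92A_RE = re.compile(r"^(\d+)\^DXProt\^PC92A\s+(\S+)\s+->\s+(\S+)\s+on\s+(\S+)$")

# Nodes that front a WEB interface, so many different callsigns legitimately
# appear behind that node's IP. F5LEN-7 comes from the thread; the set itself
# is an assumption and would be maintained by the sysop.
WEB_INTERFACE_NODES = {"F5LEN-7"}


def parse_pc92a(text):
    """Yield (epoch, callsign, ip, node) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = PC92A_RE.match(line.strip())
        if m:
            epoch, call, ip, node = m.groups()
            yield int(epoch), call.upper(), ip, node.upper()


def base_call(call):
    """Drop the SSID suffix: 'F5UOE-10' -> 'F5UOE'."""
    return call.split("-", 1)[0]


def analyse(text, min_calls=2):
    """Group logins by source IP and classify each IP.

    Verdicts:
      same-station   fewer than min_calls distinct base calls (one station, maybe several SSIDs)
      web-interface  several calls, but every login came through a known web-interface node
      review         several calls spread over ordinary nodes: the pattern the thread calls fraud
    """
    per_ip = defaultdict(lambda: {"calls": set(), "bases": set(), "nodes": set(), "times": []})
    for epoch, call, ip, node in parse_pc92a(text):
        rec = per_ip[ip]
        rec["calls"].add(call)
        rec["bases"].add(base_call(call))
        rec["nodes"].add(node)
        rec["times"].append(epoch)

    report = {}
    for ip, rec in per_ip.items():
        if len(rec["bases"]) < min_calls:
            verdict = "same-station"
        elif rec["nodes"] <= WEB_INTERFACE_NODES:
            verdict = "web-interface"
        else:
            verdict = "review"
        report[ip] = {
            "verdict": verdict,
            "calls": sorted(rec["calls"]),
            "nodes": sorted(rec["nodes"]),
            # Time between first and last login from this IP; a carrier-grade
            # NAT pool tends to show many calls over a long span, which is
            # worth knowing before anyone is accused of anything.
            "span_seconds": max(rec["times"]) - min(rec["times"]),
        }
    return report


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(f"{ip:16} {info['verdict']:14} calls={len(info['calls'])} "
              f"nodes={','.join(info['nodes'])} span={info['span_seconds']}s")
```

The verdict is deliberately "review" rather than "fraud": as the later reply in this thread notes, carrier-grade NAT on mobile networks can also put several real users behind one address, so the sysop still looks at the callsigns, the nodes involved and the time span before acting.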
On 2011.12.11. 22:35, Brendan Minish wrote:
> On Sun, 2011-12-11 at 22:04 +0100, Márkus Béla wrote:
>> Jim,
>>
>> I don't think so. I am not aware of any case when the IP address is changed in
>> the public network. Maybe I'm wrong.
>>
>> Béla
>>
> Hi Béla
>
> I don't think this applies here.
> But some of the 3G networks do carrier-grade NAT now here in EI (&
> probably other parts of Europe), at least for customers with smart
> phones. In this case you might see several users with the same IP
>
> I am most curious about the IP in France (213.251.189.204)
> that originated so many calls all with -10
> Might that be software doing something strange?
>
> This netblock appears to be allocated to infrastructure servers of a
> hosting company so it may be related to shared hosted web service of
> some kind?
>
>
> [bminish at redbox ~]$ whois 213.251.189.204
> [Querying whois.ripe.net]
> [whois.ripe.net]
> % This is the RIPE Database query service.
> % The objects are in RPSL format.
> %
> % The RIPE Database is subject to Terms and Conditions.
> % See http://www.ripe.net/db/support/db-terms-conditions.pdf
>
> % Note: this output has been filtered.
> %       To receive output for a database update, use the "-B" flag.
>
> % Information related to '213.251.189.0 - 213.251.189.255'
>
> inetnum:        213.251.189.0 - 213.251.189.255
> netname:        OVH
> descr:          OVH SAS
> descr:          Infrastructure servers
> descr:          http://www.ovh.com
> country:        FR
> admin-c:        OK217-RIPE
> tech-c:         OTC2-RIPE
> status:         ASSIGNED PA
> remarks:        INFRA-AW
> mnt-by:         OVH-MNT
> source:         RIPE # Filtered
>
> role:           OVH Technical Contact
> address:        OVH SAS
> address:        2 rue Kellermann
> address:        59100 Roubaix
> address:        France
> admin-c:        OK217-RIPE
> tech-c:         GM84-RIPE
> nic-hdl:        OTC2-RIPE
> abuse-mailbox:  abuse at ovh.net
> mnt-by:         OVH-MNT
> source:         RIPE # Filtered
>
> person:         Octave Klaba
> address:        OVH SAS
> address:        2 rue Kellermann
> address:        59100 Roubaix
> address:        France
> phone:          +33 9 74 53 13 23
> nic-hdl:        OK217-RIPE
> abuse-mailbox:  abuse at ovh.net
> mnt-by:         OVH-MNT
> source:         RIPE # Filtered
>
> % Information related to '213.251.128.0/18AS16276'
>
> route:        213.251.128.0/18
> descr:        OVH ISP
> descr:        Paris, France
> origin:       AS16276
> mnt-by:       OVH-MNT
> source:       RIPE # Filtered
>
>
>> On 2011.12.11. 18:23, Jim Bayer wrote:
>>> I'm wondering if there is ISP address munging here.  Perhaps many public
>>> addresses are aggregated at the border of an ISP (not country) and it makes
>>> it look like all the requests are coming from the same address.  Like a PAT
>>> address (Public Address Translation) on a grander scale.
>>>
>>> Just a thought...
>>>
>>>
>>> '73
>>> Jim  - KC9AOP
>>>
>>> -----Original Message-----
>>> From:dxspider-support-bounces at dxcluster.org
>>> [mailto:dxspider-support-bounces at dxcluster.org] On Behalf Of Márkus Béla
>>> Sent: Sunday, December 11, 2011 10:01 AM
>>> To: The DXSpider Support list
>>> Subject: [Dxspider-support] fraud detection
>>>
>>> Thinking of a fraud detection tool, I made some analysis on November data. It is
>>> interesting to see that in a huge number of cases the same IP is used by different calls.
>>> Usually the difference is only the SSID. There are club stations sharing
>>> infrastructure, or a team is spending vacation abroad e.g. in EA8, or there
>>> is a typo in the call. But there are really interesting cases, a few of them
>>> (originating IP and calls used to login):
>>>
>>> Regards... Béla, HA5DI
>>>
>>>
>>> 84.194.52.107 (Belgium)
>>> OT4A IK1JUO DF1BO IT9RYH I0ARI IK9SKY I4RER IZ1KDO CI0RCUS JA3ERT G6YUI
>>> ON0LID HA5OKQ JH7LNN IK1ARI JA4CYZ JA4AQC IK0FGL I0NI JA1AQC IT7RYH I5IRE
>>> I0QMN
>>>
>>> 213.251.189.204 (France)
>>> RD9FD-10 F5UOE-10 F0FIG-10 F6EDO-10 OK2HB-10 LZ1FI-10 UW3QBB-10 F5IEP-10
>>> DK2AI-10 G0API-10 N9SB-10 HA6IAM-10 F5RVI-10 F6KUP-10 F5XX-10 F6CXJ-10
>>> F1HDY-10 9A3ARN-10 ON8VP-10 F8GGV-10 F6INI-10 PD2BA-10 WA6HZY-10
>>> IZ5OVP-10 N6VNO-10 KI7VR-10 GM3UAG-10 F6FRR-10 F5NTV-10 4Z5KO-10
>>> KP4DE-10 RV9DC-10 F2YV-10 DL5DF-10 F8NUH-10 VE2TKH-10 F6BBO-10 DL3HXX-10
>>> UR2VA-10 OK1FHI-10 DK5AI-10 ST0R-10 F4ABC-10 YT1KC-10 ON6MM-10 SP3EA-10
>>> KA5CJJ-10 HA0KLU-10 F4FRG-10 HA8MT-10 K0MGA-10 DO1JWZ-10 G4BAO-10
>>> DJ5DN-10 F5NYZ-10 IK5VLR-10 7X2RO-10 F8GFA-10 DM5BB-10 ON8BB-10 F6FNG-10
>>> RK9JWV-10 DK2CF-10 LU2AJW-10 SM0BRF-10 UT7IA-10 F6EIK-10 OK2QX-10
>>> OE9MON-10 LZ5R-10 F5VLY-10 SQ1DWR-10 E73LM-10 LU8IEZ-10 IW7DEB-10
>>> OK1HB-10 OM7TJ-10 VE3TY-10 PU2YEN-10 VA2RSM-10 F5NAK-10 WA6A-10
>>> SP1JPQ-10 DO8WA-10 M0YMJ-10 OK1AD-10 II2Z-10 F9YR-10 F4FEP-10 ZL2CQ-10
>>> F8CHM-10 F5JNE-10 YU2V-10 IZ8CKT-10 F4FDA-10 OM3ZAS-10 PY4WAS-10 YL1S-10
>>> F3CW-10 RW1AI-10 OK1IO-10 DF3EH-10 YR8B-10 F4CVH-10 G4GVB-10 YL2PP-10
>>> IZ0ABQ-10 F0GHK-10 F4ULC-10 F5TYQ-10 F8FAZ-10 UX0LC-10 F4FIU-10
>>>
>>> 151.45.45.163 (Italy)
>>> RU3ER DL1WED UX2IT K5DFG EA4DFG KD0KJ K2WE W5DF K4DF N7FG RZ6GHJ UA4CJT
>>> K6JGH K5VB K3VML K8BN N7DJH K2SD K1ASD IZ7FLP
>>>
>>> 146.48.126.27 (Italy)
>>> IR5PWJ-6 PC5C OE4MDA K1ZM PA2V IK5ZAF PA3CNO LX1CN W0QQ IK5SQS OE6POD OE3BOA
>>> OE4JHW OK1KF DO2XX IZ8EBI OE5GWP K6HJM KF8CE PA3HDM DG4FR SP7TOB
>>>
>>> 78.111.176.114 (Ukraine)
>>> PA3DER YO3CC PA4FER SM3ERW UX4FC F3TCA RN9ST YO3CD UR5FD YO3KC YO4MM YO9SW
>>> YO8KDD UA0LCC
>>>
>>>
>>>
>>> _______________________________________________
>>> Dxspider-support mailing list
>>> Dxspider-support at dxcluster.org
>>> http://mailman.tobit.co.uk/mailman/listinfo/dxspider-support
>>>