[Dxspider-support] Chasing Down Spot Pirate?
Dirk Koopman
djk at tobit.co.uk
Tue Nov 2 23:52:11 GMT 2021
It appears that someone took it upon themselves to disrupt the DXCluster
network over the contest weekend. But it was nothing to do with Larry
or, indeed, anyone else that might appear, at first glance, to have done
this.
Essentially someone seems to have written a bot which connects to a
node, listens for spots, then connects to one or more nodes (WA9PIE-2
was one of them, there are clearly many others) and, after a short
pause, logs onto the victim node as the spotted callsign, replays the
original spot but now as though they have spotted themselves.
The bot (as I am pretty sure this is) was running during the entire
contest. It was located at IP address 217.61.58.23 probably in a docker
image or some such. This IP address reverse lookups to a server in
Aruba.net's cloud. The hostname
(host23-58-61-217.serverdedicati.aruba.it) suggests that it is a
dedicated server, so it may be possible to trace the "owner" at the
time, hence I am copying the ISP in (Aruba: see later on for an
explanation).
Anyway, this is the sort of interaction that one of these spots takes:
31Oct2021 at 23:19:02 (*) N5AW connected from 217.61.58.23
31Oct2021 at 23:19:02 (progress) CMD: 'show/cluster ' by N5AW ip: 217.61.58.23 0mS
31Oct2021 at 23:19:02 (progress) CMD: 'DX N5AW 21229.7' by N5AW ip: 217.61.58.23 44mS
31Oct2021 at 23:19:02 (progress) CMD: 'bye ' by N5AW ip: 217.61.58.23 8mS
This happens to come from WA9PIE-2, but the bot connects to several
other nodes, yielding more spots:
31Oct2021 at 23:19:06 (progress) SPOT: EA3QP on 7173.5 @ 2319Z by EA3QP(217.61.58.23)@N6WS-6 '' route: N7OD
31Oct2021 at 23:19:16 (progress) SPOT: VA3MW on 7215.1 @ 2319Z by VA3MW(217.61.58.23)@ED3ZAK-5 '' route: EA4RCH-5
31Oct2021 at 23:19:21 (progress) SPOT: VO2NS on 14173.2 @ 2319Z by VO2NS(217.61.58.23)@IK2XDE-6 '' route: AE5E
31Oct2021 at 23:19:23 (progress) SPOT: K3EST on 21343.9 @ 2319Z by K3EST(217.61.58.23)@ED3ZAK-5 '' route: EA4RCH-5
31Oct2021 at 23:19:37 (progress) SPOT: KL7RA on 14337.9 @ 2319Z by KL7RA(217.61.58.23)@VE9SC '' route: VE9SC
31Oct2021 at 23:19:41 (progress) SPOT: CE6CGX on 21317.7 @ 2319Z by CE6CGX(217.61.58.23)@DB0ERF-5 '' route: GB7DJK
31Oct2021 at 23:19:52 (progress) SPOT: ED1R on 3786.4 @ 2319Z by ED1R(217.61.58.23)@ON4KST-2 '' route: MX0NCA-2
31Oct2021 at 23:19:54 (progress) SPOT: HB9H on 7174.3 @ 2319Z by HB9H(217.61.58.23)@EA4URE-5 '' route: PI4CC
31Oct2021 at 23:19:57 (progress) SPOT: SE0X on 1832.0 @ 2319Z by SE0X(217.61.58.23)@EA4URE-3 '' route: PI4CC
31Oct2021 at 23:20:08 (progress) SPOT: EW5A on 3761.0 @ 2320Z by EW5A(217.61.58.23)@DB0ERF-5 '' route: MX0NCA-2
31Oct2021 at 23:20:13 (progress) SPOT: LZ9W on 3790.0 @ 2320Z by LZ9W(217.61.58.23)@UN1HQ-8 '' route: PI4CC
31Oct2021 at 23:20:29 (progress) SPOT: VE4VT on 14253.4 @ 2320Z by VE4VT(217.61.58.23)@ON4KST-2 '' route: GB7DJK
There were 864 of these on Saturday and 1935 on Sunday (either
originating at WA9PIE-2 or passing through). There are almost certainly
(many?) more than this because there are many older nodes that don't
pass on IP address information.
*For Aruba.net*:
What is a DX Cluster?:
https://www.amateur-radio-wiki.net/what-is-a-dx-cluster/ and
https://carcbradios.com/what-is-a-dx-cluster/
CQWW?: https://www.cqww.com/index.htm
Ham Radio?: https://en.wikipedia.org/wiki/Amateur_radio
To explain why this is a problem: This is a contest where one amateur
radio station contacts another somewhere in the world. A short message
is exchanged and logged. Each station has a callsign. The winner(s)
(there are several classes) are (very basically) the stations that have
the most contacts, on the most amateur radio bands, in the most "zones".
Many non-contesting stations use the opportunity of contests like this
to "work" a rare station and "spot" that station as being active at a
specific time and frequency over the cluster network. Active contestants
/can/ (but rarely do) "spot" _*another*_ station (different callsign).
Spotting yourself (_*same*_ callsign) means instant disqualification.
The person responsible for this has actively tried to disrupt this
highlight of the contesting calendar by issuing fake "self-spots". This
will now require days of analysis and adjudication by the contest
committee that will have enough work already trying to verify and cross
check 35,000 contest logs. Logs from the DXCluster network can normally
be used to aid this process. Probably not so much this year...
Please would you find out who is responsible for this.
Regards
Dirk Koopman G1TLH
Author, DXSpider cluster software.
On 02/11/2021 20:52, Larry Strasser wrote:
>
>
> On Mon, Nov 1, 2021, 10:01 PM Marty Sullaway <marty.sullaway at gmail.com> wrote:
>
> Hi Larry,
>
> I hope you're doing well. My name is Marty Sullaway NN1C, and I
> was one of the operators at ZF1A this weekend in the CQ WW SSB
> contest.
>
> We found out this weekend that someone was fictitiously using our
> callsign to self-spot ZF1A, claiming to be ZF1A, except they were
> not. In looking through Gerry/W1VE's cluster logs, I found that he
> got the fictitious spots from your DXSpider node. I am reaching
> out to see if you would be kind enough to pass along your cluster
> log from this weekend or let me know what node these spots
> originated from. The three in question are listed below.
>
> INFO 2021-10-31 18:04:30 DxSpotTelnet Exec - [0.00813] K2LS->DX de ZF1A: 28347.1 ZF1A 1804Z
>
> INFO 2021-10-31 18:52:17 DxSpotTelnet Exec - [0.00457] K2LS->DX de ZF1A: 21250.8 ZF1A 1852Z
>
> INFO 2021-10-31 22:49:08 DxSpotTelnet Exec - [0.00610] K2LS->DX de ZF1A: 14297.4 ZF1A 2249Z
>
> Thank you so much in advance,
>
> Marty Sullaway
> NN1C
>
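
The pattern described in the message (one source IP issuing "self-spots" under many different callsigns) can be pulled out of a node log mechanically. The following is an added example, not part of the original post and not DXSpider code: it assumes the SPOT line layout shown in the excerpts above, and it assumes that a node which does not pass on IP information simply omits the parenthesised address. The helper names and the threshold of three callsigns are hypothetical.

```python
import re
from collections import defaultdict

# SPOT line layout as seen in the log excerpts in the message. The "(ip)" part
# is optional: assumed absent when an older node did not pass the address on.
SPOT_RE = re.compile(
    r"^\d{1,2}[A-Za-z]{3}\d{4} at \d\d:\d\d:\d\d \(progress\) SPOT: "
    r"(?P<dx>\S+) on [\d.]+ @ \d{4}Z by "
    r"(?P<by>[^\s(@]+)(?:\((?P<ip>[^)]+)\))?@(?P<node>\S+)"
)

def base_call(call):
    """Upper-case a callsign and drop a numeric SSID such as -2."""
    return re.sub(r"-\d+$", "", call.upper())

def self_spots_by_ip(lines):
    """Map source IP (or 'unknown') to the callsigns that spotted themselves."""
    found = defaultdict(set)
    for line in lines:
        m = SPOT_RE.match(line.strip())
        if m and base_call(m["dx"]) == base_call(m["by"]):
            found[m["ip"] or "unknown"].add(base_call(m["dx"]))
    return found

def suspect_ips(lines, min_calls=3):
    """IPs that self-spotted under at least min_calls different callsigns."""
    return {ip: sorted(calls) for ip, calls in self_spots_by_ip(lines).items()
            if ip != "unknown" and len(calls) >= min_calls}

SAMPLE = [
    # These three lines are taken from the log excerpt in the message.
    "31Oct2021 at 23:19:06 (progress) SPOT: EA3QP on 7173.5 @ 2319Z by EA3QP(217.61.58.23)@N6WS-6 '' route: N7OD",
    "31Oct2021 at 23:19:16 (progress) SPOT: VA3MW on 7215.1 @ 2319Z by VA3MW(217.61.58.23)@ED3ZAK-5 '' route: EA4RCH-5",
    "31Oct2021 at 23:19:23 (progress) SPOT: K3EST on 21343.9 @ 2319Z by K3EST(217.61.58.23)@ED3ZAK-5 '' route: EA4RCH-5",
    # Constructed lines: an ordinary spot, and a self-spot with no IP recorded.
    "31Oct2021 at 23:21:00 (progress) SPOT: N0CALL on 14200.0 @ 2321Z by X0TEST(192.0.2.10)@X0NODE-1 'cq' route: X0NODE-1",
    "31Oct2021 at 23:22:00 (progress) SPOT: N0CALL on 14200.0 @ 2322Z by N0CALL@X0NODE-1 '' route: X0NODE-1",
]

if __name__ == "__main__":
    for ip, calls in suspect_ips(SAMPLE).items():
        print(ip, len(calls), "callsigns:", ", ".join(calls))
```

Self-spots that arrive without an address land in the 'unknown' bucket, so they are still counted but cannot be tied to a source.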