[Dxspider-support] Further analysis of fake spots

Gregor Surmann gs at funil.de
Tue Feb 25 17:44:49 GMT 2025


Hello guys!

I have found some interesting stuff. I was looking for information on whether 
my SSID/call was forged. Yes, it was:

sysop at dxspider:~$ grepdbg "bad spot" | grep -i do5ssb
21Feb2025 at 13:03:32 (*) PCPROT: Bad Spot HF95PZK on 21074.0 by 
SP2MKI(150.102.129.109)@DO5SSB-2 User SP2MKI not on node DO5SSB-2 via F3KT-3 
25 hops

sysop at dxspider:~$ grepdbg HF95PZK | grep -i SP2MKI
21Feb2025 at 05:53:38 (*) PCPROT: Bad Spot HF95PZK on 3573.0 by 
SP2MKI(81.89.113.246)@JG1VGX-8 User SP2MKI not on node JG1VGX-8 via ON4KST-2 
28 hops
21Feb2025 at 05:53:38 (progress) SPOT: HF95PZK on 3573.0 @ 0553Z by 
SP2MKI(81.89.113.246)@JG1VGX-8 '95th PZK - 100th IARU FT8' route: ON4KST-2
21Feb2025 at 06:47:40 (*) PCPROT: Bad Spot HF95PZK on 7074.0 by 
SP2MKI(145.89.214.218)@ON4KST-2 User SP2MKI not on node ON4KST-2 via 
ON4KST-2 28 hops
21Feb2025 at 06:47:40 (progress) SPOT: HF95PZK on 7074.0 @ 0647Z by 
SP2MKI(145.89.214.218)@ON4KST-2 'ft8 95th PZK - 100th IARU' route: ON4KST-2
21Feb2025 at 08:48:22 (*) PCPROT: Bad Spot HF95PZK on 7047.0 by 
SP2MKI(54.225.51.18)@EA4FIT-2 User SP2MKI not on node EA4FIT-2 via ON4KST-2 
28 hops
21Feb2025 at 08:48:22 (progress) SPOT: HF95PZK on 7047.0 @ 0848Z by 
SP2MKI(54.225.51.18)@EA4FIT-2 '95th PZK - 100th IARU FT4' route: ON4KST-2
21Feb2025 at 09:10:13 (*) PCPROT: Bad Spot HF95PZK on 14080.0 by 
SP2MKI(36.134.227.136)@IV3SCP-6 User SP2MKI not on node IV3SCP-6 via F6KVP-3 
26 hops
[...more...spots...]
21Feb2025 at 22:44:41 (*) PCPROT: Bad Spot HF95PZK on 7047.0 by 
SP2MKI(59.181.166.39)@SM7IUN-3 User SP2MKI not on node SM7IUN-3 via ON4KST-2 
28 hops

sysop at dxspider:~$ grepdbg 150.102.129.109
sysop at dxspider:~$

So, there was never a user with the IP 150.102.129.109 here, but the spot 
originated at DO5SSB-2, strange.

This means that someone is injecting packets at some point in the network, 
without being on the node itself, not before, not during and not after the spot.

Or, maybe the famous VE7CC-1 is doing nasty stuff?

All of the IPs do exist in the global BGP routing, many of them are in AWS 
or other data centers.

But probably none of the IPs are from the countries the callsign is in.

So, either someone is using the clusters and faking spots, or someone is 
injecting PC messages somewhere.

73 de Gregor, DO5SSB
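
The grep-based triage in the message above can be automated. The following is an added example, not part of the original post and not DXSpider code: it parses the "Bad Spot" records in the shape quoted above, groups them by spotter call, and reports calls that show up from several source IPs on several claimed origin nodes, along with the peer each record arrived through. The thresholds, the function names and the N0CALL record are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# "Bad Spot" rejection record in the shape quoted in the post. The archive
# renders the timestamp separator as " at "; "@" is accepted as well (assumption).
BAD_SPOT = re.compile(
    r"(?P<date>\d{1,2}[A-Za-z]{3}\d{4})(?: at |@)(?P<time>\d\d:\d\d:\d\d) "
    r"\(\*\) PCPROT: Bad Spot (?P<dx>\S+) on (?P<freq>[\d.]+) by "
    r"(?P<user>[^\s(]+)\((?P<ip>[^)]+)\)@(?P<node>\S+) "
    r"User \S+ not on node \S+ via (?P<via>\S+) (?P<hops>\d+) hops"
)

def parse_bad_spots(text):
    """Return one dict per Bad Spot record; mail-wrapped lines are rejoined first."""
    flat = re.sub(r"\s+", " ", text)
    return [m.groupdict() for m in BAD_SPOT.finditer(flat)]

def summarize(records):
    """Per spotter call: distinct source IPs, claimed origin nodes, ingress peers."""
    summary = defaultdict(lambda: {"ips": set(), "nodes": set(), "via": Counter()})
    for r in records:
        entry = summary[r["user"]]
        entry["ips"].add(r["ip"])
        entry["nodes"].add(r["node"])
        entry["via"][r["via"]] += 1
    return dict(summary)

def likely_forged(summary, min_ips=3, min_nodes=3):
    """Calls seen from many IPs on many nodes (thresholds are illustrative)."""
    return sorted(call for call, e in summary.items()
                  if len(e["ips"]) >= min_ips and len(e["nodes"]) >= min_nodes)

# Constructed sample: three records taken from the post (wrapping kept) plus one
# made-up record for a placeholder call N0CALL on a documentation IP.
SAMPLE = """\
21Feb2025 at 13:03:32 (*) PCPROT: Bad Spot HF95PZK on 21074.0 by
SP2MKI(150.102.129.109)@DO5SSB-2 User SP2MKI not on node DO5SSB-2 via F3KT-3
25 hops
21Feb2025 at 05:53:38 (*) PCPROT: Bad Spot HF95PZK on 3573.0 by
SP2MKI(81.89.113.246)@JG1VGX-8 User SP2MKI not on node JG1VGX-8 via ON4KST-2
28 hops
21Feb2025 at 05:53:38 (progress) SPOT: HF95PZK on 3573.0 @ 0553Z by
SP2MKI(81.89.113.246)@JG1VGX-8 '95th PZK - 100th IARU FT8' route: ON4KST-2
21Feb2025 at 08:48:22 (*) PCPROT: Bad Spot HF95PZK on 7047.0 by
SP2MKI(54.225.51.18)@EA4FIT-2 User SP2MKI not on node EA4FIT-2 via ON4KST-2
28 hops
21Feb2025@09:00:00 (*) PCPROT: Bad Spot X0TEST on 14074.0 by N0CALL(192.0.2.10)@GB7XXX User N0CALL not on node GB7XXX via ON4KST-2 20 hops
"""

if __name__ == "__main__":
    print(likely_forged(summarize(parse_bad_spots(SAMPLE))))
```

The `via` counter in each summary entry shows which neighbouring node delivered the rejected spots, which is the first place to look when narrowing down where the records enter the network.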


