[Dxspider-support] Further analysis of fake spots
Christopher Schlegel
sutehk.cs at gmail.com
Wed Feb 26 15:04:32 GMT 2025
Also noticed this in my logs...
Gregor and I are not node partners. He is not listed as a user anywhere in
the logs that I can see, or using Kin's scripts. I have quite a few dropped
spots in the log from DO5SSB-2.
057.dat:1740541297^(chan) -> D WI3W 985 DO5SSB-2 82.149.227.228/57768
E telnet Incoming ExtMsg
057.dat:1740541671^(chan) -> D WI3W 985 DO5SSB-2 82.149.227.228/57768
E telnet Incoming ExtMsg
057.dat:1740542595^(chan) -> D WI3W 985 DO5SSB-2 82.149.227.228/57768
E telnet Incoming ExtMsg
057.dat:1740544669^(chan) -> D WI3W 985 DO5SSB-2 82.149.227.228/57768
E telnet Incoming ExtMsg
057.dat:1740545171^(chan) -> D WI3W 985 DO5SSB-2 82.149.227.228/57768
E telnet Incoming ExtMsg
057.dat:1740546036^(chan) -> D WI3W 985 DO5SSB-2 82.149.227.228/57768
E telnet Incoming ExtMsg
057.dat:1740581025^(chan) -> D WI3W 985 DO5SSB-2 82.149.227.228/57768
E telnet Incoming ExtMsg
Is it possible someone is abusing the "PC" command and forging spots that
way?
Chris, WI3W
On Wed, Feb 26, 2025, 07:35 Kirill Ryabov via Dxspider-support <
dxspider-support at tobit.co.uk> wrote:
> Here are more, and it looks like these IPs are real and from the
> countries of the spotter. But the spotters are not on the DO5SSB-2 node.
>
>
> 26Feb2025 at 10:52:15 (*) PCPROT: Bad Spot 3Z100IARU on 18125.0 by
> G0DEF(86.18.176.21)@DO5SSB-2 User G0DEF not on node DO5SSB-2, DUMPED via
> RW3XA-8 27 hops
> 26Feb2025 at 11:07:02 (*) PCPROT: Bad Spot R9YDC on 28448.0 by
> IW3INO(158.47.242.148)@DO5SSB-2 User IW3INO not on node DO5SSB-2, DUMPED
> via N2WQ-1 26 hops
> 26Feb2025 at 11:12:56 (*) PCPROT: Bad Spot CT9/DK7YY on 24940.0 by
> HB9CVE(46.127.144.149)@DO5SSB-2 User HB9CVE not on node DO5SSB-2, DUMPED
> via RW3XA-8 25 hops
> 26Feb2025 at 11:13:34 (*) PCPROT: Bad Spot VK9XU on 10133.0 by
> RO9O(212.15.62.218)@DO5SSB-2 User RO9O not on node DO5SSB-2, DUMPED via
> RW3XA-8 25 hops
> 26Feb2025 at 11:20:20 (*) PCPROT: Bad Spot GI0CWV on 28485.0 by
> 9A6BMT(109.60.70.233)@DO5SSB-2 User 9A6BMT not on node DO5SSB-2, DUMPED
> via RW3XA-8 27 hops
> 26Feb2025 at 11:31:40 (*) PCPROT: Bad Spot DD1HV on 18135.0 by
> G0DEF(86.18.176.21)@DO5SSB-2 User G0DEF not on node DO5SSB-2, DUMPED via
> RW3XA-8 25 hops
> 26Feb2025 at 11:41:57 (*) PCPROT: Bad Spot VK9XU on 14210.0 by
> JH0OQZ(14.8.114.96)@DO5SSB-2 User JH0OQZ not on node DO5SSB-2, DUMPED
> via SV5FRI-1 27 hops
> 26Feb2025 at 11:59:28 (*) PCPROT: Bad Spot G7NUT on 14074.6 by
> F4BJN(79.92.250.148)@DO5SSB-2 User F4BJN not on node DO5SSB-2, DUMPED
> via RW3XA-8 27 hops
> 26Feb2025 at 11:59:55 (*) PCPROT: Bad Spot NK9NLD on 28475.0 by
> HA7DF(145.236.161.131)@DO5SSB-2 User HA7DF not on node DO5SSB-2, DUMPED
> via RW3XA-8 25 hops
> 26Feb2025 at 12:10:59 (*) PCPROT: Bad Spot M7GJO on 14076.0 by
> F4BJN(79.92.250.148)@DO5SSB-2 User F4BJN not on node DO5SSB-2, DUMPED
> via RW3XA-8 25 hops
> 26Feb2025 at 12:11:32 (*) PCPROT: Bad Spot GM3RIC on 18135.0 by
> IZ1HHT(213.45.237.111)@DO5SSB-2 User IZ1HHT not on node DO5SSB-2, DUMPED
> via RW3XA-8 26 hops
> 26Feb2025 at 12:13:40 (*) PCPROT: Bad Spot EA4HPY on 28514.0 by
> HA7DF(145.236.161.131)@DO5SSB-2 User HA7DF not on node DO5SSB-2, DUMPED
> via RW3XA-8 25
>
>
> Kirill
> R5ACQ
>
> 25.02.2025 20:44, Gregor Surmann via Dxspider-support wrote:
> > Hello guys!
> >
> > I have found some interesting stuff. I was looking for
> > information on whether my SSID/call was forged. Yes, it was:
> >
> > sysop at dxspider:~$ grepdbg "bad spot" | grep -i do5ssb
> > 21Feb2025 at 13:03:32 (*) PCPROT: Bad Spot HF95PZK on 21074.0 by
> > SP2MKI(150.102.129.109)@DO5SSB-2 User SP2MKI not on node DO5SSB-2 via
> > F3KT-3 25 hops
> >
> > sysop at dxspider:~$ grepdbg HF95PZK | grep -i SP2MKI
> > 21Feb2025 at 05:53:38 (*) PCPROT: Bad Spot HF95PZK on 3573.0 by
> > SP2MKI(81.89.113.246)@JG1VGX-8 User SP2MKI not on node JG1VGX-8 via
> > ON4KST-2 28 hops
> > 21Feb2025 at 05:53:38 (progress) SPOT: HF95PZK on 3573.0 @ 0553Z by
> > SP2MKI(81.89.113.246)@JG1VGX-8 '95th PZK - 100th IARU FT8' route:
> > ON4KST-2
> > 21Feb2025 at 06:47:40 (*) PCPROT: Bad Spot HF95PZK on 7074.0 by
> > SP2MKI(145.89.214.218)@ON4KST-2 User SP2MKI not on node ON4KST-2 via
> > ON4KST-2 28 hops
> > 21Feb2025 at 06:47:40 (progress) SPOT: HF95PZK on 7074.0 @ 0647Z by
> > SP2MKI(145.89.214.218)@ON4KST-2 'ft8 95th PZK - 100th IARU' route:
> > ON4KST-2
> > 21Feb2025 at 08:48:22 (*) PCPROT: Bad Spot HF95PZK on 7047.0 by
> > SP2MKI(54.225.51.18)@EA4FIT-2 User SP2MKI not on node EA4FIT-2 via
> > ON4KST-2 28 hops
> > 21Feb2025 at 08:48:22 (progress) SPOT: HF95PZK on 7047.0 @ 0848Z by
> > SP2MKI(54.225.51.18)@EA4FIT-2 '95th PZK - 100th IARU FT4' route: ON4KST-2
> > 21Feb2025 at 09:10:13 (*) PCPROT: Bad Spot HF95PZK on 14080.0 by
> > SP2MKI(36.134.227.136)@IV3SCP-6 User SP2MKI not on node IV3SCP-6 via
> > F6KVP-3 26 hops
> > [...more...spots...]
> > 21Feb2025 at 22:44:41 (*) PCPROT: Bad Spot HF95PZK on 7047.0 by
> > SP2MKI(59.181.166.39)@SM7IUN-3 User SP2MKI not on node SM7IUN-3 via
> > ON4KST-2 28 hops
> >
> > sysop at dxspider:~$ grepdbg 150.102.129.109
> > sysop at dxspider:~$
> >
> > So, there was never a user with the IP 150.102.129.109 here, but the
> > spot originated at DO5SSB-2, strange.
> >
> > This means that someone is injecting packets at some point in the
> > network, without being on the node itself: not before, not during and
> > not after the spot.
> >
> > Or, maybe the famous VE7CC-1 is doing nasty stuff?
> >
> > All of the IPs do exist in the global BGP routing, many of them are in
> > AWS or other data centers.
> >
> > But probably none of the IPs are from the countries the callsign is in.
> >
> > So, either someone is using the clusters and faking spots, or someone
> > is injecting PC messages somewhere.
> >
> > 73 de Gregor, DO5SSB
> >
> > _______________________________________________
> > Dxspider-support mailing list
> > Dxspider-support at tobit.co.uk
> > https://mailman.tobit.co.uk/mailman/listinfo/dxspider-support
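One way to summarise the `PCPROT: Bad Spot` lines quoted in this thread, as an added example that is not part of the original messages or of DXSpider: it counts which neighbour link each rejected spot arrived through and lists spotter calls that appear with more than one IP/origin-node pair. The callsigns, node names and IP addresses in the sample are constructed placeholders, and the regular expression is inferred from the log lines shown above.

```python
import re
from collections import Counter, defaultdict

# Pattern inferred from the "Bad Spot" lines in this thread; some nodes add ", DUMPED".
BAD_SPOT = re.compile(
    r"PCPROT: Bad Spot (?P<dx>\S+) on (?P<freq>[\d.]+) by "
    r"(?P<spotter>[^(\s]+)\((?P<ip>[^)]+)\)@(?P<origin>\S+) "
    r"User \S+ not on node [^\s,]+,? (?:DUMPED )?via (?P<via>\S+) (?P<hops>\d+) hops"
)

# Constructed sample: placeholder callsigns/nodes and documentation-range IPs.
SAMPLE = [
    "26Feb2025 at 10:52:15 (*) PCPROT: Bad Spot X0DX on 18125.0 by "
    "X0AAA(192.0.2.21)@X0NODE-2 User X0AAA not on node X0NODE-2, DUMPED via X0RLY-8 27 hops",
    "26Feb2025 at 11:07:02 (*) PCPROT: Bad Spot X0DX on 28448.0 by "
    "X0BBB(198.51.100.148)@X0NODE-2 User X0BBB not on node X0NODE-2, DUMPED via X0ALT-1 26 hops",
    "26Feb2025 at 11:31:40 (*) PCPROT: Bad Spot X1DX on 18135.0 by "
    "X0AAA(203.0.113.9)@X0OTH-3 User X0AAA not on node X0OTH-3 via X0RLY-8 25 hops",
    # An accepted-spot line: must be ignored by the parser.
    "26Feb2025 at 11:32:00 (progress) SPOT: X1DX on 18135.0 @ 1132Z by "
    "X0AAA(203.0.113.9)@X0OTH-3 'test' route: X0RLY-8",
]


def summarise(lines):
    """Group rejected spots by arriving link, claimed origin node and spotter."""
    via = Counter()            # neighbour link the spot arrived through
    origin = Counter()         # node the spot claims to originate from
    seen = defaultdict(set)    # spotter -> {(ip, claimed origin node), ...}
    for line in lines:
        m = BAD_SPOT.search(line)
        if not m:
            continue
        via[m["via"]] += 1
        origin[m["origin"]] += 1
        seen[m["spotter"]].add((m["ip"], m["origin"]))
    # A call seen from several IP/node pairs cannot be one logged-in user.
    roaming = {s: sorted(v) for s, v in seen.items() if len(v) > 1}
    return {"via": via, "origin": origin, "roaming": roaming}


if __name__ == "__main__":
    report = summarise(SAMPLE)
    print("arrived via:  ", report["via"].most_common())
    print("claimed node: ", report["origin"].most_common())
    print("multi-source: ", report["roaming"])
```

Feed it the output of `grepdbg "bad spot"`. The `via` count shows which neighbour link the rejected spots reached your node through, which is not necessarily where they entered the network.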