[Dxspider-support] Further analysis of fake spots

Rene Olsen rene at rcolsen.dk
Wed Feb 26 17:33:52 GMT 2025


Hi.

Just a thought, and I have no way of testing it in a controlled environment.

What happens if this is done?

Someone installs DX-Spider (whatever version, but probably an older one that still supports 
PC92 etc.) and sets some random node as a spider neighbour. In this example let's say they use 
DO5BBS-2 as their own node call.

They simply do set/spider <nodecall> and create a connect script to that node.

Then they connect to a node and present themselves as DO5BBS-2. Now, what will the other node 
do? I am aware that the other node doesn't know DO5BBS-2 as a spider node, but I think that 
they may still start to talk PC92 even though they are not 100% initialized.

Now I make tons of false spots as a user on DO5BBS-2. Might they actually be sent on to 
the node I just tried to link to, and then passed on to the network?

I am not able to test this, but in the past I have seen random nodes just trying to connect to 
my node, and even though I have not done a set/spider for the node, some traffic does happen 
between us. I am just not sure how much.

I am aware that if the node I try to link to is running the most recent version and has passwords 
enabled, then the above is not possible. But there are plenty of nodes that don't run the 
newest version (or even a recent version) and don't require a password to log in.

Just a thought. Probably a wild shot.

Vy 73 de Rene / OZ1LQH


On 26 Feb 2025 at 10:04, Christopher Schlegel via Dxsp wrote:

> Also noticed this in my logs...
> 
> Gregor and I are not node partners. He is not listed as a user anywhere in
> the logs that I can see, or using Kin's scripts. I have quite a few dropped
> spots in the log from DO5SSB-2.
> 
> 057.dat:1740541297^(chan) -> D WI3W  985 DO5SSB-2  82.149.227.228/57768
> E  telnet Incoming ExtMsg
> 057.dat:1740541671^(chan) -> D WI3W  985 DO5SSB-2  82.149.227.228/57768
> E  telnet Incoming ExtMsg
> 057.dat:1740542595^(chan) -> D WI3W  985 DO5SSB-2  82.149.227.228/57768
> E  telnet Incoming ExtMsg
> 057.dat:1740544669^(chan) -> D WI3W  985 DO5SSB-2  82.149.227.228/57768
> E  telnet Incoming ExtMsg
> 057.dat:1740545171^(chan) -> D WI3W  985 DO5SSB-2  82.149.227.228/57768
> E  telnet Incoming ExtMsg
> 057.dat:1740546036^(chan) -> D WI3W  985 DO5SSB-2  82.149.227.228/57768
> E  telnet Incoming ExtMsg
> 057.dat:1740581025^(chan) -> D WI3W  985 DO5SSB-2  82.149.227.228/57768
> E  telnet Incoming ExtMsg
> 
> Is it possible someone is abusing the "PC" command and forging spots that
> way?
> 
> Chris, WI3W
> 
> 
> 
> On Wed, Feb 26, 2025, 07:35 Kirill Ryabov via Dxspider-support <
> dxspider-support at tobit.co.uk> wrote:
> 
> > Here are more, and it looks like these IPs are real and from the
> > countries of the spotters. But the spotters are not on the DO5SSB-2 node.
> >
> >
> > 26Feb2025 at 10:52:15 (*) PCPROT: Bad Spot 3Z100IARU on 18125.0 by
> > G0DEF(86.18.176.21)@DO5SSB-2 User G0DEF not on node DO5SSB-2, DUMPED via
> > RW3XA-8 27 hops
> > 26Feb2025 at 11:07:02 (*) PCPROT: Bad Spot R9YDC on 28448.0 by
> > IW3INO(158.47.242.148)@DO5SSB-2 User IW3INO not on node DO5SSB-2, DUMPED
> > via N2WQ-1 26 hops
> > 26Feb2025 at 11:12:56 (*) PCPROT: Bad Spot CT9/DK7YY on 24940.0 by
> > HB9CVE(46.127.144.149)@DO5SSB-2 User HB9CVE not on nodeDO5SSB-2, DUMPED
> > via RW3XA-8 25 hops
> > 26Feb2025 at 11:13:34 (*) PCPROT: Bad Spot VK9XU on 10133.0 by
> > RO9O(212.15.62.218)@DO5SSB-2 User RO9O not on node DO5SSB-2, DUMPED via
> > RW3XA-8 25 hops
> > 26Feb2025 at 11:20:20 (*) PCPROT: Bad Spot GI0CWV on 28485.0 by
> > 9A6BMT(109.60.70.233)@DO5SSB-2 User 9A6BMT not on node DO5SSB-2, DUMPED
> > via RW3XA-8 27 hops
> > 26Feb2025 at 11:31:40 (*) PCPROT: Bad Spot DD1HV on 18135.0 by
> > G0DEF(86.18.176.21)@DO5SSB-2 User G0DEF not on node DO5SSB-2, DUMPED via
> > RW3XA-8 25 hops
> > 26Feb2025 at 11:41:57 (*) PCPROT: Bad Spot VK9XU on 14210.0 by
> > JH0OQZ(14.8.114.96)@DO5SSB-2 User JH0OQZ not on node DO5SSB-2, DUMPED
> > via SV5FRI-1 27 hops
> > 26Feb2025 at 11:59:28 (*) PCPROT: Bad Spot G7NUT on 14074.6 by
> > F4BJN(79.92.250.148)@DO5SSB-2 User F4BJN not on node DO5SSB-2, DUMPED
> > via RW3XA-8 27 hops
> > 26Feb2025 at 11:59:55 (*) PCPROT: Bad Spot NK9NLD on 28475.0 by
> > HA7DF(145.236.161.131)@DO5SSB-2 User HA7DF not on node DO5SSB-2, DUMPED
> > via RW3XA-8 25 hops
> > 26Feb2025 at 12:10:59 (*) PCPROT: Bad Spot M7GJO on 14076.0 by
> > F4BJN(79.92.250.148)@DO5SSB-2 User F4BJN not on node DO5SSB-2, DUMPED
> > via RW3XA-8 25 hops
> > 26Feb2025 at 12:11:32 (*) PCPROT: Bad Spot GM3RIC on 18135.0 by
> > IZ1HHT(213.45.237.111)@DO5SSB-2 User IZ1HHT not on node DO5SSB-2, DUMPED
> > via RW3XA-8 26 hops
> > 26Feb2025 at 12:13:40 (*) PCPROT: Bad Spot EA4HPY on 28514.0 by
> > HA7DF(145.236.161.131)@DO5SSB-2 User HA7DF not on node DO5SSB-2, DUMPED
> > via RW3XA-8 25
> >
> >
> > Kirill
> > R5ACQ
> >
> > 25.02.2025 20:44, Gregor Surmann via Dxspider-support :
> > > Hello guys!
> > >
> > > I have found some interesting stuff. I was looking for
> > > information on whether my SSID/call was forged. Yes, it was:
> > >
> > > sysop at dxspider:~$ grepdbg "bad spot" | grep -i do5ssb
> > > 21Feb2025 at 13:03:32 (*) PCPROT: Bad Spot HF95PZK on 21074.0 by
> > > SP2MKI(150.102.129.109)@DO5SSB-2 User SP2MKI not on node DO5SSB-2 via
> > > F3KT-3 25 hops
> > >
> > > sysop at dxspider:~$ grepdbg HF95PZK | grep -i SP2MKI
> > > 21Feb2025 at 05:53:38 (*) PCPROT: Bad Spot HF95PZK on 3573.0 by
> > > SP2MKI(81.89.113.246)@JG1VGX-8 User SP2MKI not on node JG1VGX-8 via
> > > ON4KST-2 28 hops
> > > 21Feb2025 at 05:53:38 (progress) SPOT: HF95PZK on 3573.0 @ 0553Z by
> > > SP2MKI(81.89.113.246)@JG1VGX-8 '95th PZK - 100th IARU FT8' route:
> > > ON4KST-2
> > > 21Feb2025 at 06:47:40 (*) PCPROT: Bad Spot HF95PZK on 7074.0 by
> > > SP2MKI(145.89.214.218)@ON4KST-2 User SP2MKI not on node ON4KST-2 via
> > > ON4KST-2 28 hops
> > > 21Feb2025 at 06:47:40 (progress) SPOT: HF95PZK on 7074.0 @ 0647Z by
> > > SP2MKI(145.89.214.218)@ON4KST-2 'ft8 95th PZK - 100th IARU' route:
> > > ON4KST-2
> > > 21Feb2025 at 08:48:22 (*) PCPROT: Bad Spot HF95PZK on 7047.0 by
> > > SP2MKI(54.225.51.18)@EA4FIT-2 User SP2MKI not on node EA4FIT-2 via
> > > ON4KST-2 28 hops
> > > 21Feb2025 at 08:48:22 (progress) SPOT: HF95PZK on 7047.0 @ 0848Z by
> > > SP2MKI(54.225.51.18)@EA4FIT-2 '95th PZK - 100th IARU FT4' route: ON4KST-2
> > > 21Feb2025 at 09:10:13 (*) PCPROT: Bad Spot HF95PZK on 14080.0 by
> > > SP2MKI(36.134.227.136)@IV3SCP-6 User SP2MKI not on node IV3SCP-6 via
> > > F6KVP-3 26 hops
> > > [...more...spots...]
> > > 21Feb2025 at 22:44:41 (*) PCPROT: Bad Spot HF95PZK on 7047.0 by
> > > SP2MKI(59.181.166.39)@SM7IUN-3 User SP2MKI not on node SM7IUN-3 via
> > > ON4KST-2 28 hops
> > >
> > > sysop at dxspider:~$ grepdbg 150.102.129.109
> > > sysop at dxspider:~$
> > >
> > > So there was never a user with the IP 150.102.129.109 here, but the
> > > spot originated at DO5SSB-2. Strange.
> > >
> > > This means that someone is injecting packets at some point in the
> > > network, without being on the node itself: not before, not while and
> > > not after the spot.
> > >
> > > Or, maybe the famous VE7CC-1 is doing nasty stuff?
> > >
> > > All of the IPs do exist in the global BGP routing, many of them are in
> > > AWS or other data centers.
> > >
> > > But probably none of the IPs are from the countries the callsign is in.
> > >
> > > So, either someone is using the clusters and faking spots, or someone
> > > is injecting PC messages somewhere.
> > >
> > > 73 de Gregor, DO5SSB
> > >
> > > _______________________________________________
> > > Dxspider-support mailing list
> > > Dxspider-support at tobit.co.uk
> > > https://mailman.tobit.co.uk/mailman/listinfo/dxspider-support
> >
> >
> >
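An added example, not DXSpider code and not from anyone in this thread: a small Python script that parses the grepdbg "PCPROT: Bad Spot" lines quoted above and pulls out the signals the thread is built on, namely which origin node the dumped spots claim, which spotter callsigns turn up from several unrelated IP addresses, and which spots claim your own node as origin from an address that never logged in there. The sample lines are constructed from the quoted ones (same callsigns, addresses and nodes; it is not a real log), the regular expression is written against that quoted format only (it handles the variants seen there: "DUMPED via", plain "via", the missing space in "nodeDO5SSB-2" and a line cut off before "hops"), and the set of addresses that "actually logged in here" is a made-up stand-in for what grepdbg <ip> returns on your own node.

```python
"""Aggregate DXSpider 'PCPROT: Bad Spot' lines to characterise a forged origin node.

Added example for this mailing-list thread; it is not DXSpider code and not from
anyone on the list. It parses the grepdbg output format quoted in the thread.
"""
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the lines quoted in the thread. Callsigns,
# addresses and node names are copied from those messages; it is not a real log.
# It deliberately includes the format variants seen there: "DUMPED via", plain
# "via", the missing space in "nodeDO5SSB-2", a line cut off before "hops",
# and one "(progress) SPOT" line that must be skipped.
SAMPLE_LOG = """\
26Feb2025 at 10:52:15 (*) PCPROT: Bad Spot 3Z100IARU on 18125.0 by G0DEF(86.18.176.21)@DO5SSB-2 User G0DEF not on node DO5SSB-2, DUMPED via RW3XA-8 27 hops
26Feb2025 at 11:12:56 (*) PCPROT: Bad Spot CT9/DK7YY on 24940.0 by HB9CVE(46.127.144.149)@DO5SSB-2 User HB9CVE not on nodeDO5SSB-2, DUMPED via RW3XA-8 25 hops
26Feb2025 at 11:31:40 (*) PCPROT: Bad Spot DD1HV on 18135.0 by G0DEF(86.18.176.21)@DO5SSB-2 User G0DEF not on node DO5SSB-2, DUMPED via RW3XA-8 25 hops
26Feb2025 at 12:13:40 (*) PCPROT: Bad Spot EA4HPY on 28514.0 by HA7DF(145.236.161.131)@DO5SSB-2 User HA7DF not on node DO5SSB-2, DUMPED via RW3XA-8 25
21Feb2025 at 05:53:38 (*) PCPROT: Bad Spot HF95PZK on 3573.0 by SP2MKI(81.89.113.246)@JG1VGX-8 User SP2MKI not on node JG1VGX-8 via ON4KST-2 28 hops
21Feb2025 at 05:53:38 (progress) SPOT: HF95PZK on 3573.0 @ 0553Z by SP2MKI(81.89.113.246)@JG1VGX-8 '95th PZK - 100th IARU FT8' route: ON4KST-2
21Feb2025 at 06:47:40 (*) PCPROT: Bad Spot HF95PZK on 7074.0 by SP2MKI(145.89.214.218)@ON4KST-2 User SP2MKI not on node ON4KST-2 via ON4KST-2 28 hops
21Feb2025 at 08:48:22 (*) PCPROT: Bad Spot HF95PZK on 7047.0 by SP2MKI(54.225.51.18)@EA4FIT-2 User SP2MKI not on node EA4FIT-2 via ON4KST-2 28 hops
21Feb2025 at 13:03:32 (*) PCPROT: Bad Spot HF95PZK on 21074.0 by SP2MKI(150.102.129.109)@DO5SSB-2 User SP2MKI not on node DO5SSB-2 via F3KT-3 25 hops
"""

# Matches only the '(*) PCPROT: Bad Spot' lines, in the shape quoted in the thread.
BAD_SPOT_RE = re.compile(
    r"^(?P<date>\d{2}[A-Za-z]{3}\d{4}) at (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\(\*\) PCPROT: Bad Spot (?P<dx>\S+) on (?P<freq>[\d.]+) by "
    r"(?P<spotter>[^(\s]+)\((?P<ip>[^)]+)\)@(?P<node>\S+) "
    r"User \S+ not on node\s*(?P<node_claimed>\S+?),? (?:DUMPED )?via (?P<via>\S+) (?P<hops>\d+)"
)


def parse_bad_spots(text):
    """Return one dict per 'Bad Spot' line; other debug lines are skipped."""
    records = []
    for line in text.splitlines():
        m = BAD_SPOT_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def spots_by_claimed_node(records):
    """How many dumped spots name each origin node (the '@node' part, not the 'via' node)."""
    return Counter(r["node"] for r in records)


def suspicious_spotters(records, min_ips=2):
    """Spotters seen from at least min_ips distinct addresses, with the nodes each claimed.

    A real user logs in from one or two addresses. A callsign that shows up from
    several unrelated networks, each time claiming a different origin node, is the
    pattern described in the thread for SP2MKI.
    """
    ips, nodes = defaultdict(set), defaultdict(set)
    for r in records:
        ips[r["spotter"]].add(r["ip"])
        nodes[r["spotter"]].add(r["node"])
    return {
        call: {"ips": sorted(ips[call]), "nodes": sorted(nodes[call])}
        for call in ips
        if len(ips[call]) >= min_ips
    }


def claimed_from_here_but_never_seen(records, my_node, local_ips):
    """Spots that claim my_node as origin from an IP that never connected to my_node.

    local_ips stands in for the addresses 'grepdbg <ip>' finds on your own node.
    An empty grepdbg result for an address, as in the thread, means it was never
    a user here, so the spot was injected somewhere else in the network.
    """
    return [r for r in records if r["node"] == my_node and r["ip"] not in local_ips]


if __name__ == "__main__":
    recs = parse_bad_spots(SAMPLE_LOG)
    print("claimed origin nodes:", dict(spots_by_claimed_node(recs)))
    for call, info in suspicious_spotters(recs).items():
        print(f"{call}: {len(info['ips'])} addresses, claimed nodes {info['nodes']}")
    # Constructed assumption: only 86.18.176.21 has ever logged in to DO5SSB-2.
    for r in claimed_from_here_but_never_seen(recs, "DO5SSB-2", {"86.18.176.21"}):
        print("injected?", r["spotter"], r["ip"], r["date"], r["time"])
```

To run it against a real node, save the output of grepdbg "bad spot" to a file and pass its contents to parse_bad_spots(); the "via" node is kept separately from the claimed origin node because, as the quoted lines show, the same forged origin arrives through several different partners.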