[Dxspider-support] Further analysis of fake spots
Kin
ea3cv at cronux.net
Wed Feb 26 19:02:17 GMT 2025
René,
The way you put it, you will only waste your time. Spots between these nodes
will not be progressed.
Kin
-----Original Message-----
From: Dxspider-support <dxspider-support-bounces at tobit.co.uk> On behalf of
Rene Olsen via Dxspider-support
Sent: Wednesday, 26 February 2025 18:34
To: The DXSpider Support list <dxspider-support at tobit.co.uk>
CC: Rene Olsen <rene at rcolsen.dk>
Subject: Re: [Dxspider-support] Further analysis of fake spots
Hi.
Just a thought, and I have no way of testing it in a controlled environment.
What happens if this is done?
Someone installs DX-Spider (whatever version, but probably an older one that
still supports PC92 etc.) and sets some random node as a spider neighbour.
In this example let's say they use DO5BBS-2 as their own node call.
They simply do set/spider <nodecall> and create a connect script to that
node.
Then they connect to a node and present themselves as DO5BBS-2. Now, what
will the other node do? I am aware that the other node doesn't know DO5BBS-2
as a spider node, but I think that they may still start to talk PC92 even
though they are not 100% initialized.
Now I make tons of false spots as a user on DO5BBS-2. Might they actually
be sent on to the node I just tried to link to, and then passed on to the
network?
I am not able to test this, but in the past I have seen random nodes just
trying to connect to my node, and even though I have not done a set/spider
for the node, some traffic does happen between us. I am just not sure how
much.
I am aware that if the node I try to link to is running the most recent
version, and has password enabled, then the above is not possible. But there
are plenty of nodes that don't run the newest version (or even a recent
version) and don't require a password to log in.
Just a thought. Probably a wild shot.
Vy 73 de Rene / OZ1LQH
On 26 Feb 2025 at 10:04, Christopher Schlegel via Dxsp wrote:
> Also noticed this in my logs...
>
> Gregor and I are not node partners. He is not listed as a user
> anywhere in the logs that I can see, or using Kin's scripts. I have
> quite a few dropped spots in the log from DO5SSB-2.
>
> 057.dat:1740541297^(chan) -> D WI3W 985 DO5SSB-2 82.149.227.228/57768 E telnet Incoming ExtMsg
> 057.dat:1740541671^(chan) -> D WI3W 985 DO5SSB-2 82.149.227.228/57768 E telnet Incoming ExtMsg
> 057.dat:1740542595^(chan) -> D WI3W 985 DO5SSB-2 82.149.227.228/57768 E telnet Incoming ExtMsg
> 057.dat:1740544669^(chan) -> D WI3W 985 DO5SSB-2 82.149.227.228/57768 E telnet Incoming ExtMsg
> 057.dat:1740545171^(chan) -> D WI3W 985 DO5SSB-2 82.149.227.228/57768 E telnet Incoming ExtMsg
> 057.dat:1740546036^(chan) -> D WI3W 985 DO5SSB-2 82.149.227.228/57768 E telnet Incoming ExtMsg
> 057.dat:1740581025^(chan) -> D WI3W 985 DO5SSB-2 82.149.227.228/57768 E telnet Incoming ExtMsg
>
> Is it possible someone is abusing the "PC" command and forging spots
> that way?
>
> Chris, WI3W
>
>
>
> On Wed, Feb 26, 2025, 07:35 Kirill Ryabov via Dxspider-support <
> dxspider-support at tobit.co.uk> wrote:
>
> > Here are more and it looks like these IPs are real and from the
> > countries of the spotter. But spotters not on DO5SSB-2 node.
> >
> >
> > 26Feb2025 at 10:52:15 (*) PCPROT: Bad Spot 3Z100IARU on 18125.0 by G0DEF(86.18.176.21)@DO5SSB-2 User G0DEF not on node DO5SSB-2, DUMPED via RW3XA-8 27 hops
> > 26Feb2025 at 11:07:02 (*) PCPROT: Bad Spot R9YDC on 28448.0 by IW3INO(158.47.242.148)@DO5SSB-2 User IW3INO not on node DO5SSB-2, DUMPED via N2WQ-1 26 hops
> > 26Feb2025 at 11:12:56 (*) PCPROT: Bad Spot CT9/DK7YY on 24940.0 by HB9CVE(46.127.144.149)@DO5SSB-2 User HB9CVE not on node DO5SSB-2, DUMPED via RW3XA-8 25 hops
> > 26Feb2025 at 11:13:34 (*) PCPROT: Bad Spot VK9XU on 10133.0 by RO9O(212.15.62.218)@DO5SSB-2 User RO9O not on node DO5SSB-2, DUMPED via RW3XA-8 25 hops
> > 26Feb2025 at 11:20:20 (*) PCPROT: Bad Spot GI0CWV on 28485.0 by 9A6BMT(109.60.70.233)@DO5SSB-2 User 9A6BMT not on node DO5SSB-2, DUMPED via RW3XA-8 27 hops
> > 26Feb2025 at 11:31:40 (*) PCPROT: Bad Spot DD1HV on 18135.0 by G0DEF(86.18.176.21)@DO5SSB-2 User G0DEF not on node DO5SSB-2, DUMPED via RW3XA-8 25 hops
> > 26Feb2025 at 11:41:57 (*) PCPROT: Bad Spot VK9XU on 14210.0 by JH0OQZ(14.8.114.96)@DO5SSB-2 User JH0OQZ not on node DO5SSB-2, DUMPED via SV5FRI-1 27 hops
> > 26Feb2025 at 11:59:28 (*) PCPROT: Bad Spot G7NUT on 14074.6 by F4BJN(79.92.250.148)@DO5SSB-2 User F4BJN not on node DO5SSB-2, DUMPED via RW3XA-8 27 hops
> > 26Feb2025 at 11:59:55 (*) PCPROT: Bad Spot NK9NLD on 28475.0 by HA7DF(145.236.161.131)@DO5SSB-2 User HA7DF not on node DO5SSB-2, DUMPED via RW3XA-8 25 hops
> > 26Feb2025 at 12:10:59 (*) PCPROT: Bad Spot M7GJO on 14076.0 by F4BJN(79.92.250.148)@DO5SSB-2 User F4BJN not on node DO5SSB-2, DUMPED via RW3XA-8 25 hops
> > 26Feb2025 at 12:11:32 (*) PCPROT: Bad Spot GM3RIC on 18135.0 by IZ1HHT(213.45.237.111)@DO5SSB-2 User IZ1HHT not on node DO5SSB-2, DUMPED via RW3XA-8 26 hops
> > 26Feb2025 at 12:13:40 (*) PCPROT: Bad Spot EA4HPY on 28514.0 by HA7DF(145.236.161.131)@DO5SSB-2 User HA7DF not on node DO5SSB-2, DUMPED via RW3XA-8 25
> >
> >
> > Kirill
> > R5ACQ
> >
> > 25.02.2025 20:44, Gregor Surmann via Dxspider-support :
> > > Hello guys!
> > >
> > > I have found some interesting stuff. I was seeking for the
> > > information, if my SSID/Call was forged. Yes, it was:
> > >
> > > sysop at dxspider:~$ grepdbg "bad spot" | grep -i do5ssb
> > > 21Feb2025 at 13:03:32 (*) PCPROT: Bad Spot HF95PZK on 21074.0 by SP2MKI(150.102.129.109)@DO5SSB-2 User SP2MKI not on node DO5SSB-2 via F3KT-3 25 hops
> > >
> > > sysop at dxspider:~$ grepdbg HF95PZK | grep -i SP2MKI
> > > 21Feb2025 at 05:53:38 (*) PCPROT: Bad Spot HF95PZK on 3573.0 by SP2MKI(81.89.113.246)@JG1VGX-8 User SP2MKI not on node JG1VGX-8 via ON4KST-2 28 hops
> > > 21Feb2025 at 05:53:38 (progress) SPOT: HF95PZK on 3573.0 @ 0553Z by SP2MKI(81.89.113.246)@JG1VGX-8 '95th PZK - 100th IARU FT8' route: ON4KST-2
> > > 21Feb2025 at 06:47:40 (*) PCPROT: Bad Spot HF95PZK on 7074.0 by SP2MKI(145.89.214.218)@ON4KST-2 User SP2MKI not on node ON4KST-2 via ON4KST-2 28 hops
> > > 21Feb2025 at 06:47:40 (progress) SPOT: HF95PZK on 7074.0 @ 0647Z by SP2MKI(145.89.214.218)@ON4KST-2 'ft8 95th PZK - 100th IARU' route: ON4KST-2
> > > 21Feb2025 at 08:48:22 (*) PCPROT: Bad Spot HF95PZK on 7047.0 by SP2MKI(54.225.51.18)@EA4FIT-2 User SP2MKI not on node EA4FIT-2 via ON4KST-2 28 hops
> > > 21Feb2025 at 08:48:22 (progress) SPOT: HF95PZK on 7047.0 @ 0848Z by SP2MKI(54.225.51.18)@EA4FIT-2 '95th PZK - 100th IARU FT4' route: ON4KST-2
> > > 21Feb2025 at 09:10:13 (*) PCPROT: Bad Spot HF95PZK on 14080.0 by SP2MKI(36.134.227.136)@IV3SCP-6 User SP2MKI not on node IV3SCP-6 via F6KVP-3 26 hops
> > > [...more...spots...]
> > > 21Feb2025 at 22:44:41 (*) PCPROT: Bad Spot HF95PZK on 7047.0 by SP2MKI(59.181.166.39)@SM7IUN-3 User SP2MKI not on node SM7IUN-3 via ON4KST-2 28 hops
> > >
> > > sysop at dxspider:~$ grepdbg 150.102.129.109
> > > sysop at dxspider:~$
> > >
> > > So, there was never a user with the IP 150.102.129.109 here, but
> > > the spot originated at DO5SSB-2, strange.
> > >
> > > This means, that someone is injecting packets at some point in the
> > > network, without being on the node itself, not before, not while
> > > and not after the spot.
> > >
> > > Or, maybe the famous VE7CC-1 is doing nasty stuff?
> > >
> > > All of the IPs do exist in the global BGP routing, many of them
> > > are in AWS or other data centers.
> > >
> > > But probably none of the IPs are from the countries the callsign is in.
> > >
> > > So, either someone is using the clusters and faking spots, or
> > > someone is injecting PC messages somewhere.
> > >
> > > 73 de Gregor, DO5SSB
> > >
> > > _______________________________________________
> > > Dxspider-support mailing list
> > > Dxspider-support at tobit.co.uk
> > > https://mailman.tobit.co.uk/mailman/listinfo/dxspider-support
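
Added example (not part of the original thread and not DXSpider code): a Python version of the triage done by hand with grepdbg in the quoted messages, grouping "Bad Spot" records by spotter so that one callsign claimed from several IPs or origin nodes stands out, and counting which neighbour each record names after "via". The sample lines, callsigns, node names and IPs are constructed; it assumes one record per line in the format quoted in this thread.

```python
import re
from collections import defaultdict

# "PCPROT: Bad Spot" record, in the format quoted in this thread
# (with or without the ", DUMPED" marker).
BAD_SPOT = re.compile(
    r"PCPROT: Bad Spot (?P<dx>\S+) on (?P<freq>[\d.]+) by "
    r"(?P<spotter>[^\s(]+)\((?P<ip>[^)]+)\)@(?P<origin>\S+) "
    r"User \S+ not on node [^\s,]+,?(?: DUMPED)? via (?P<via>\S+) (?P<hops>\d+) hops"
)

# Constructed sample input: callsigns, node names and IPs are made up
# (the IPs come from the RFC 5737 documentation ranges).
SAMPLE = """\
21Feb2025 at 05:53:38 (*) PCPROT: Bad Spot X0DX on 3573.0 by N0CALL(192.0.2.10)@XX1NOD-2 User N0CALL not on node XX1NOD-2 via XX9HUB-1 28 hops
21Feb2025 at 06:47:40 (*) PCPROT: Bad Spot X0DX on 7074.0 by N0CALL(198.51.100.7)@XX2NOD-3 User N0CALL not on node XX2NOD-3 via XX9HUB-1 28 hops
21Feb2025 at 06:47:40 (progress) SPOT: X0DX on 7074.0 @ 0647Z by N0CALL(198.51.100.7)@XX2NOD-3 'test' route: XX9HUB-1
26Feb2025 at 10:52:15 (*) PCPROT: Bad Spot X0DX on 18125.0 by N1CALL(203.0.113.5)@XX1NOD-2 User N1CALL not on node XX1NOD-2, DUMPED via XX8HUB-8 27 hops
"""

def parse_bad_spots(lines):
    """Yield one dict per Bad Spot record; other lines (e.g. SPOT:) are skipped."""
    for line in lines:
        m = BAD_SPOT.search(line)
        if m:
            yield m.groupdict()

def summarise(records, threshold=2):
    """Return (suspects, ingress).

    suspects: spotter -> (IPs, origin nodes) for callsigns claimed from
              at least `threshold` distinct IPs or origin nodes.
    ingress:  node named after "via" -> number of bad spots naming it.
    """
    ips, origins, ingress = defaultdict(set), defaultdict(set), defaultdict(int)
    for r in records:
        ips[r["spotter"]].add(r["ip"])
        origins[r["spotter"]].add(r["origin"])
        ingress[r["via"]] += 1
    suspects = {
        call: (sorted(ips[call]), sorted(origins[call]))
        for call in ips
        if len(ips[call]) >= threshold or len(origins[call]) >= threshold
    }
    return suspects, dict(ingress)

if __name__ == "__main__":
    print(summarise(parse_bad_spots(SAMPLE.splitlines())))
```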