<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">It appears that someone took it upon
themselves to disrupt the DXCluster network over the contest
weekend. But it was nothing to do with Larry or, indeed, anyone
else that might appear, at first glance, to have done this.. <br>
<br>
Essentially someone seems to have written a bot which connects to
a node, listens for spots, then connects to one or more nodes
(WA9PIE-2 was one of them, there are clearly many others) and,
after a short pause, logs onto the victim node as the spotted
callsign, replays the original spot but now as though they have
spotted themselves. <br>
<br>
The bot (as I am pretty sure this is) was running during the
entire contest. It was located at IP address 217.61.58.23 probably
in a docker image or some such. This IP address reverse lookups to
a server in Aruba.net's cloud. The hostname
(host23-58-61-217.serverdedicati.aruba.it) suggests that it is a
dedicated server, so it may be possible to trace the "owner" at
the time, hence I am copying the ISP in (<font color="#ff0000">Aruba</font>:
see later on for an explanation). <br>
<br>
Anyway, this is the sort of interaction that one of these spots
takes:<br>
<font face="monospace"><br>
31Oct2021@23:19:02 (*) N5AW connected from 217.61.58.23<br>
31Oct2021@23:19:02 (progress) CMD: 'show/cluster ' by N5AW ip:
217.61.58.23 0mS<br>
31Oct2021@23:19:02 (progress) CMD: 'DX N5AW 21229.7' by N5AW ip:
217.61.58.23 44mS<br>
31Oct2021@23:19:02 (progress) CMD: 'bye ' by N5AW ip:
217.61.58.23 8mS</font><br>
<br>
This happens to come from WA9PIE-2, but the bot connects to
several other nodes, yielding more spots:<br>
<br>
<font face="monospace">31Oct2021@23:19:06 (progress) SPOT: EA3QP
on 7173.5 @ 2319Z by EA3QP(217.61.58.23)@N6WS-6 '' route: N7OD<br>
31Oct2021@23:19:16 (progress) SPOT: VA3MW on 7215.1 @ 2319Z by
VA3MW(217.61.58.23)@ED3ZAK-5 '' route: EA4RCH-5<br>
31Oct2021@23:19:21 (progress) SPOT: VO2NS on 14173.2 @ 2319Z by
VO2NS(217.61.58.23)@IK2XDE-6 '' route: AE5E<br>
31Oct2021@23:19:23 (progress) SPOT: K3EST on 21343.9 @ 2319Z by
K3EST(217.61.58.23)@ED3ZAK-5 '' route: EA4RCH-5<br>
31Oct2021@23:19:37 (progress) SPOT: KL7RA on 14337.9 @ 2319Z by
KL7RA(217.61.58.23)@VE9SC '' route: VE9SC<br>
31Oct2021@23:19:41 (progress) SPOT: CE6CGX on 21317.7 @ 2319Z by
CE6CGX(217.61.58.23)@DB0ERF-5 '' route: GB7DJK<br>
31Oct2021@23:19:52 (progress) SPOT: ED1R on 3786.4 @ 2319Z by
ED1R(217.61.58.23)@ON4KST-2 '' route: MX0NCA-2<br>
31Oct2021@23:19:54 (progress) SPOT: HB9H on 7174.3 @ 2319Z by
HB9H(217.61.58.23)@EA4URE-5 '' route: PI4CC<br>
31Oct2021@23:19:57 (progress) SPOT: SE0X on 1832.0 @ 2319Z by
SE0X(217.61.58.23)@EA4URE-3 '' route: PI4CC<br>
31Oct2021@23:20:08 (progress) SPOT: EW5A on 3761.0 @ 2320Z by
EW5A(217.61.58.23)@DB0ERF-5 '' route: MX0NCA-2<br>
31Oct2021@23:20:13 (progress) SPOT: LZ9W on 3790.0 @ 2320Z by
LZ9W(217.61.58.23)@UN1HQ-8 '' route: PI4CC<br>
31Oct2021@23:20:29 (progress) SPOT: VE4VT on 14253.4 @ 2320Z by
VE4VT(217.61.58.23)@ON4KST-2 '' route: GB7DJK<br>
</font><br>
There were 864 of these on Saturday and 1935 on Sunday (either
originating at WA9PIE-2 or passing through). There are almost
certainly (many?) more than this because there are many older
nodes that don't pass on IP address information.<br>
<br>
<b><font color="#ff0000">For Aruba.net</font></b>:<br>
<br>
What is a DX Cluster?:
<a class="moz-txt-link-freetext" href="https://www.amateur-radio-wiki.net/what-is-a-dx-cluster/">https://www.amateur-radio-wiki.net/what-is-a-dx-cluster/</a> and
<a class="moz-txt-link-freetext" href="https://carcbradios.com/what-is-a-dx-cluster/">https://carcbradios.com/what-is-a-dx-cluster/</a><br>
CQWW?: <a class="moz-txt-link-freetext" href="https://www.cqww.com/index.htm">https://www.cqww.com/index.htm</a><br>
Ham Radio?: <a class="moz-txt-link-freetext" href="https://en.wikipedia.org/wiki/Amateur_radio">https://en.wikipedia.org/wiki/Amateur_radio</a><br>
<br>
To explain why this is a problem: This is a contest where one
amateur radio station contacts another somewhere in the world. A
short message is exchanged and logged. Each station has a
callsign. The winner(s) (there are several classes) are (very
basically) the stations that have the most contacts, on the most
amateur radio bands, in the most "zones". <br>
<br>
Many non-contesting stations use the opportunity of contests like
this to "work" a rare station and "spot" that station as being
active at a specific time and frequency over the cluster network.
Active contestants <i>can</i> (but rarely do) "spot" <u><b>another</b></u>
station (different callsign). Spotting yourself (<u><b>same</b></u>
callsign) means instant disqualification. <br>
<br>
The person responsible for this, has actively tried to disrupt
this highlight of the contesting calendar, by issuing fake
"self-spots". This will now require days of analysis and
adjudication by the contest committee that will have enough work
already trying to verify and cross check 35,000 contest logs.
Logs from the DXCluster network can normally be used to aid this
process. Probably not so much this year...<br>
<br>
Please would you find out who is responsible for this. <br>
<br>
Regards<br>
<br>
Dirk Koopman G1TLH<br>
Author, DXSpider cluster software.<br>
<br>
On 02/11/2021 20:52, Larry Strasser wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAMHia_F7-8CfKSK0+hMErO2+eGKJG--RRo9MdNze3PX8DZorUw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="auto">
<div><br>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Nov 1, 2021, 10:01
PM Marty Sullaway <<a
href="mailto:marty.sullaway@gmail.com"
moz-do-not-send="true">marty.sullaway@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_default"
style="font-family:tahoma,sans-serif;color:rgb(68,68,68)">Hi
Larry,</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;color:rgb(68,68,68)">I
hope you're doing well. My name is Marty Sullaway
NN1C, and I was one of the operators at ZF1A this
weekend in the CQ WW SSB contest. </div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;color:rgb(68,68,68)">We
found out this weekend that someone was
fictitiously using our callsign to self-spot ZF1A,
claiming to be ZF1A, except they were not. In looking
through Gerry/W1VE's cluster logs, I found that he got
the fictitious spots from your DXSpider node. I am
reaching out to see if you would be kind enough to
pass along your cluster log from this weekend or let
me know what node these spots originated from. The
three in question are listed below.</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;color:rgb(68,68,68)">INFO
2021-10-31 18:04:30 DxSpotTelnet Exec
- [0.00813] K2LS->DX de ZF1A: 28347.1
ZF1A 1804Z<br>
<br>
INFO 2021-10-31 18:52:17 DxSpotTelnet Exec
- [0.00457] K2LS->DX de ZF1A:
21250.8 ZF1A
1852Z<br>
<br>
INFO 2021-10-31 22:49:08 DxSpotTelnet Exec
- [0.00610] K2LS->DX de ZF1A:
14297.4 ZF1A
2249Z<br>
</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;color:rgb(68,68,68)">Thank
you so much in advance,</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;color:rgb(68,68,68)">Marty
Sullaway</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;color:rgb(68,68,68)">NN1C</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;color:rgb(68,68,68)">NN1C</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>