Off the Kuff Rotating Header Image

The truth is out there on the Ministers for Keryl email

In response to my previous post about the homophobic “Ministers for Keryl” email, a couple of commenters said that we didn’t have enough evidence to determine whether or not the email was genuine or spoofed. So, based on that feedback I’m going to provide as much information as I can to see what we can learn.

The starting point for this kind of investigation is always the full headers of the email in question, as that’s how you can tell where the email originated, what path it took, and whether there’s anything bogus in there that would point to some kind of skulduggery. Different email clients have different ways of exposing this information to you. In Gmail, you click the dropdown menu next to the Reply button, and choose Show Original:

It opens the result onto a new webpage. Here’s what I get for the header information (it also includes the full HTML and Java code for the body of the email, which I will omit here) for the infamous “Ministers for Keryl” email:

Delivered-To: cakuffner@gmail.com Received: by 10.182.14.138 with SMTP id p10csp103284obc; Mon, 9 Apr 2012 11:33:58 -0700 (PDT) Received: by 10.224.98.3 with SMTP id o3mr10492149qan.62.1333996438456; Mon, 09 Apr 2012 11:33:58 -0700 (PDT) Return-Path: bounce-mc.us4_9329605.111797-cakuffner=gmail.com@mail125.us2.mcsv.net Received: from mail125.us2.mcsv.net (mail125.us2.mcsv.net. [173.231.139.125]) by mx.google.com with ESMTP id a8si13886738qao.49.2012.04.09.11.33.58; Mon, 09 Apr 2012 11:33:58 -0700 (PDT) Received-SPF: pass (google.com: domain of bounce-mc.us4_9329605.111797-cakuffner=gmail.com@mail125.us2.mcsv.net designates 173.231.139.125 as permitted sender) client-ip=173.231.139.125; Authentication-Results: mx.google.com; spf=pass (google.com: domain of bounce-mc.us4_9329605.111797-cakuffner=gmail.com@mail125.us2.mcsv.net designates 173.231.139.125 as permitted sender) smtp.mail=bounce-mc.us4_9329605.111797-cakuffner=gmail.com@mail125.us2.mcsv.net; dkim=pass header.i=MinistersForKerylDouglas=3Dyahoo.com@mail125.us2.mcsv.net DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail125.us2.mcsv.net; h=Subject:From:Reply-To:To:Date:Message-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=MinistersForKerylDouglas=3Dyahoo.com@mail125.us2.mcsv.net; bh=Sr1KnAmgb/3XEASAZvhocc4+cHA=; b=e8rsMzkHmbg1qzZiRx3SVuTNq5fJ+NWjB9WsTd3YN9fjRK993EOa0se1P/HqnGMUrZo7TDF89H1P s/qbDgg95CMhYHYNMTdiTNVadBsT1jwdiuD27q8aiV19GoCpnVNAfRNEHBzWwHS3YgGcKTPm8QQY l6NzRMBaP+rqmgGZB38= DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=mail125.us2.mcsv.net; b=cSuqm0G7Gnm0HemlKLpwfQT4dJyqIgwcVV31ziTnSK/G4jsWl8OlFm47bvAh7AmNkLTdCrZyH7mX gOMZ8an++wh/JMBIdozWwfDEzTCcjXn+BfIqOqe/88wB3xHP+qhGdPAWgUGbzEvxjfzJJGrv90cv c/2qL94pTDyNSTyRlYE=; Received: from (127.0.0.1) by mail125.us2.mcsv.net (PowerMTA(TM) v3.5r16) id hgclpc11djob for cakuffner@gmail.com; Mon, 9 Apr 2012 18:29:05 +0000 (envelope-from bounce-mc.us4_9329605.111797-cakuffner=gmail.com@mail125.us2.mcsv.net) Subject: =?utf-8?Q?Support=20Keryl=20Douglas=20for=20Harris=20Democratic=20Chair?= From: =?utf-8?Q?Rev.=20Willie=20J.=20Howard?= MinistersForKerylDouglas@yahoo.com Reply-To: =?utf-8?Q?Rev.=20Willie=20J.=20Howard?= MinistersForKerylDouglas@yahoo.com To: cakuffner@gmail.com Date: Mon, 9 Apr 2012 18:29:05 +0000 Message-ID: 83ae24d69daa2a0b2455947fc65e3510466.20120409182858@mail125.us2.mcsv.net X-Mailer: MailChimp Mailer - **CID03a4f8c00a65e3510466** X-Campaign: mailchimp83ae24d69daa2a0b2455947fc.03a4f8c00a X-campaignid: mailchimp83ae24d69daa2a0b2455947fc.03a4f8c00a x-im: 38509-03a4f8c00a X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=83ae24d69daa2a0b2455947fc&id=03a4f8c00a&e=65e3510466 x-accounttype: ff List-Unsubscribe: mailto:unsubscribe-83ae24d69daa2a0b2455947fc-03a4f8c00a-65e3510466@mailin1.us2.mcsv.net?subject=unsubscribe, http://keryldouglascampaign.us4.list-manage2.com/unsubscribe?u=83ae24d69daa2a0b2455947fc&id=0c4af39c85&e=65e3510466&c=03a4f8c00a>\ Sender: "Rev. Willie J. Howard" MinistersForKerylDouglas=yahoo.com@mail125.us2.mcsv.net x-mcda: FALSE Content-Type: multipart/alternative; boundary="_----------=_MCPart_1217078024" MIME-Version: 1.0

That may look like a lot of gobbledegook if you’re not a techie, but there are a few important things to highlight. Where it says “Received: from mail125.us2.mcsv.net (mail125.us2.mcsv.net. [173.231.139.125])”, the key things are that “mail125.us2.mcsv.net” appears to be a MailChimp server – “mcsv.net” resolves to http://mailchimp.com/about/mcsv/ if you plug it into a browser – and that 173.231.139.125 is indeed the IP address for mail125.us2.mcsv.net – open a command prompt and do “ping -a 173.231.139.125″ to see for yourself. We can therefore say that the email does appear to have originated with MailChimp, which as Noel Freeman noted in that Dallas Voice story was what the GLBT Political Caucus used to make the accusation that the email came from Keryl Douglas’ campaign.

That’s not enough for a conviction. As commenter Paul said to me in an email, it would be nice to be able to compare these headers to those from an email known to have come from a campaign via MailChimp. As it happens, I have several of those from the Keryl Douglas campaign in my mailbox. Here are the headers from the most recent one, dated January 23.

Delivered-To: cakuffner@gmail.com Received: by 10.182.81.230 with SMTP id d6cs32291oby; Mon, 23 Jan 2012 01:04:06 -0800 (PST) Received: by 10.224.168.84 with SMTP id t20mr7916103qay.2.1327309445041; Mon, 23 Jan 2012 01:04:05 -0800 (PST) Return-Path: bounce-mc.us4_7332577.43837-cakuffner=gmail.com@mail120.us2.mcsv.net Received: from mail120.us2.mcsv.net (mail120.us2.mcsv.net. [173.231.139.120]) by mx.google.com with ESMTP id d10si4311876qcx.187.2012.01.23.01.04.04; Mon, 23 Jan 2012 01:04:05 -0800 (PST) Received-SPF: pass (google.com: domain of bounce-mc.us4_7332577.43837-cakuffner=gmail.com@mail120.us2.mcsv.net designates 173.231.139.120 as permitted sender) client-ip=173.231.139.120; Authentication-Results: mx.google.com; spf=pass (google.com: domain of bounce-mc.us4_7332577.43837-cakuffner=gmail.com@mail120.us2.mcsv.net designates 173.231.139.120 as permitted sender) smtp.mail=bounce-mc.us4_7332577.43837-cakuffner=gmail.com@mail120.us2.mcsv.net; dkim=pass header.i=KerylDouglasforHCDP=3Dgmail.com@mail120.us2.mcsv.net DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail120.us2.mcsv.net; h=Subject:From:Reply-To:To:Date:Message-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=KerylDouglasforHCDP=3Dgmail.com@mail120.us2.mcsv.net; bh=ntfeE12aE8Vd8ky8gyVOZYlgy90=; b=Al+GShpwJsaGcDiox+RHHVKr5LzftL/sSCdd0QZU0cx5LSN4DfPotIhBZYHDdziUBgtQMuUFWxpD /REnpk1Yrbj0Gz1kHdwFP1zwbluQEtuLmF6rT/YxtyyEvxZ0Mhm+RBIhos6HK8CIIk6vdYim6eZH otqd3xPJvpYJYeJ6e0E= DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=mail120.us2.mcsv.net; b=Bfe7MCVMbSbZ19eaGOTOAUNNM6I4j/GcRXpswVR8oRDBH9Q9LOBDgF46wxn2bwl5Rx0Ngp+dV0Os Qb/K1+ZpYiaVrBSnmcqS82b5ojXxvPcnnM/u9cn7ai9b8vu1QAW+u5LYeX4/G6qQOqKl9y2paef/ /BUOIjno3/IXcKSQAjM=; Received: from (127.0.0.1) by mail120.us2.mcsv.net (PowerMTA(TM) v3.5r16) id h3kh8811djoh for cakuffner@gmail.com; Mon, 23 Jan 2012 09:03:58 +0000 (envelope-from bounce-mc.us4_7332577.43837-cakuffner=gmail.com@mail120.us2.mcsv.net) Subject: =?utf-8?Q?You=20can=20repeat=20history=20in=202012=21?= From: =?utf-8?Q?Keryl=20L.=20Douglas=20Campaign?= KerylDouglasforHCDP@gmail.com Reply-To: =?utf-8?Q?Keryl=20L.=20Douglas=20Campaign?= KerylDouglasforHCDP@gmail.com To: cakuffner@gmail.com Date: Mon, 23 Jan 2012 09:03:58 +0000 Message-ID: d87e28aeb03746ebd23666dd05f508aea06.20120123090345@mail120.us2.mcsv.net X-Mailer: MailChimp Mailer - **CID0160311a9e5f508aea06** X-Campaign: mailchimpd87e28aeb03746ebd23666dd0.0160311a9e X-campaignid: mailchimpd87e28aeb03746ebd23666dd0.0160311a9e x-im: 38509-0160311a9e X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=d87e28aeb03746ebd23666dd0&id=0160311a9e&e=5f508aea06 x-accounttype: ff List-Unsubscribe: mailto:unsubscribe-d87e28aeb03746ebd23666dd0-0160311a9e-5f508aea06@mailin1.us2.mcsv.net?subject=unsubscribe, http://democrats.us4.list-manage.com/unsubscribe?u=d87e28aeb03746ebd23666dd0&id=7151477e83&e=5f508aea06&c=0160311a9e Sender: "Keryl L. Douglas Campaign" KerylDouglasforHCDP=gmail.com@mail120.us2.mcsv.net x-mcda: FALSE Content-Type: multipart/alternative; boundary="_----------=_MCPart_1410715978" MIME-Version: 1.0

They look more or less the same; the IP address and mail server in the “Received from” match up as before. The main difference I see is in the “List-Unsubscribe” line; where the Douglas campaign email has “http://democrats.us4.list-manage.com/unsubscribe”, the Ministers for Keryl email has “http://keryldouglascampaign.us4.list-manage2.com”. (Those addresses also resolve to the MailChimp domain, by the way.) I wondered what that might mean, so I checked a couple of other MailChimp campaign emails I have. There’s one from the Elaine Palmer campaign dated February 6 for which the List-Unsubscribe is “http://ElaineHPalmerforJudge.us4.list-manage2.com/unsubscribe”, and one from the Andrew Burks for City Council campaign dated December 22 for which the List-Unsubscribe is “http://andrewburksforhouston.us4.list-manage.com/unsubscribe”. Seems pretty clear to me.

Again, not enough for a conviction, but nothing that would lead to an acquittal, either. I think we’re at the limit of what I can tell from the emails, but we can certainly get closer to the truth than this. Since everything indicates that the Ministers For Keryl email did come via MailChimp, then the next step is to ask them to check their logs to see what they can say about where it originated. I doubt they’d turn that information over without a paid account or a subpoena, neither of which I have. Not that it really matters, since I don’t have the bandwidth to pursue this any further, but there are surely other parties who ought to be able to. Keryl Douglas, who according to Noel Freeman claimed at her press conference that her account had been hacked, would presumably be interested in ferreting out the truth if she really has been victimized. Having formally accused her of being responsible, the GLBT Political Caucus might want to get an answer. And of course, a professional reporter might want to take advantage of the resources that a professional newsgathering organization could bring to bear on the matter. My point is that this isn’t another he-said/she-said dispute, and it should not be treated as one. There’s an objective answer to this question, and while we may not be able to answer it definitively, we can at least narrow down the objective possibilities. Wouldn’t that be nice?

Related Posts:

5 Comments

  1. Paul Havlak says:

    Now, if the links at the end of the emails are constructed by MailChimp (as claimed by the Dallas Voice), and not user-editable, then that would confirm that both the “ministers” emails and official KD campaign ones came from the same account.

    That would further narrow the question to one of authorized vs. unauthorized use of the KD campaign account.

  2. Michael Croft says:

    I have a ticket in to mail chimp’s abuse group.

    It’s got a different campaign ID, which is mailchimp’s unique identifier that ties it back to who paid for it.

    I’ll let you know what they say.

  3. […] More from Kuffer today on the source of the hate email. […]

  4. Temple Houston says:

    Thank you for following up on this matter. Whether this is the result of someone hacking the Keryl Douglas campaign’s email or that someone connected with that campaign wasn’t quite as sharp as they thought, this tactic stinks and the people behind it need to be exposed.

  5. […] we really don’t know who sent that “Ministers for Keryl” email. All that fancy analysis of the headers tells us is that the email was sent via MailChimp. We can’t determine anything further from […]

Bookmark and Share