In response to my previous post about the homophobic “Ministers for Keryl” email, a couple of commenters said that we didn’t have enough evidence to determine whether or not the email was genuine or spoofed. So, based on that feedback I’m going to provide as much information as I can to see what we can learn.
The starting point for this kind of investigation is always the full headers of the email in question, as that’s how you can tell where the email originated, what path it took, and whether there’s anything bogus in there that would point to some kind of skulduggery. Different email clients have different ways of exposing this information to you. In Gmail, you click the dropdown menu next to the Reply button, and choose Show Original:
That opens the raw message in a new browser tab. Here’s the header information I get for the infamous “Ministers for Keryl” email (the raw message also includes the full HTML and Java code for the body of the email, which I will omit here):
Delivered-To: email@example.com
Received: by 10.182.14.138 with SMTP id p10csp103284obc; Mon, 9 Apr 2012 11:33:58 -0700 (PDT)
Received: by 10.224.98.3 with SMTP id o3mr10492149qan.62.1333996438456; Mon, 09 Apr 2012 11:33:58 -0700 (PDT)
Return-Path: firstname.lastname@example.org
Received: from mail125.us2.mcsv.net (mail125.us2.mcsv.net. [18.104.22.168]) by mx.google.com with ESMTP id a8si13886738qao.49.2012.04.09.11.33.58; Mon, 09 Apr 2012 11:33:58 -0700 (PDT)
Received-SPF: pass (google.com: domain of email@example.com designates 22.214.171.124 as permitted sender) client-ip=126.96.36.199;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of firstname.lastname@example.org designates 188.8.131.52 as permitted sender) email@example.com; dkim=pass header.i=MinistersForKerylDouglas=3Dyahoo.firstname.lastname@example.org
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail125.us2.mcsv.net; h=Subject:From:Reply-To:To:Date:Message-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=MinistersForKerylDouglas=3Dyahoo.email@example.com; bh=Sr1KnAmgb/3XEASAZvhocc4+cHA=; b=e8rsMzkHmbg1qzZiRx3SVuTNq5fJ+NWjB9WsTd3YN9fjRK993EOa0se1P/HqnGMUrZo7TDF89H1P s/qbDgg95CMhYHYNMTdiTNVadBsT1jwdiuD27q8aiV19GoCpnVNAfRNEHBzWwHS3YgGcKTPm8QQY l6NzRMBaP+rqmgGZB38=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=mail125.us2.mcsv.net; b=cSuqm0G7Gnm0HemlKLpwfQT4dJyqIgwcVV31ziTnSK/G4jsWl8OlFm47bvAh7AmNkLTdCrZyH7mX gOMZ8an++wh/JMBIdozWwfDEzTCcjXn+BfIqOqe/88wB3xHP+qhGdPAWgUGbzEvxjfzJJGrv90cv c/2qL94pTDyNSTyRlYE=;
Received: from (127.0.0.1) by mail125.us2.mcsv.net (PowerMTA(TM) v3.5r16) id hgclpc11djob for firstname.lastname@example.org; Mon, 9 Apr 2012 18:29:05 +0000 (envelope-from email@example.com)
Subject: =?utf-8?Q?Support=20Keryl=20Douglas=20for=20Harris=20Democratic=20Chair?=
From: =?utf-8?Q?Rev.=20Willie=20J.=20Howard?= MinistersForKerylDouglas@yahoo.com
Reply-To: =?utf-8?Q?Rev.=20Willie=20J.=20Howard?= MinistersForKerylDouglas@yahoo.com
To: firstname.lastname@example.org
Date: Mon, 9 Apr 2012 18:29:05 +0000
Message-ID: email@example.com
X-Mailer: MailChimp Mailer - **CID03a4f8c00a65e3510466**
X-Campaign: mailchimp83ae24d69daa2a0b2455947fc.03a4f8c00a
X-campaignid: mailchimp83ae24d69daa2a0b2455947fc.03a4f8c00a
x-im: 38509-03a4f8c00a
X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=83ae24d69daa2a0b2455947fc&id=03a4f8c00a&e=65e3510466
x-accounttype: ff
List-Unsubscribe: mailto:firstname.lastname@example.org?subject=unsubscribe, http://keryldouglascampaign.us4.list-manage2.com/unsubscribe?u=83ae24d69daa2a0b2455947fc&id=0c4af39c85&e=65e3510466&c=03a4f8c00a>
Sender: "Rev. Willie J. Howard" MinistersForKerylDouglasemail@example.com
x-mcda: FALSE
Content-Type: multipart/alternative; boundary="_----------=_MCPart_1217078024"
MIME-Version: 1.0
That may look like a lot of gobbledegook if you’re not a techie, but there are a few important things to highlight. Where it says “Received: from mail125.us2.mcsv.net (mail125.us2.mcsv.net. [184.108.40.206])”, the key things are that “mail125.us2.mcsv.net” appears to be a MailChimp server – “mcsv.net” redirects to http://mailchimp.com/about/mcsv/ if you plug it into a browser – and that 220.127.116.11 is indeed the IP address for mail125.us2.mcsv.net – open a command prompt and do “ping -a 18.104.22.168” to see for yourself (on Windows, the -a switch does a reverse DNS lookup on the address). We can therefore say that the email does appear to have originated with MailChimp, which, as Noel Freeman noted in that Dallas Voice story, was what the GLBT Political Caucus used to make the accusation that the email came from Keryl Douglas’ campaign.
That’s not enough for a conviction. As commenter Paul said to me in an email, it would be nice to be able to compare these headers to those from an email known to have come from a campaign via MailChimp. As it happens, I have several of those from the Keryl Douglas campaign in my mailbox. Here are the headers from the most recent one, dated January 23.
Delivered-To: firstname.lastname@example.org
Received: by 10.182.81.230 with SMTP id d6cs32291oby; Mon, 23 Jan 2012 01:04:06 -0800 (PST)
Received: by 10.224.168.84 with SMTP id t20mr7916103qay.2.1327309445041; Mon, 23 Jan 2012 01:04:05 -0800 (PST)
Return-Path: email@example.com
Received: from mail120.us2.mcsv.net (mail120.us2.mcsv.net. [22.214.171.124]) by mx.google.com with ESMTP id d10si4311876qcx.187.2012.01.23.01.04.04; Mon, 23 Jan 2012 01:04:05 -0800 (PST)
Received-SPF: pass (google.com: domain of firstname.lastname@example.org designates 126.96.36.199 as permitted sender) client-ip=188.8.131.52;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of email@example.com designates 184.108.40.206 as permitted sender) firstname.lastname@example.org; dkim=pass header.i=KerylDouglasforHCDP=3Dgmail.email@example.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail120.us2.mcsv.net; h=Subject:From:Reply-To:To:Date:Message-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=KerylDouglasforHCDP=3Dgmail.firstname.lastname@example.org; bh=ntfeE12aE8Vd8ky8gyVOZYlgy90=; b=Al+GShpwJsaGcDiox+RHHVKr5LzftL/sSCdd0QZU0cx5LSN4DfPotIhBZYHDdziUBgtQMuUFWxpD /REnpk1Yrbj0Gz1kHdwFP1zwbluQEtuLmF6rT/YxtyyEvxZ0Mhm+RBIhos6HK8CIIk6vdYim6eZH otqd3xPJvpYJYeJ6e0E=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=mail120.us2.mcsv.net; b=Bfe7MCVMbSbZ19eaGOTOAUNNM6I4j/GcRXpswVR8oRDBH9Q9LOBDgF46wxn2bwl5Rx0Ngp+dV0Os Qb/K1+ZpYiaVrBSnmcqS82b5ojXxvPcnnM/u9cn7ai9b8vu1QAW+u5LYeX4/G6qQOqKl9y2paef/ /BUOIjno3/IXcKSQAjM=;
Received: from (127.0.0.1) by mail120.us2.mcsv.net (PowerMTA(TM) v3.5r16) id h3kh8811djoh for email@example.com; Mon, 23 Jan 2012 09:03:58 +0000 (envelope-from firstname.lastname@example.org)
Subject: =?utf-8?Q?You=20can=20repeat=20history=20in=202012=21?=
From: =?utf-8?Q?Keryl=20L.=20Douglas=20Campaign?= KerylDouglasforHCDP@gmail.com
Reply-To: =?utf-8?Q?Keryl=20L.=20Douglas=20Campaign?= KerylDouglasforHCDP@gmail.com
To: email@example.com
Date: Mon, 23 Jan 2012 09:03:58 +0000
Message-ID: firstname.lastname@example.org
X-Mailer: MailChimp Mailer - **CID0160311a9e5f508aea06**
X-Campaign: mailchimpd87e28aeb03746ebd23666dd0.0160311a9e
X-campaignid: mailchimpd87e28aeb03746ebd23666dd0.0160311a9e
x-im: 38509-0160311a9e
X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=d87e28aeb03746ebd23666dd0&id=0160311a9e&e=5f508aea06
x-accounttype: ff
List-Unsubscribe: mailto:email@example.com?subject=unsubscribe, http://democrats.us4.list-manage.com/unsubscribe?u=d87e28aeb03746ebd23666dd0&id=7151477e83&e=5f508aea06&c=0160311a9e
Sender: "Keryl L. Douglas Campaign" KerylDouglasforHCDPfirstname.lastname@example.org
x-mcda: FALSE
Content-Type: multipart/alternative; boundary="_----------=_MCPart_1410715978"
MIME-Version: 1.0
They look more or less the same; the mail server and IP address in the “Received: from” line check out the same way as before. The main difference I see is in the “List-Unsubscribe” line; where the Douglas campaign email has “http://democrats.us4.list-manage.com/unsubscribe”, the Ministers for Keryl email has “http://keryldouglascampaign.us4.list-manage2.com”. (Those addresses also resolve to the MailChimp domain, by the way.) I wondered what that might mean, so I checked a couple of other MailChimp campaign emails I have. There’s one from the Elaine Palmer campaign dated February 6 for which the List-Unsubscribe is “http://ElaineHPalmerforJudge.us4.list-manage2.com/unsubscribe”, and one from the Andrew Burks for City Council campaign dated December 22 for which the List-Unsubscribe is “http://andrewburksforhouston.us4.list-manage.com/unsubscribe”. Seems pretty clear to me.
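The two header-reading steps above (find the relay that handed the message to Gmail and check it against SPF/DKIM, then compare the MailChimp-specific fields of a suspect message with a known-good one) can be done mechanically. The script below is an added example, not code from the post or from MailChimp; the two header sets in it are constructed to mirror the structure of the two messages above, with placeholder hostnames, IPs, addresses, signatures and IDs. One assumption beyond what the post uses: it also pulls the `u=` parameter out of the List-Unsubscribe URL, which in the real headers differs between the two messages just as the subdomain does (`83ae24d69daa2a0b2455947fc` versus `d87e28aeb03746ebd23666dd0`) and which I take to identify the sending MailChimp account.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Constructed headers modelled on the two MailChimp messages in the post.
# Hostnames, IPs, addresses, IDs and signature values are placeholders.
SUSPECT_MSG = """\
Received: by 10.0.0.1 with SMTP id placeholder1; Mon, 9 Apr 2012 11:33:58 -0700 (PDT)
Return-Path: <bounce-a@mail125.us2.mcsv.net>
Received: from mail125.us2.mcsv.net (mail125.us2.mcsv.net. [192.0.2.125])
        by mx.google.com with ESMTP id placeholder2; Mon, 09 Apr 2012 11:33:58 -0700 (PDT)
Authentication-Results: mx.google.com; spf=pass (google.com: domain of bounce-a@mail125.us2.mcsv.net
        designates 192.0.2.125 as permitted sender) smtp.mail=bounce-a@mail125.us2.mcsv.net;
        dkim=pass header.i=MinistersForKerylDouglas=yahoo.com@mail125.us2.mcsv.net
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail125.us2.mcsv.net;
        h=Subject:From:Reply-To:To:Date:List-Unsubscribe:Sender; i=MinistersForKerylDouglas=yahoo.com@mail125.us2.mcsv.net;
        bh=PLACEHOLDER=; b=PLACEHOLDER=
Received: from (127.0.0.1) by mail125.us2.mcsv.net (PowerMTA(TM) v3.5r16) id placeholder3
        for recipient@example.com; Mon, 9 Apr 2012 18:29:05 +0000 (envelope-from bounce-a@mail125.us2.mcsv.net)
From: "Rev. Willie J. Howard" <MinistersForKerylDouglas@yahoo.com>
List-Unsubscribe: <mailto:unsub-a@mail125.us2.mcsv.net?subject=unsubscribe>,
        <http://keryldouglascampaign.us4.list-manage2.com/unsubscribe?u=ACCOUNT-A&id=LIST-A&e=E1&c=C1>
"""

KNOWN_MSG = """\
Received: by 10.0.0.2 with SMTP id placeholder4; Mon, 23 Jan 2012 01:04:06 -0800 (PST)
Return-Path: <bounce-b@mail120.us2.mcsv.net>
Received: from mail120.us2.mcsv.net (mail120.us2.mcsv.net. [192.0.2.120])
        by mx.google.com with ESMTP id placeholder5; Mon, 23 Jan 2012 01:04:05 -0800 (PST)
Authentication-Results: mx.google.com; spf=pass (google.com: domain of bounce-b@mail120.us2.mcsv.net
        designates 192.0.2.120 as permitted sender) smtp.mail=bounce-b@mail120.us2.mcsv.net;
        dkim=pass header.i=KerylDouglasforHCDP=gmail.com@mail120.us2.mcsv.net
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail120.us2.mcsv.net;
        h=Subject:From:Reply-To:To:Date:List-Unsubscribe:Sender; i=KerylDouglasforHCDP=gmail.com@mail120.us2.mcsv.net;
        bh=PLACEHOLDER=; b=PLACEHOLDER=
Received: from (127.0.0.1) by mail120.us2.mcsv.net (PowerMTA(TM) v3.5r16) id placeholder6
        for recipient@example.com; Mon, 23 Jan 2012 09:03:58 +0000 (envelope-from bounce-b@mail120.us2.mcsv.net)
From: "Keryl L. Douglas Campaign" <KerylDouglasforHCDP@gmail.com>
List-Unsubscribe: <mailto:unsub-b@mail120.us2.mcsv.net?subject=unsubscribe>,
        <http://democrats.us4.list-manage.com/unsubscribe?u=ACCOUNT-B&id=LIST-B&e=E2&c=C2>
"""

# "from HELO (RDNS [IP]) by SERVER": the only Received form that names an external client.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>[^\s(]+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-f.:]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def received_hops(msg):
    """Received hops oldest-first; internal 'from (127.0.0.1)' and 'by 10.x' hops are skipped."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.match(str(raw).strip())
        if m:
            hop = m.groupdict()
            hop["rdns"] = (hop["rdns"] or "").rstrip(".").lower()
            hops.append(hop)
    return hops


def tag_list(value):
    """Parse a 'k=v; k=v' tag list such as DKIM-Signature into a dict."""
    out = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip()] = v.strip()
    return out


def auth_results(msg):
    """method -> result ('pass', 'fail', ...) from Authentication-Results."""
    results = {}
    for raw in msg.get_all("Authentication-Results", []):
        for part in str(raw).split(";")[1:]:  # element 0 is the authserv-id (mx.google.com)
            if "=" in part:
                method, rest = part.strip().split("=", 1)
                results[method.lower()] = rest.split()[0].lower()
    return results


def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    hops = received_hops(msg)
    entry = hops[-1] if hops else None  # the hop that handed the mail to the recipient's MX
    dkim = tag_list(str(msg["DKIM-Signature"])) if msg["DKIM-Signature"] else {}
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    unsub_host = account_id = None
    for url in re.findall(r"https?://[^>\s,]+", str(msg.get("List-Unsubscribe", ""))):
        parts = urlparse(url)
        unsub_host = parts.hostname
        account_id = parse_qs(parts.query).get("u", [None])[0]  # assumed: MailChimp account id
    return {
        "entry_host": entry["rdns"] if entry else None,
        "entry_ip": entry["ip"] if entry else None,
        "helo_matches_rdns": bool(entry and entry["helo"].lower() == entry["rdns"]),
        "auth": auth_results(msg),
        "dkim_domain": dkim.get("d", "").lower(),
        "from_domain": from_domain,
        "dkim_aligned_with_from": dkim.get("d", "").lower() == from_domain,
        "unsubscribe_host": unsub_host,
        "account_id": account_id,
    }


def compare(a, b):
    """The comparison the post makes by eye: same relay provider? same MailChimp account?"""
    provider = lambda h: ".".join(h.split(".")[-2:]) if h else None
    return {
        "same_relay_provider": provider(a["entry_host"]) == provider(b["entry_host"]),
        "same_unsubscribe_host": a["unsubscribe_host"] == b["unsubscribe_host"],
        "same_account_id": a["account_id"] is not None and a["account_id"] == b["account_id"],
    }


if __name__ == "__main__":
    a, b = analyze(SUSPECT_MSG), analyze(KNOWN_MSG)
    for k in a:
        print(f"{k:24} {a[k]!s:45} {b[k]}")
    print(compare(a, b))
```

Two things the output makes explicit that the raw headers only imply. First, `dkim=pass` is a pass for `d=mail125.us2.mcsv.net`, MailChimp's own signing domain, not for the yahoo.com address in the From line (`dkim_aligned_with_from` is false for both messages, the known-good one included), so SPF and DKIM here vouch for the relay and say nothing about who controlled the account that sent through it. Second, the fields that do vary per account (the List-Unsubscribe subdomain and the `u=` value) are exactly the ones that differ between the two messages, which is why the question has to go to MailChimp's account records rather than to anything more in the headers.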
Again, not enough for a conviction, but nothing that would lead to an acquittal, either. I think we’re at the limit of what I can tell from the emails, but we can certainly get closer to the truth than this. Since everything indicates that the Ministers For Keryl email did come via MailChimp, the next step is to ask them to check their logs to see what they can say about where it originated. I doubt they’d turn that information over without a paid account or a subpoena, neither of which I have. Not that it really matters, since I don’t have the bandwidth to pursue this any further, but there are surely other parties who ought to be able to. Keryl Douglas, who according to Noel Freeman claimed at her press conference that her account had been hacked, would presumably be interested in ferreting out the truth if she really has been victimized. Having formally accused her of being responsible, the GLBT Political Caucus might want to get an answer. And of course, a professional reporter might want to take advantage of the resources that a professional newsgathering organization could bring to bear on the matter. My point is that this isn’t another he-said/she-said dispute, and it should not be treated as one. There’s an objective answer to this question, and while we may not be able to answer it definitively, we can at least narrow down the objective possibilities. Wouldn’t that be nice?