In response to my previous post about the homophobic “Ministers for Keryl” email, a couple of commenters said that we didn’t have enough evidence to determine whether or not the email was genuine or spoofed. So, based on that feedback I’m going to provide as much information as I can to see what we can learn.
The starting point for this kind of investigation is always the full headers of the email in question, as that’s how you can tell where the email originated, what path it took, and whether there’s anything bogus in there that would point to some kind of skulduggery. Different email clients have different ways of exposing this information to you. In Gmail, you click the dropdown menu next to the Reply button, and choose Show Original:
The result opens in a new web page. Here’s the header information I get for the infamous “Ministers for Keryl” email (the page also includes the full HTML and Java code for the body of the email, which I will omit here):
Delivered-To: cakuffner@gmail.com
Received: by 10.182.14.138 with SMTP id p10csp103284obc;
Mon, 9 Apr 2012 11:33:58 -0700 (PDT)
Received: by 10.224.98.3 with SMTP id o3mr10492149qan.62.1333996438456;
Mon, 09 Apr 2012 11:33:58 -0700 (PDT)
Return-Path: bounce-mc.us4_9329605.111797-cakuffner=gmail.com@mail125.us2.mcsv.net
Received: from mail125.us2.mcsv.net (mail125.us2.mcsv.net. [173.231.139.125])
by mx.google.com with ESMTP id a8si13886738qao.49.2012.04.09.11.33.58;
Mon, 09 Apr 2012 11:33:58 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounce-mc.us4_9329605.111797-cakuffner=gmail.com@mail125.us2.mcsv.net designates 173.231.139.125 as permitted sender) client-ip=173.231.139.125;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of bounce-mc.us4_9329605.111797-cakuffner=gmail.com@mail125.us2.mcsv.net designates 173.231.139.125 as permitted sender) smtp.mail=bounce-mc.us4_9329605.111797-cakuffner=gmail.com@mail125.us2.mcsv.net; dkim=pass header.i=MinistersForKerylDouglas=3Dyahoo.com@mail125.us2.mcsv.net
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail125.us2.mcsv.net;
h=Subject:From:Reply-To:To:Date:Message-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=MinistersForKerylDouglas=3Dyahoo.com@mail125.us2.mcsv.net;
bh=Sr1KnAmgb/3XEASAZvhocc4+cHA=;
b=e8rsMzkHmbg1qzZiRx3SVuTNq5fJ+NWjB9WsTd3YN9fjRK993EOa0se1P/HqnGMUrZo7TDF89H1P
s/qbDgg95CMhYHYNMTdiTNVadBsT1jwdiuD27q8aiV19GoCpnVNAfRNEHBzWwHS3YgGcKTPm8QQY
l6NzRMBaP+rqmgGZB38=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=mail125.us2.mcsv.net;
b=cSuqm0G7Gnm0HemlKLpwfQT4dJyqIgwcVV31ziTnSK/G4jsWl8OlFm47bvAh7AmNkLTdCrZyH7mX
gOMZ8an++wh/JMBIdozWwfDEzTCcjXn+BfIqOqe/88wB3xHP+qhGdPAWgUGbzEvxjfzJJGrv90cv
c/2qL94pTDyNSTyRlYE=;
Received: from (127.0.0.1) by mail125.us2.mcsv.net (PowerMTA(TM) v3.5r16) id hgclpc11djob for cakuffner@gmail.com; Mon, 9 Apr 2012 18:29:05 +0000 (envelope-from bounce-mc.us4_9329605.111797-cakuffner=gmail.com@mail125.us2.mcsv.net)
Subject: =?utf-8?Q?Support=20Keryl=20Douglas=20for=20Harris=20Democratic=20Chair?=
From: =?utf-8?Q?Rev.=20Willie=20J.=20Howard?= MinistersForKerylDouglas@yahoo.com
Reply-To: =?utf-8?Q?Rev.=20Willie=20J.=20Howard?= MinistersForKerylDouglas@yahoo.com
To: cakuffner@gmail.com
Date: Mon, 9 Apr 2012 18:29:05 +0000
Message-ID: 83ae24d69daa2a0b2455947fc65e3510466.20120409182858@mail125.us2.mcsv.net
X-Mailer: MailChimp Mailer - **CID03a4f8c00a65e3510466**
X-Campaign: mailchimp83ae24d69daa2a0b2455947fc.03a4f8c00a
X-campaignid: mailchimp83ae24d69daa2a0b2455947fc.03a4f8c00a
x-im: 38509-03a4f8c00a
X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=83ae24d69daa2a0b2455947fc&id=03a4f8c00a&e=65e3510466
x-accounttype: ff
List-Unsubscribe: mailto:unsubscribe-83ae24d69daa2a0b2455947fc-03a4f8c00a-65e3510466@mailin1.us2.mcsv.net?subject=unsubscribe, http://keryldouglascampaign.us4.list-manage2.com/unsubscribe?u=83ae24d69daa2a0b2455947fc&id=0c4af39c85&e=65e3510466&c=03a4f8c00a
Sender: "Rev. Willie J. Howard" MinistersForKerylDouglas=yahoo.com@mail125.us2.mcsv.net
x-mcda: FALSE
Content-Type: multipart/alternative; boundary="_----------=_MCPart_1217078024"
MIME-Version: 1.0
That may look like a lot of gobbledegook if you’re not a techie, but there are a few important things to highlight. Where it says “Received: from mail125.us2.mcsv.net (mail125.us2.mcsv.net. [173.231.139.125])”, the key things are that “mail125.us2.mcsv.net” appears to be a MailChimp server – “mcsv.net” resolves to http://mailchimp.com/about/mcsv/ if you plug it into a browser – and that 173.231.139.125 is indeed the IP address for mail125.us2.mcsv.net – open a command prompt and do “ping -a 173.231.139.125” to see for yourself (on Windows, the -a switch makes ping look up the host name for that address). We can therefore say that the email does appear to have originated with MailChimp, which as Noel Freeman noted in that Dallas Voice story was what the GLBT Political Caucus used to make the accusation that the email came from Keryl Douglas’ campaign.
That’s not enough for a conviction. As commenter Paul said to me in an email, it would be nice to be able to compare these headers to those from an email known to have come from a campaign via MailChimp. As it happens, I have several of those from the Keryl Douglas campaign in my mailbox. Here are the headers from the most recent one, dated January 23.
Delivered-To: cakuffner@gmail.com
Received: by 10.182.81.230 with SMTP id d6cs32291oby;
Mon, 23 Jan 2012 01:04:06 -0800 (PST)
Received: by 10.224.168.84 with SMTP id t20mr7916103qay.2.1327309445041;
Mon, 23 Jan 2012 01:04:05 -0800 (PST)
Return-Path: bounce-mc.us4_7332577.43837-cakuffner=gmail.com@mail120.us2.mcsv.net
Received: from mail120.us2.mcsv.net (mail120.us2.mcsv.net. [173.231.139.120])
by mx.google.com with ESMTP id d10si4311876qcx.187.2012.01.23.01.04.04;
Mon, 23 Jan 2012 01:04:05 -0800 (PST)
Received-SPF: pass (google.com: domain of bounce-mc.us4_7332577.43837-cakuffner=gmail.com@mail120.us2.mcsv.net designates 173.231.139.120 as permitted sender) client-ip=173.231.139.120;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of bounce-mc.us4_7332577.43837-cakuffner=gmail.com@mail120.us2.mcsv.net designates 173.231.139.120 as permitted sender) smtp.mail=bounce-mc.us4_7332577.43837-cakuffner=gmail.com@mail120.us2.mcsv.net; dkim=pass header.i=KerylDouglasforHCDP=3Dgmail.com@mail120.us2.mcsv.net
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail120.us2.mcsv.net;
h=Subject:From:Reply-To:To:Date:Message-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=KerylDouglasforHCDP=3Dgmail.com@mail120.us2.mcsv.net;
bh=ntfeE12aE8Vd8ky8gyVOZYlgy90=;
b=Al+GShpwJsaGcDiox+RHHVKr5LzftL/sSCdd0QZU0cx5LSN4DfPotIhBZYHDdziUBgtQMuUFWxpD
/REnpk1Yrbj0Gz1kHdwFP1zwbluQEtuLmF6rT/YxtyyEvxZ0Mhm+RBIhos6HK8CIIk6vdYim6eZH
otqd3xPJvpYJYeJ6e0E=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=mail120.us2.mcsv.net;
b=Bfe7MCVMbSbZ19eaGOTOAUNNM6I4j/GcRXpswVR8oRDBH9Q9LOBDgF46wxn2bwl5Rx0Ngp+dV0Os
Qb/K1+ZpYiaVrBSnmcqS82b5ojXxvPcnnM/u9cn7ai9b8vu1QAW+u5LYeX4/G6qQOqKl9y2paef/
/BUOIjno3/IXcKSQAjM=;
Received: from (127.0.0.1) by mail120.us2.mcsv.net (PowerMTA(TM) v3.5r16) id h3kh8811djoh for cakuffner@gmail.com; Mon, 23 Jan 2012 09:03:58 +0000 (envelope-from bounce-mc.us4_7332577.43837-cakuffner=gmail.com@mail120.us2.mcsv.net)
Subject: =?utf-8?Q?You=20can=20repeat=20history=20in=202012=21?=
From: =?utf-8?Q?Keryl=20L.=20Douglas=20Campaign?= KerylDouglasforHCDP@gmail.com
Reply-To: =?utf-8?Q?Keryl=20L.=20Douglas=20Campaign?= KerylDouglasforHCDP@gmail.com
To: cakuffner@gmail.com
Date: Mon, 23 Jan 2012 09:03:58 +0000
Message-ID: d87e28aeb03746ebd23666dd05f508aea06.20120123090345@mail120.us2.mcsv.net
X-Mailer: MailChimp Mailer - **CID0160311a9e5f508aea06**
X-Campaign: mailchimpd87e28aeb03746ebd23666dd0.0160311a9e
X-campaignid: mailchimpd87e28aeb03746ebd23666dd0.0160311a9e
x-im: 38509-0160311a9e
X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=d87e28aeb03746ebd23666dd0&id=0160311a9e&e=5f508aea06
x-accounttype: ff
List-Unsubscribe: mailto:unsubscribe-d87e28aeb03746ebd23666dd0-0160311a9e-5f508aea06@mailin1.us2.mcsv.net?subject=unsubscribe, http://democrats.us4.list-manage.com/unsubscribe?u=d87e28aeb03746ebd23666dd0&id=7151477e83&e=5f508aea06&c=0160311a9e
Sender: "Keryl L. Douglas Campaign" KerylDouglasforHCDP=gmail.com@mail120.us2.mcsv.net
x-mcda: FALSE
Content-Type: multipart/alternative; boundary="_----------=_MCPart_1410715978"
MIME-Version: 1.0
They look more or less the same; the IP address and mail server in the “Received from” match up as before. The main difference I see is in the “List-Unsubscribe” line; where the Douglas campaign email has “http://democrats.us4.list-manage.com/unsubscribe”, the Ministers for Keryl email has “http://keryldouglascampaign.us4.list-manage2.com”. (Those addresses also resolve to the MailChimp domain, by the way.) I wondered what that might mean, so I checked a couple of other MailChimp campaign emails I have. There’s one from the Elaine Palmer campaign dated February 6 for which the List-Unsubscribe is “http://ElaineHPalmerforJudge.us4.list-manage2.com/unsubscribe”, and one from the Andrew Burks for City Council campaign dated December 22 for which the List-Unsubscribe is “http://andrewburksforhouston.us4.list-manage.com/unsubscribe”. Seems pretty clear to me.
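The side-by-side comparison above, as an added Python example that is not part of the original post: it reads only the Received and Authentication-Results lines stamped by the recipient's own server (mx.google.com here), because lines lower in a header are supplied by the sender, and reports which fields the two messages share. The header excerpts are shortened from the two dumps quoted above; the function and field names are this example's own.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit, parse_qs

# Constructed excerpts: fields copied from the two header dumps in the post,
# with comments, the mailto: link and long mailbox values dropped.
DISPUTED = """\
Received: from mail125.us2.mcsv.net (mail125.us2.mcsv.net. [173.231.139.125]) by mx.google.com with ESMTP
Authentication-Results: mx.google.com; spf=pass; dkim=pass
List-Unsubscribe: http://keryldouglascampaign.us4.list-manage2.com/unsubscribe?u=83ae24d69daa2a0b2455947fc&id=0c4af39c85&e=65e3510466&c=03a4f8c00a
"""
KNOWN_CAMPAIGN = """\
Received: from mail120.us2.mcsv.net (mail120.us2.mcsv.net. [173.231.139.120]) by mx.google.com with ESMTP
Authentication-Results: mx.google.com; spf=pass; dkim=pass
List-Unsubscribe: http://democrats.us4.list-manage.com/unsubscribe?u=d87e28aeb03746ebd23666dd0&id=7151477e83&e=5f508aea06&c=0160311a9e
"""

def fingerprint(raw, my_mx="mx.google.com"):
    """Extract the fields the post compares, trusting only lines added by my_mx."""
    msg = message_from_string(raw)
    # The hop written by our own MX; the name and IP in parentheses are what
    # that server recorded for the connecting host, not what the sender claimed.
    hop = next(r for r in msg.get_all("Received", []) if f"by {my_mx}" in r)
    host, ip = re.search(r"\((\S+?)\.? \[([\d.]+)\]", hop).groups()
    auth = next(a for a in msg.get_all("Authentication-Results", [])
                if a.strip().startswith(my_mx))
    # First http(s) link in List-Unsubscribe (works when a mailto: precedes it).
    url = urlsplit(re.search(r"https?://[^\s,>]+", msg["List-Unsubscribe"]).group())
    return {
        "relay_host": host,
        "relay_domain": ".".join(host.split(".")[-2:]),
        "relay_ip": ip,
        "spf": re.search(r"spf=(\w+)", auth).group(1),
        "dkim": re.search(r"dkim=(\w+)", auth).group(1),
        "unsub_host": url.hostname,
        "unsub_u": parse_qs(url.query)["u"][0],  # the u= value in the link
    }

def compare(a, b):
    """Return (fields with equal values, fields with different values)."""
    fa, fb = fingerprint(a), fingerprint(b)
    same = sorted(k for k in fa if fa[k] == fb[k])
    differ = sorted(k for k in fa if fa[k] != fb[k])
    return same, differ

if __name__ == "__main__":
    print(compare(DISPUTED, KNOWN_CAMPAIGN))
```

A shared relay domain with passing SPF and DKIM shows that both messages left the same provider's servers; those checks authenticate the mcsv.net sending domain, not the yahoo.com or gmail.com address in the From line, so they cannot say which account sent either message.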
Again, not enough for a conviction, but nothing that would lead to an acquittal, either. I think we’re at the limit of what I can tell from the emails, but we can certainly get closer to the truth than this. Since everything indicates that the Ministers For Keryl email did come via MailChimp, then the next step is to ask them to check their logs to see what they can say about where it originated. I doubt they’d turn that information over without a paid account or a subpoena, neither of which I have. Not that it really matters, since I don’t have the bandwidth to pursue this any further, but there are surely other parties who ought to be able to. Keryl Douglas, who according to Noel Freeman claimed at her press conference that her account had been hacked, would presumably be interested in ferreting out the truth if she really has been victimized. Having formally accused her of being responsible, the GLBT Political Caucus might want to get an answer. And of course, a professional reporter might want to take advantage of the resources that a professional newsgathering organization could bring to bear on the matter. My point is that this isn’t another he-said/she-said dispute, and it should not be treated as one. There’s an objective answer to this question, and while we may not be able to answer it definitively, we can at least narrow down the objective possibilities. Wouldn’t that be nice?
Now, if the links at the end of the emails are constructed by MailChimp (as claimed by the Dallas Voice), and not user-editable, then that would confirm that both the “ministers” emails and official KD campaign ones came from the same account.
That would further narrow the question to one of authorized vs. unauthorized use of the KD campaign account.
I have a ticket in to MailChimp’s abuse group.
It’s got a different campaign ID, which is MailChimp’s unique identifier that ties it back to who paid for it.
I’ll let you know what they say.
Thank you for following up on this matter. Whether this is the result of someone hacking the Keryl Douglas campaign’s email or that someone connected with that campaign wasn’t quite as sharp as they thought, this tactic stinks and the people behind it need to be exposed.