Yesterday Ricochet reported on a bizarre twist in a feud involving the People’s Party of Canada: a former PPC organizer said he had received an explicitly racist email from a senior executive with the party, while the party said it was a forgery.
It turns out they may both have been telling the truth.
We consulted with information technology professionals with experience in email security, providing them with the header information from all three suspect emails, along with reference emails from the PPC that are not in dispute. According to these professionals, the emails did not originate from the PPC’s email server.
There is little chance of using the emails to identify the real sender, as they came through a website and server in Germany that may have been hijacked some time ago.
Inconsistencies
“[It’s] definitely fraudulent. I can’t imagine any scenario [where] the PPC would send this way,” said Kevin Creechan, the owner of an information security company in Cambridge, Ontario, who has been working in IT since 2003 and in information security since 2012.
Matt Watson also has a “high degree of confidence” that the emails were spoofed.
He is a software developer in Victoria, B.C., with a degree in software engineering and six years of experience. He’s familiar with spoofing after dealing with a series of attempts to hijack and send spam email from a website he manages.
“I can say definitively that they were not sent through Gmail,” said Watson of the suspect PPC emails. The PPC’s email system is run through Gmail. “That doesn’t rule out the person behind that account having a second means of sending emails, but that would begin to stretch credulity.”
Ricochet provided the header information from several emails sent by PPC accounts that are not in dispute for comparison. “The reference emails are consistently signed, consistently passing, and the suspect ones are not,” said Watson.
Failed security checks
The three contested emails failed to pass two basic authenticity checks.
“SPF is the mechanism email services use to determine the validity of the SMTP gateway sending the email,” explained Watson. This check was listed as failed on the three emails, but not others sent from the PPC’s email system.
“In the reference email there is a DKIM pass,” added Watson, referring to another common security measure, “indicating the domain has a validation signature associated with it, whereas in the suspect email this is a fail and there was no signature to validate against the domain.”
Additionally, all three emails were sent from a website hosted on a server in Germany suspected of being hijacked.
“It looks like a web server that has been hacked and is being used to relay mail for itself,” said Creechan. “Someone has done that. It looks like something built specifically to do things like this. I don’t think it would ever have any purpose other than to fool someone.”
Watson agreed.
“I found reports of mailer.wilwal.com being used as an open smtp gateway, which basically means scammers can use it to send email, setting whatever ‘from’ they want.”
Anyone ‘would think they were genuine’
On the surface, the suspect emails look like they were sent from Glen Walushka, the PPC’s B.C. regional organizer, and Daniel Tyrie, the PPC’s communications director.
As Ricochet reported yesterday, the content of the contested emails appears to have been cut together from different web sources. They contain passages identical to other material Walushka has put into the public domain, including a tweet and blog post, as well as unattributed statements copied from postings by Ricardo Duchesne, a University of New Brunswick professor who espouses white nationalist views and operates a website called Council of European Canadians.
To confirm the legitimacy of the emails, Ricochet conducted a Skype session and screen share with Angelo Isidorou, the former PPC organizer, who recently quit the party over allegations of racism in its senior leadership.
He opened the emails in his inbox, opened the source code for their headers, took screenshots of each header, and then sent them directly to us.
Isidorou said he received the emails and turned them over to media outlets, believing they were genuine.
“If they’re spoofed, I would like to know to what end, and what the point of it is, and the professionals should investigate,” Isidorou told Ricochet. “Especially given whoever did this knew my email, knew I would go public with something this heinous and also had private information on Glen which they used to make the email seem more authentic, including phone numbers and emails.”
“My biggest fear is this would be used to invalidate my concerns [about racism in] the party. I think anyone who would look at these emails on a first glance would think they were genuine.”