From: Lemming
Subject: No proof, just evidence.
Date: Wednesday, March 15, 2000 12:23 PM

>"Derek Smart" wrote
>> (b) I did *not* forge *any* email and you have *never* been able to
>> offer *any* proof of said premise. Your friend, Trainman50, sent me
>> threatening email, containing a racist remark. When I made the email
>> public and threatened to go to the FBI, he said that he didn't say any
>> such thing and then *disappeared* without providing the original email
>> he claimed to have.

To be fair, I've not seen anyone provide any proof that Smart forged the second mail, although I've seen various commentaries about it. I've wanted to see the original posts for some time, so that I could examine them for myself. Today was the first time I've seen a link to them (Thanks DAKTARI!) and so I had a look for myself.

However, I can't provide "proof" either, but I can provide strong evidence that the second email was doctored. The reader will have to decide for him/herself.

Let's remind ourselves of the two versions of the email.

The first, posted by Smart reads :-

8<--------------[begin include]--------------(Mail-1)
Return-Path:
Received: from growl.pobox.com ([208.210.124.27]) by mx9.mindspring.com (Mindspring Mail Service) with ESMTP id rsi8ot.mkv.37kbi17 for ; Sun, 29 Aug 1999 08:10:05 -0400 (EDT)
Received: by growl.pobox.com (Postfix, from userid 15) id 043EAC5D6; Sun, 29 Aug 1999 08:10:05 -0400 (EDT)
Received: from mailcity.com (fes-qout.whowhere.com [209.1.236.7]) by growl.pobox.com (Postfix) with SMTP id 99B18C5D6 for ; Sun, 29 Aug 1999 08:10:04 -0400 (EDT)
Received: from Unknown/Local ([?.?.?.?]) by mailcity.com; Sun Aug 29 05:09:54 1999
To: dsmart@pobox.com
Date: Sun, 29 Aug 1999 07:09:54 -0500
From: "Trainman50"
Message-ID:
Mime-Version: 1.0
Cc:
X-Sent-Mail: off
Reply-To:
X-Mailer: MailCity Service
Subject: Visit
X-Sender-Ip: 209.214.52.55
Organization: MailCity (http://www.mailcity.lycos.com:80)
Content-Type: text/plain; charset=us-ascii
Content-Language: en
Content-Length: 248
Content-Transfer-Encoding: 7bit

As a veteran I would like to come to your house an have a talk with you about your game....could you give you address please
---
Trainman50
8<--------------[end include]-----------------(Mail-1)

The second, also posted by Smart some time later reads :-

8<--------------[begin include]---------------(Mail-2)
> To: dsmart@pobox.com
> Date: Sun, 29 Aug 1999
> From: "Trainman50"
> Mime-Version: 1.0
> Cc:
> X-Sent-Mail: off
> Reply-To:
> X-Mailer: MailCity Service
> Subject: Visit
> X-Sender-Ip: 209.214.52.55
> Organization: MailCity (http://www.mailcity.lycos.com:80)
> Content-Type: text/plain; charset=us-ascii
> Content-Language: en
> Content-Length: 248
> Content-Transfer-Encoding: 7bit
>
> As a veteran I would like to come to your house an have a talk with
> you about your game....could you give you address please. My friend
> and I, the vet you insulted and the KKK are always looking for fresh
> meat.
> ---
> Trainman50
>
> Get your FREE Email at http://mailcity.lycos.com
> Get your PERSONALIZED START PAGE at http://my.lycos.com
8<--------------[end include]-----------------(Mail-2)

Smart says that the second one is the complete version, and that he messed up when snipping out the mailcity trailers. Others have pointed out that despite this, Trainman50's sig appears. I'm sure we can all imagine scenarios where this could happen, so I'm not even going to consider this part of the argument. In this post I intend to focus on the content length.

If you check the original posts on Deja, you will see that Mail-1 had no word wrap, although Mail-2 did. This is significant when considering the message length, as the content-length field will include a single octet for the end of line (irrespective of the actual representation). What this means is that on systems which use CRLF to terminate a line, and systems which use simply LF, the content-length will remain the same. Hence we only count an end of line character when we get to the point where Trainman hit the return key or where his mailer added lines.

The content-length counts all characters from the end of the last header line, to the end of the message. In other words, they represent the body of the message.

The Mail-1 body with the mailcity footers re-attached is as follows :-

8<---------------[begin]------------------------------
1:
2:As a veteran I would like to come to your house an have a talk with you about your game....could you give you address please
3:---
4:Trainman50
5:
6:Get your FREE Email at http://mailcity.lycos.com
7:Get your PERSONALIZED START PAGE at http://my.lycos.com
8<---------------[end]---------------------------------

The character count for each line is :-

1:   0 (+ 1 for end of line)
2: 124 (+ 1)
3:   3 (+ 1)
4:  10 (+ 1)
5:   0 (+ 1)
6:  48 (+ 1)
7:  56 (+ 1)
   ===
   241 (+ 7) = 248
   === ===

The body of the second mail is :-

8<---------------[begin]------------------------------
1:
2:As a veteran I would like to come to your house an have a talk with
3:you about your game....could you give you address please. My friend
4:and I, the vet you insulted and the KKK are always looking for fresh
5:meat.
6:---
7:Trainman50
8:
9:Get your FREE Email at http://mailcity.lycos.com
10:Get your PERSONALIZED START PAGE at http://my.lycos.com
8<---------------[end]---------------------------------

Again, taking character counts :-

 1:   0 (+ 1)
 2:  67 (+ 0)
 3:  67 (+ 0)
 4:  68 (+ 0)
 5:   5 (+ 1)
 6:   3 (+ 1)
 7:  10 (+ 1)
 8:   0 (+ 1)
 9:  48 (+ 1)
10:  56 (+ 1)
    === =====
    331 (+ 7) = 338.
    === ===

[Huffman edit: I found three minor errors in the above. start huffman's redoing the above work.]

 1:   0 (+ 1)
 2:  68 (+ 0)
 3:  68 (+ 0)
 4:  68 (+ 0)
 5:   5 (+ 1)
 6:   3 (+ 1)
 7:  10 (+ 1)
 8:   0 (+ 1)
 9:  48 (+ 1)
10:  56 (+ 1)
    === =====
    327 (+ 7) = 334.

[Huffman edit: 3 insignificant errors fixed in the above version. The three errors were an addition error and counting errors on line 2 and line 3.]

Now looking at the headers, which are identical for both versions of the mail, we see the content-length field :-

Content-Length: 248

This matches the first email exactly, and does not match the second.

This is strong evidence to suggest that the non-racist "Mail-1" is the real one, and that "Mail-2" is the forgery.

Regards,
Derek Sorensen

--
References :-
RFC 821 - Simple Mail Transfer Protocol
RFC 822 - Standard for the format of ARPA Internet text messages
RFC 1869 - SMTP Service Extensions
RFC 1939 - Post Office Protocol 3
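
The Content-Length comparison described in this post, as an added Python example that is not part of the original post: it counts every end of line as one octet and starts counting right after the last header line, as the post does. The messages, addresses and function names are constructed for illustration and are not the emails quoted above.

```python
import re

def counted_region(raw: str) -> tuple[str, str]:
    """Return (headers, counted text). Per the post's convention the count
    starts right after the last header line, so the blank separator line
    is part of the counted text."""
    text = raw.replace("\r\n", "\n")   # CRLF and LF both count as one octet
    cut = text.find("\n\n")
    if cut < 0:
        raise ValueError("no blank line between headers and body")
    return text[:cut], text[cut + 1:]

def check_content_length(raw: str) -> dict:
    """Compare the declared Content-Length with the octets actually present."""
    headers, counted = counted_region(raw)
    m = re.search(r"^Content-Length:[ \t]*(\d+)[ \t]*$", headers, re.I | re.M)
    declared = int(m.group(1)) if m else None
    actual = len(counted.encode("utf-8"))
    delta = None if declared is None else actual - declared
    return {"declared": declared, "actual": actual, "delta": delta}

# Constructed sample data (hypothetical message, not from the post).
HEADERS = "To: recipient@example.org\nSubject: Visit\nContent-Length: 48\n"
ORIGINAL = HEADERS + "\nPlease send me your postal address.\n---\nSender\n"
# A display wrap that swaps one space for one line break: count unchanged.
REWRAPPED = ORIGINAL.replace("your postal", "your\npostal")
# Same message with CRLF line endings: count unchanged.
CRLF = ORIGINAL.replace("\n", "\r\n")
# Body edited after the header was generated: count no longer matches.
ALTERED = ORIGINAL.replace("---", "This line was added later.\n---")

def run_samples() -> dict:
    samples = {"original": ORIGINAL, "rewrapped": REWRAPPED,
               "crlf": CRLF, "altered": ALTERED}
    return {name: check_content_length(msg) for name, msg in samples.items()}

if __name__ == "__main__":
    for name, result in run_samples().items():
        verdict = "consistent" if result["delta"] == 0 else "MISMATCH"
        print(f"{name:10} {result} {verdict}")
```

A zero delta only shows the body is consistent with the header; a non-zero delta shows the body and the header were not produced together.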