robertdavidgraham / hunter-dkim
Discusses how to verify DKIM signatures in old emails, namely one of the Hunter Biden emails in the news
Thank you very much for publishing this repository, Robert. It's a fun diversion. :) Plus, you gave me reason to find and locate some emails I thought I'd lost. (Original pointer to this repository due to Mr. Maxwell, for which I am very grateful.)
The FAQ (which is a nice addition) says that due to being quoted-printable, there's no place to add a space. I'm not entirely sure what you mean by that.
$ diff -u Meeting\ for\ coffee.eml change-space.eml
--- Meeting for coffee.eml 2020-10-30 00:07:03.000000000 -0400
+++ change-space.eml 2020-10-30 12:50:07.000000000 -0400
@@ -46,7 +46,7 @@
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
-Dear Hunter, thank you for inviting me to DC and giving an opportunity to m=
+Dear Hunter, thank you for inviting me to DC and giving an opportunity to m=
eet your father and spent some time together. It's realty an honor and pleas=
ure.
As we spoke yesterday evening, would be great to meet today for a quick coff=
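Review bot: the removed and added lines in the @@ -46,7 +46,7 @@ hunk read identically as shown, so the whitespace that was changed cannot be seen. Say where the extra space went (a hex dump of the two lines or the column number would do), because widening an existing space and creating a space where there was none are different changes, and the verification output that follows only demonstrates whichever one was actually made.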
$ ./verify.py *.eml
Meeting for coffee.eml: DKIM signature verified
change-space.eml: DKIM signature verified
forgery.eml: DKIM signature verification failed
I can't imagine what problems not verifying the exact number of spaces people are worried about with this, but it certainly seems possible to add spaces and still pass verification.
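The result reported above can be explained by body canonicalization. The following is an added example, not code from the repository or from the poster. It assumes the signature declares the `relaxed` body canonicalization of RFC 6376 with SHA-256, and the sample body and helper names are constructed for illustration.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    # RFC 6376 3.4.3: drop empty lines at the end, keep all else byte for byte.
    return re.sub(rb"(\r\n)+\Z", b"", body) + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    # RFC 6376 3.4.4: collapse runs of space/tab to one space, strip whitespace
    # at line ends, then drop empty lines at the end of the body.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon) -> str:
    # The value a verifier compares with the bh= tag (SHA-256 assumed here).
    # DKIM hashes the body as transmitted, i.e. still quoted-printable encoded.
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def same_hash(original: bytes, altered: bytes) -> dict:
    # For each canonicalization: does the altered body keep the same hash?
    return {name: body_hash(original, fn) == body_hash(altered, fn)
            for name, fn in (("simple", canon_simple),
                             ("relaxed", canon_relaxed))}

# Constructed sample body (CRLF line endings, as on the wire).
ORIGINAL = b"thank you for inviting me to DC\r\nand giving an opportunity\r\n"
WIDENED = ORIGINAL.replace(b"thank you", b"thank  you")   # existing space doubled
TRAILING = ORIGINAL.replace(b"DC\r\n", b"DC \r\n")        # space at end of line
SPLIT = ORIGINAL.replace(b"inviting", b"invi ting")       # new space inside a word

if __name__ == "__main__":
    for label, variant in (("widened", WIDENED), ("trailing", TRAILING),
                           ("split", SPLIT)):
        print(label, same_hash(ORIGINAL, variant))
```

Under these assumptions, only changes to the amount of existing whitespace survive verification. A space that separates text previously joined changes the body hash under both canonicalizations.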
Thanks for posting this repo. It's an interesting technical/intellectual exercise. I'm no expert, but I've configured and managed mail servers using DKIM for several years now and have had to do forensics on a number of e-mails with questionable lineage.
DKIM offers an effective but limited scope of integrity assurance regarding a message's content. Assuming a correct DKIM setup, a message that has a valid DKIM signature means that its contents are the same as signed by the origin mail server, prior to the mail being sent. This is different than saying the message came from the mail account holder and that it was not changed in any way.
Malicious actors don't try to circumvent DKIM; that's generally too hard. Instead, they seek to alter or inject messages into the "transit path" prior to the mail server signing and sending it. There are other ways too that don't appear to apply in this case. From the mail headers in this message, here are a few techniques that could be used to deliver a malicious e-mail that has a valid DKIM signature (they = malicious party):
I'm not trying to prove or disprove the validity of this particular message. Rather, I want to point out that DKIM is awesome but what it can tell you is limited.
As you say, this particular email says nothing except that he "met" Joe Biden, which could be as little as getting the opportunity to shake his hand. Probably more important would be to verify the May 12, 2014 email with the subject "urgent issue", which requests "advice on how you could use your influence". That would at least verify that "influence" was considered one of the key things of value that Hunter Biden was providing.
i.e. we can use DKIM to verify the sender, but can we use DKIM to verify the recipient? i.e. the To: header (which is part of the dkim hash) isn't actually used in delivery. So while we can be fairly sure the sender sent it when they did (or at least time boxed), can we really know who it was sent to?
i.e. I'm wondering if this statement is a little bit too absolute: "the intended recipient was to the account [email protected], known to have been used by Hunter Biden". We know that was the To: header, but that doesn't actually mean it was the intended recipient, if the rcpt to was to a different address.
I have little experience with cryptography but was wondering about this the other way around.
Given that we (at least for now) have a single email with headers, would brute-forcing the signature be viable and less computationally intensive than cracking the private key? E.g. randomly generating signatures until one validates?
Apparently there is a discussion on Wikipedia about this https://en.wikipedia.org/wiki/Talk:Biden%E2%80%93Ukraine_conspiracy_theory/Archive_3#DKIM_email_verification
A question some people will have when confirming this confirmation is if the provided old google key is authentic. One way that you can check this is by checking if other contemporary known-google-signed messages were signed with the same key.
One way for any person who was using gmail back in 2015 to accomplish this is simply by validating one of their own received emails from on/around the date in question.
It's as simple as bringing up an email to you in gmail from around that date, clicking show original, and pasting the entire text output into a file. The file will then validate with the repo's script. (And indeed, it does for me on a couple messages I checked).
I was also able to check those messages against an old google-takeout dump of my entire mailbox.
Presumably other people have older published google-received messages from around that date, complete with headers. It might even be possible to find some in court records to convince people who don't have their own.