Initial commit

.gitignore

@@ -0,0 +1,4 @@
+.DS_Store
+messages-organized
+messages-organized.zip
+messages-split

LICENSE

@@ -0,0 +1,15 @@
+ISC License
+
+Copyright (c) 2018, The Associated Press
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.

README.md

@@ -0,0 +1,67 @@
+# DKIM verification script #
+
+Reporters often need to verify the authenticity of leaked emails, and one
+increasingly popular technique is to check those emails' [DKIM signatures][],
+as [ProPublica documented so well in 2017][].
+
+The ProPublica post explains how to do this for individual messages, but for
+[a recent story][], The Associated Press' investigative team needed to verify
+many emails contained in an [mbox][] archive.
+
+[DKIM signatures]: https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
+[ProPublica documented so well in 2017]: https://www.propublica.org/nerds/authenticating-email-using-dkim-and-arc-or-how-we-analyzed-the-kasowitz-emails
+[a recent story]: https://apnews.com/d093a02a3d8a4e1b8dc7f5d19475899b
+[mbox]: https://en.wikipedia.org/wiki/Mbox
+
+## Usage ##
+
+```
+$ ./verify_dkim.sh MBOX_FILE
+```
+
+This script will create an output directory called `messages-organized`, with
+the following subdirectories:
+
+*   `messages-organized/unsigned` will contain messages that had no DKIM
+    signature at all.
+
+*   `messages-organized/signed/unverified` will contain messages that had DKIM
+    signatures, but for some reason those signatures could not be verified.
+    (This does not necessarily imply forgery; configurations can change over
+    time, and some emails servers just don't behave particularly well.)
+
+*   `messages-organized/signed/verified` will contain messages that had DKIM
+    signatures that were verified as authentic.
+
+The script also will produce two other outputs:
+
+*   `messages-split` will be a directory containing all of the original emails,
+    not organized in any particular way.
+
+*   `messages-organized.zip` will be a zipped archive of the
+    `messages-organized` directory, suitable for sending via any appropriate
+    medium.
+
+## Other potential formats ##
+
+*   If you have just one message to verify, follow the instructions in
+    [ProPublica's 2017 post][].
+
+*   If you have a directory of many individual messages, consider editing this
+    script to skip the `git mailsplit` call in the `INITIALIZATION` section.
+
+[ProPublica's 2017 post]: https://www.propublica.org/nerds/authenticating-email-using-dkim-and-arc-or-how-we-analyzed-the-kasowitz-emails
+
+## Dependencies ##
+
+*   [Git][]
+
+*   [dkimpy][] and [dnspython][] Python packages:
+
+    ```
+    $ pip install -r requirements.txt
+    ```
+
+[Git]: https://git-scm.com/
+[dkimpy]: https://launchpad.net/dkimpy
+[dnspython]: http://www.dnspython.org/

requirements.txt

@@ -0,0 +1,2 @@
+dkimpy==0.8.1
+dnspython==1.15.0

verify_dkim.sh

@@ -0,0 +1,106 @@
+#!/bin/bash
+
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# -=-=-=-=-=-=-=-=-=-=-=-=-=- BASH CONFIGURATION =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+# Unofficial bash strict mode:
+# http://redsymbol.net/articles/unofficial-bash-strict-mode/
+set -euo pipefail
+IFS=$'\n\t'
+
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= PATHS =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+SPLIT_DIR='messages-split'
+
+OUTPUT_DIR='messages-organized'
+UNSIGNED_DIR="${OUTPUT_DIR}/unsigned"
+UNVERIFIED_DIR="${OUTPUT_DIR}/signed/unverified"
+VERIFIED_DIR="${OUTPUT_DIR}/signed/verified"
+
+INPUT_PATH="${1:-}"
+if [[ -z "${INPUT_PATH}" ]]; then
+  echo "Usage: ${0} input_file"
+  exit 1
+fi
+
+ZIP_PATH="${OUTPUT_DIR}.zip"
+
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=- INITIALIZATION =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+# Clean out our output.
+if [[ -e "${SPLIT_DIR}" ]]; then
+  rm -rf "${SPLIT_DIR}"
+fi
+if [[ -e "${OUTPUT_DIR}" ]]; then
+  rm -rf "${OUTPUT_DIR}"
+fi
+if [[ -e "${ZIP_PATH}" ]]; then
+  rm -rf "${ZIP_PATH}"
+fi
+
+# Split the input file into individual message files.
+mkdir -p "${SPLIT_DIR}"
+message_count=$( git mailsplit "-o${SPLIT_DIR}" "${INPUT_PATH}" )
+echo "${message_count} messages found"
+
+# Create our output directories.
+mkdir -p \
+  "${UNSIGNED_DIR}" \
+  "${UNVERIFIED_DIR}" \
+  "${VERIFIED_DIR}"
+
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-= DKIM VERIFICATION =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+input_message_names=$( ls -1 "${SPLIT_DIR}" )
+for input_message_name in ${input_message_names}; do
+  input_message_path="${SPLIT_DIR}/${input_message_name}"
+
+  # Check whether there's a signature at all.
+  set +e
+  sig_header=$(
+    grep \
+      --extended-regexp \
+      --max-count 1 \
+      '^DKIM-Signature: ' \
+      "${input_message_path}"
+  )
+  sig_header_exit=$?  # 0 means there were matching lines
+  set -e
+
+  # If signed:
+  if [[ "${sig_header_exit}" -eq 0 ]]; then
+    # Attempt to verify the signature.
+    set +e
+    verification_result=$(dkimverify < "${input_message_path}")
+    verification_result_exit=$?  # 0 means verification succeeded
+    set -e
+
+    # If verification succeeds:
+    if [[ "${verification_result_exit}" -eq 0 ]]; then
+      echo "${input_message_path} is signed and verified"
+      cp "${input_message_path}" "${VERIFIED_DIR}/${input_message_name}.eml"
+    # If verification fails:
+    else
+      echo "${input_message_path} is signed, but verification failed"
+      cp "${input_message_path}" "${UNVERIFIED_DIR}/${input_message_name}.eml"
+    fi
+  # If unsigned:
+  else
+    echo "${input_message_path} is unsigned"
+    cp "${input_message_path}" "${UNSIGNED_DIR}/${input_message_name}.eml"
+  fi
+done
+
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ZIP CREATION -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+zip --recurse-paths -9 "${ZIP_PATH}" "${OUTPUT_DIR}" > /dev/null
+echo "Output file created at ${ZIP_PATH}"