proofpoint-url-decoder
proofpoint-url-decoder copied to clipboard
cardi
tools to mess around with proofpoint URLs
Similar to #5, Outlook will rewrite URLs with `*[.]safelinks[.]protection[.]outlook[.]com`, so at some point you get an abomination of multiple entities rewriting each others' URLs. We should find and unwrap these,...
Sometimes the URLs are mangled multiple times, e.g., ``` https://urldefense[.]us/v2/url?u=https-3A__urldefense[.]com_v3_ ``` It used to be the case that if a URL already had the form of `http://urldefense[.]com/...`, the middlebox wouldn't...
https://twitter.com/malware_traffic/status/1043174079828770817 
A Proofpoint URL takes the format of the following: `urldefense.proofpoint.com/v2/url?[params]` where `[params]` consists of the following: `c` := constant (per organization) `d` := constant (per organization) `e` := always empty?...
When decoding emails with URLs mangled with urldefense v3, there is a little glitch: urldefense seems to add always a space after the URL, but this space is kept by...
Damn. My employer has changed the "secure" links provider, and now it's Cisco. The URLs have the following shape: ``` https://secure-web.cisco.com/1W9jhe2SGm2BNitIIaautca8rNFg8x1HzdiXH2nqdTHek8f3H2xv8js8dm9EVu3HRSeIAkMj6c2zwWFmrcG8XKsupK8sSz5j8Zog1At25XnpzkZ6gPXk6y_O4oqFgmV_OesoEEurqTsYFv_GeckTqxJ5ThIWtTBbiLD1r4AX8PGJuDI7rRGT22a-W8kVsXnYUr1LvMrOQnSufLQ5EJ3Fb95jONCil7uSQ_e0YNOA0ErMVvlvOQis-bWdOSNxEXZU1st6Ud_NKGOudW7_GI7IK_FYfJl3j-gkbzf25eF2X1KI/https%3A%2F%2Fmailchi.mp%2Fenqa%2Fenqa-bulletin-jun2024%3Fe%3D65775e6286 ``` Looks to me that they are easier to...
Based on [RFC 4155](https://www.rfc-editor.org/rfc/rfc4155#appendix-A), emails in the mbox format are delimited by something like the following (from [Wikipedia](https://en.wikipedia.org/wiki/Mbox)): ``` From MAILER-DAEMON Fri Jul 8 12:08:34 2011 ``` `decode_email.py` works on...