proofpoint-url-decoder
proofpoint-url-decoder copied to clipboard
decode parameters
A Proofpoint URL takes the format of the following:
urldefense.proofpoint.com/v2/url?[params]
where [params]
consists of the following:
c
:= constant (per organization)
d
:= constant (per organization)
e
:= always empty?
m
:= ?
r
:= unique identifier tied to email address
s
:= ?
u
:= safe-encoded URL
m
might be a hash of the original URL or some metadata
s
might be a signature or checksum
Disturbingly, each URL contains a unique identifier that's tied to the individual's email address, letting the organization (that hosts the email) and Proofpoint logs when a particular user clicks on a URL and quite possibly crawl the target content.
It would be nice to understand what each parameter does and how it's encoded (or, if possible, how to decode it).