Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is it possible to decode a SPAMCAUSE field in a mail header?

I'd like to decode this string: X-OVH-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrfeelgedrvdduucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuqfggjfenuceurghilhhouhhtmecufedttdenucgohfhorhgsihguuggvnhfjughrucdlhedttddm

Has someone a tool or something who could do this ?

Thanks.

like image 800
Sylvain Huck Avatar asked Jan 06 '17 13:01

Sylvain Huck


1 Answers

Starting from lkraider's great answer, I improved the accuracy. It turns out that the offset characters (c..g) are alternatingly appended and prepended. So instead of just checking if one of them is in the pair, it is necessary to differentiate between, e.g., fh and hf, by keeping track of even or odd pairs.

def decode(msg):
    text = ""
    for i in range(0, len(msg), 2):
        text += unrot(msg[i: i + 2], i // 2)                    # add position as extra parameter
    return text


def unrot(pair, pos, key=ord('x')):
    if pos % 2 == 0:                                            # "even" position => 2nd char is offset
        pair = pair[1] + pair[0]                                # swap letters in pair
    offset = (ord('g') - ord(pair[0])) * 16                     # treat 1st char as offset
    return chr(sum(ord(c) for c in pair) - key - offset)        # map to original character

print(decode('gggruggvucftvghtrhho'))

https://gist.github.com/DoubleYouEl/e3de97293ce3d5452b3be7a336a06ad7

like image 169
DoubleYou Avatar answered Sep 29 '22 12:09

DoubleYou