Outlook 2007 Postmark Algorithm Details


Ian Boyd

The postmark headers are of the form:

x-cr-hashedpuzzle: [b01] [b02] [b03] [b04] [b05] [b06] [b07] [b08]
[b09] [b10] [b11] [b12] [b13] [b14] [b15] [b16];n;[recipients];
Sosha1_v1;7;[PuzzleID];[sender];[datetime];[subject]
x-cr-puzzleid: [PuzzleID]


Definition
=======

[b01]-[b16]
(Unknown)
Sixteen individually base64 encoded byte values.

n
The number of recipients in the next field

[recipients]
Is a base64 encoded unicode string of the e-mail recipients. Each recipient
is semi-colon separated

"Sosha1_v1"
(Unknown)
Presumably the algorithm name.

"7"
(Unknown)

[PuzzleID]
A copy of the PuzzleID given in the x-cr-puzzleid header field

[sender]
Is a base64 encoded unicode string of the sender's e-mail address

[datetime]
Date and time the e-mail was sent (saved?)
e.g. Mon, 29 May 2006 04:14:05 GMT

[subject]
Base64 encoded version of the e-mail's subject line



An example from a HP presentation on Outlook 2007:
(http://www.mreach-art.com/HP-Exchange Academy/Final C05-Outlook-V4 0-1.pdf)

x-cr-hashedpuzzle: ASam AmlY A3ly BhAS Bx+p CoEw Cv9o Cxb6
D9Qv EhJ1 FWiW Fymo Hro4 HuWC ITRj Izc3;
1;YgB5AC0AZQB4AHAAcgBlAHMAcwBpAG8AbgAtAHcAZQBiA
C0AZABlAHMAaQBnAG4AZQByAEAAZwBvAG8A
ZwBsAGUAZwByAG8AdQBwAHMALgBjAG8AbQA=;
Sosha1_v1;7;{5064D5BE-8988-439C-A862-F2A7DED6F06F};
YwBkAHcAaQBzAGUAQAB3AGkAcwBlAHIAdwBhAHkAcwAu
AGMAbwBtAA==;Mon, 29 May 2006 04:14:05 GMT;
bgBlAHcAIAB0AHUAdABvAHIAaQBhAGwA
x-cr-puzzleid: {5064D5BE-8988-439C-A862-F2A7DED6F06F}

we extract:

16 words
=============
ASam 01 26 a6
AmlY 02 69 58
A3ly 03 79 72
BhAS 06 10 12
Bx+p 07 1f a9
CoEw 0a 81 30
Cv9o 0a ff 68
Cxb6 0b 16 fa
D9Qv 0f d4 2f
EhJ1 12 12 75
FWiW 15 68 96
Fymo 17 29 a8
Hro4 1e ba 38
HuWC 1e e5 82
ITRj 21 34 63
Izc3 23 37 37

n
===
1 recipient

Recipients
=========
(e-mail address removed)

Algorithm
========
Sosha1_v1;7;

PuzzleID
=========
{5064D5BE-8988-439C-A862-F2A7DED6F06F};

Sender
=======
(e-mail address removed)

DateTime
=========
Mon, 29 May 2006 04:14:05 GMT

Subject
======
new tutorial




Remarks
======
It's odd that each of [b01]-[b16] is an individually encoded sequence of 2,
3, or 4 bytes. It's not one long Base64 encoded sequence.


It's troubling that the algorithm designer didn't hash the various e-mail
addresses before Base-64 encoding them. People aren't going to like that
they are leaking out personal information. Hashing them first has the added
benefit of making it computationally more expensive.

I still have no idea what [b01]-[b16] are. It's noteworthy that there's
always 16 of them, but odd that they're variable length. It seems that
messages with more recipients have the longer b64 words (the ones generating
8 base64 letters was 11 recipients).
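
The field layout described in this post can be checked with a short parser. The Python below is an added example, not part of the original post and not Microsoft's code; it shows that the recipients, sender and subject come straight back out of the header with nothing more than Base64 and UTF-16LE decoding. The function names and the example.com addresses are assumptions made for the illustration; the sixteen words, PuzzleID, date and subject are the ones quoted above.

```python
import base64

def enc(text):
    """UTF-16LE then Base64, the encoding the post describes for text fields."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

def dec(field):
    """Reverse of enc(); whitespace left by folded header lines is dropped first."""
    return base64.b64decode("".join(field.split())).decode("utf-16-le")

def parse_hashedpuzzle(value):
    """Split an x-cr-hashedpuzzle value into its nine ';'-separated fields."""
    parts = [p.strip() for p in value.split(";")]
    if len(parts) != 9:
        raise ValueError("expected 9 fields, got %d" % len(parts))
    words, n, rcpts, algo, param, puzzle_id, sender, when, subject = parts
    recipients = [r for r in dec(rcpts).split(";") if r]
    return {
        # Each word is its own Base64 string; pad in case '=' was stripped.
        "words": [base64.b64decode(w + "=" * (-len(w) % 4)) for w in words.split()],
        "n": int(n),
        "recipients": recipients,
        "n_matches": int(n) == len(recipients),  # n should equal the list length
        "algorithm": algo,
        "param": param,  # the unexplained "7"
        "puzzle_id": puzzle_id,
        "sender": dec(sender),
        "datetime": " ".join(when.split()),
        "subject": dec(subject),
    }

# Constructed sample: the 16 words, PuzzleID, date and subject from the post,
# with made-up example.com addresses in place of the removed ones.
SAMPLE = (
    "ASam AmlY A3ly BhAS Bx+p CoEw Cv9o Cxb6\r\n"
    " D9Qv EhJ1 FWiW Fymo Hro4 HuWC ITRj Izc3;1;"
    + enc("alice@example.com")
    + ";Sosha1_v1;7;{5064D5BE-8988-439C-A862-F2A7DED6F06F};"
    + enc("bob@example.com")
    + ";Mon, 29 May 2006 04:14:05 GMT;"
    + enc("new tutorial")
)

if __name__ == "__main__":
    for key, val in parse_hashedpuzzle(SAMPLE).items():
        print(key, "=", val)
```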