Since a few months, many organisations have urls in incoming mail rewritten to be redirected through a checking service (Outlook Safelinks, Proofoint, FireEye, Black Spider/Forcepoint). Because this makes links in text emails almost unreadable and because of archival considerations, I ‘unrewrite’ these before archiving the emails. This is fairly straightforward with most services. However, with Black Spider, I have no clue how to unencode it.
I (only) have the following plain and rewritten urls:
https://ac.erikquaeghebeur.name
http://hybrid-web.global.blackspider.com/urlwrap/?q=AXicDcm9DcIwEAbQT2ICFrk4gCmogAEossHhnHCCf8LZicSMdFS0bAKvfesVxjfw-QIanu2mp6ILRR6Cy6lqDuRyhLG7k5jzxdj9trUIuY7yDy_pyLFU0Z4jpQBf61QOTcOORIf7Y2a5ebnKrJQ4CoDuBfwAuCYmZA&Z
So the string AXicDcm9DcIwEAbQT2ICFrk4gCmogAEossHhnHCCf8LZicSMdFS0bAKvfesVxjfw-QIanu2mp6ILRR6Cy6lqDuRyhLG7k5jzxdj9trUIuY7yDy_pyLFU0Z4jpQBf61QOTcOORIf7Y2a5ebnKrJQ4CoDuBfwAuCYmZA&Z
must be decoded.
What I tried is unencoding assuming base64url encoding, guessing the final &Z
can be dropped, because it is some extra information added by the rewriting service. I tried it using an on-line decoder and it did not work, i.e., it returned non-ASCII characters.
- Does anyone know, or can anyone figure out which encoding is being used?
- Or, does anyone know whether it is not an encoding, but just some string (hash?) mapping to the url in Forcepoint's server?