Is it possible to decode a SPAMCAUSE field in a mail header?


I'd like to decode this string:

X-OVH-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrfeelgedrvdduucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuqfggjfenuceurghilhhouhhtmecufedttdenucgohfhorhgsihguuggvnhfjughrucdlhedttddm

How can I do this?

4

There are 4 answers

1
DoubleYou On

Starting from lkraider's great Python answer, I improved the accuracy. It turns out that the offset characters (c..g) are alternately appended and prepended. So instead of just checking if one of them is in the pair, it is necessary to differentiate between, e.g., fh and hf, by keeping track of even or odd pairs.

def decode(msg):
    text = ""
    for i in range(0, len(msg), 2):
        # add position as extra parameter
        text += unrot(msg[i: i + 2], i // 2)
    return text


def unrot(pair, pos, key=ord('x')):
    # "even" position => 2nd char is offset
    if pos % 2 == 0:
        # swap letters in pair
        pair = pair[1] + pair[0]
    # treat 1st char as offset
    offset = (ord('g') - ord(pair[0])) * 16
    # map to original character
    return chr(sum(ord(c) for c in pair) - key - offset)

print(decode('gggruggvucftvghtrhho'))

https://gist.github.com/DoubleYouEl/e3de97293ce3d5452b3be7a336a06ad7

0
lkraider On

Looks to be some obfuscation by rotating chars. I made an attempt at it using Python. It's not perfect but mostly seems to work:

def decode(msg):
    text = []
    for i in range(0, len(msg), 2):
        text.append(unrot(msg[i: i + 2]))
    return str.join('', text)


def unrot(pair, key=ord('x')):
    offset = 0
    for c in 'cdefgh':
        if c in pair:
            offset = (ord('g') - ord(c)) * 16
            break
    return chr(sum(ord(c) for c in pair) - key - offset)


print(decode('gggruggvucftvghtrhho'))

https://gist.github.com/lkraider/9530798a695586fc1580d0728966f6f0

3
Asmadeus On

There is a Tor hidden service you can use to decode the tag located at http://6jbnmws2zq2m2fsfmpwnssgsrxovohgggphymkd4df2pgcw7ccrdy6ad.onion

According to it, the X-OVH-SPAMCAUSE you gave translates to this:

Vade Retro 01.394.21 AS+AV+AP+RT Profile: OVH; Bailout: 300; ^ForbiddenHdr (500)

2
Octo Poulos On

I improved the given Python solutions by lkraider and DoubleYou and added a JavaScript solution, too.

Python:

def Decode(msg):
    return ''.join([chr(ord(msg[i * 2]) + ord(msg[i * 2 + 1]) - 1768 + ord(msg[i * 2 + 1 - (i & 1)]) * 16) for i in range(len(msg) // 2)])

print(Decode('gggruggvucftvghtrhho'))

JavaScript:

function Decode(msg)
{
    return Array(msg.length >> 1).fill(0).map((_, i) => String.fromCharCode(msg[i * 2].charCodeAt(0) + msg[i * 2 + 1].charCodeAt(0) - 1768 + (msg[i * 2 + 1 - (i & 1)].charCodeAt(0) << 4))).join('');
}

console.log(Decode('gggruggvucftvghtrhho'));
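
Added example, not taken from any of the answers above: a Python decoder that applies the alternating-offset rule from DoubleYou's and Octo Poulos's answers to every X-OVH-SPAMCAUSE header in a raw message, for use when triaging why a mail was flagged. The message wrapped around the question's header value, the function names, and the printable-ASCII sanity check are assumptions of this example.

```python
import email

# X-OVH-SPAMCAUSE value from the question, split only for line length.
QUESTION_VALUE = (
    "gggruggvucftvghtrhho" "ucdtuddrfeelgedrvddu" "ucetufdoteggodetrfdotffv"
    "ucfrrhhofhhilhgvme" "cuqfggjfen" "uceurghilhhouhhtme" "cufedttden"
    "ucgohfhorhgsihguuggvnhfjughr" "ucdlhedttddm"
)

# Constructed message (sender, subject and the header fold are made up).
SAMPLE_MESSAGE = (
    "From: sender@example.org\n"
    "Subject: constructed sample\n"
    f"X-OVH-SPAMCAUSE: {QUESTION_VALUE[:80]}\n"
    f" {QUESTION_VALUE[80:]}\n"
    "\n"
    "body\n"
)


def decode_spamcause(value):
    """Decode one header value with the alternating-offset rule from the answers."""
    value = "".join(value.split())  # drop whitespace left by header folding
    if len(value) % 2:
        raise ValueError("encoded value must have an even length")
    out = []
    for pos in range(len(value) // 2):
        first, second = value[2 * pos], value[2 * pos + 1]
        # Even pairs carry the offset letter second, odd pairs carry it first.
        offset = second if pos % 2 == 0 else first
        code = ord(first) + ord(second) - 1768 + 16 * ord(offset)
        # Assumption of this example: the plaintext is printable ASCII.
        if not 0x20 <= code <= 0x7E:
            raise ValueError(f"pair {pos} ({first + second!r}) is not valid")
        out.append(chr(code))
    return "".join(out)


def spamcauses_in(raw_message):
    """Return the decoded text of every X-OVH-SPAMCAUSE header in a raw message."""
    msg = email.message_from_string(raw_message)
    return [decode_spamcause(v) for v in msg.get_all("X-OVH-SPAMCAUSE", [])]


if __name__ == "__main__":
    for text in spamcauses_in(SAMPLE_MESSAGE):
        print(text)
```

Input that is odd-length or decodes outside printable ASCII raises `ValueError` instead of returning garbage, which makes truncated or mangled headers easy to spot.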