A Proofpoint URL takes the format of the following:
urldefense.proofpoint.com/v2/url?[params]
where [params] consists of the following:
c := constant (per organization)
d := constant (per organization)
e := always empty?
m := ?
r := unique identifier tied to email address
s := ?
u := safe-encoded URL
m might be a hash of the original URL or some metadata
s might be a signature or checksum
Disturbingly, each URL contains a unique identifier that's tied to the individual's email address, letting the organization (that hosts the email) and Proofpoint logs when a particular user clicks on a URL and quite possibly crawl the target content.
It would be nice to understand what each parameter does and how it's encoded (or, if possible, how to decode it).
A Proofpoint URL takes the format of the following:
urldefense.proofpoint.com/v2/url?[params]where
[params]consists of the following:c:= constant (per organization)d:= constant (per organization)e:= always empty?m:= ?r:= unique identifier tied to email addresss:= ?u:= safe-encoded URLmmight be a hash of the original URL or some metadatasmight be a signature or checksumDisturbingly, each URL contains a unique identifier that's tied to the individual's email address, letting the organization (that hosts the email) and Proofpoint logs when a particular user clicks on a URL and quite possibly crawl the target content.
It would be nice to understand what each parameter does and how it's encoded (or, if possible, how to decode it).