Parsing the POP3 UIDL History


In my previous post, we discussed how to locate Outlook’s POP3 UIDL history. Now that we have the blob, let’s look at how to parse it:

POPBlob Structure:

  • Version (2 bytes): Must be PBLOB_VERSION_NUM (3)
  • Count (2 bytes): Count of resource tags
  • Resource tags (variable): 0 or more null terminated UTF-8 strings encoding the resource tags. The number of null terminated strings must match Count.

Resource Tags:

A resource tag encodes a UID with some metadata. The format of a resource tag string is represented as follows:

Mcyyyymmddhhmmssuuuuuuuuuuuuuuuuuu…

where

  • M (1 char): ‘+’, ‘-‘, or ‘&’, indicating a successful get, delete, or get-and-delete
  • c (1 char): ‘ ‘, ‘h’, or ‘b’, indicating content of none, header, body
  • yyyy (4 chars: Four digit year of download
  • mm (2 chars): Two digit month of download
  • dd (2 chars): Two digit day of download
  • hh (2 chars): Two digit hour of download
  • mm (2 chars): Two digit minute of download
  • ss (2 chars): Two digit second of download
  • uuuu… (variable): Encoded uid (Unique Identifier) of a message

The encoded uid of the message has been escaped so only alphanumeric characters and the character ‘$’ are present. Non-alphanumeric characters in the original UID are represented as ‘$’+ 2 digit hex encoding. For instance, the character ‘-‘ is encoded in the UID as $2d

For example, this blob:

030017002B623230313230393036313331313338304243353335444224326445413633243264313145312432644137354324326430303231354144374242373400 
2B623230313230393036313331313337313433444242434224326445413636243264313145312432644135463224326430303232363443313534424100 
2B623230313230393036313331313339323445383833333324326445413334243264313145312432644133414324326430303231354144374631353600 
2B623230313230393036313331313336333446324533383124326445423236243264313145312432644244353924326430303231354144383043324300 
2B623230313230393036313331313339333733443545363924326445413236243264313145312432644231363024326430303231354144393946303000 
... 

Can be interpreted as follows:

0300 Version: PBLOB_VERSION_NUM 
1700 Count: Count of restags (0x17 = 23) 
2B623230313230393036313331313338304243353335444224326445413633243264313145312432644137354324326430303231354144374242373400 Tag 1 
2B623230313230393036313331313337313433444242434224326445413636243264313145312432644135463224326430303232363443313534424100 Tag 2 
2B623230313230393036313331313339323445383833333324326445413334243264313145312432644133414324326430303231354144374631353600 Tag 3 
2B623230313230393036313331313336333446324533383124326445423236243264313145312432644244353924326430303231354144383043324300 Tag 4 
2B623230313230393036313331313339333733443545363924326445413236243264313145312432644231363024326430303231354144393946303000 Tag 5 
...

And we can parse one of the resource tags as follows:

2B623230313230393036313331313338304243353335444224326445413633243264313145312432644137354324326430303231354144374242373400 = 
"+b201209061311380BC535DB$2dEA63$2d11E1$2dA75C$2d00215AD7BB74" 
+ = Successful get 
b = Content is body 
2012 = Year 
09 = Month 
06 = Day 
13 = Hour 
11 = Minute 
38 = Second 
0BC535DB$2dEA63$2d11E1$2dA75C$2d00215AD7BB74 = UID

This UID can then be interpreted as:

0BC535DB + $2d + EA63 + $2d + 11E1 + $2d + A75C + $2d + 00215AD7BB74 = 
0BC535DB + '-' + EA63 + '-' + 11E1 + '-' + A75C + '-' + 00215AD7BB74 = 
0BC535DB-EA63-11E1-A75C-00215AD7BB74


So the first UID encoded in this blob is "0BC535DB-EA63-11E1-A75C-00215AD7BB74", and the body was successfully retrieved on 9/6/2012 at 13:11:38.

Comments (0)

Skip to main content