Decrypting usenet headers, part 2
#1
So the troll/spammer has changed to Google Groups and is using a VPN for the IP, but all posts have a "posting-account" header, which is encoded, and I was wondering if any of you guys could see what kind of format it is and how to possibly decode it?

Here are some examples:
  • VaXkVAoAAADbkEFbLXXJcNV34P1KTZKR
  • Vm0uAgoAAABvTYeieyl4GElbOkHDqJYr
  • v_2vHwoAAACkQKbseN841UEbqgaDTAQd

All seem to have an "AAA" part in them that feels like it is significant.
#2
I'm not familiar with that specific header, but - just speculating - it looks like a proprietary encoding/encryption scheme. When specific ecosystems (like Google) insert such public headers for their own private use, it's likely that part of the scheme includes a private component that only they know.

Regardless, hashcat does not support attacking this header.