I received an email message from someone that contained an attachment that had a .eml filename extension. When I viewed that file, I found the usual email header fields, i.e., "from", "to", "cc", and "subject", but for the body of the message I saw the following:
Content-Type: multipart/alternative; boundary="_000_22D42B1E120C59488B6A96BA13E639711E185536NDMSMBX403ndcna_" MIME-Version: 1.0 --_000_22D42B1E120C59488B6A96BA13E639711E185536NDMSMBX403ndcna_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 QXMgZmFyIGFzIG15IGxpbWl0ZWQgdW5kZXJzdGFuZGluZyBvZiB0aGUgbWFpbCBzZXJ2ZXJzIGdv <text snipped> YnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+ Jm5ic3A7PC9vOnA+PC9wPg0KPC9kaXY+DQo8L2JvZHk+DQo8L2h0bWw+DQo= --_000_22D42B1E120C59488B6A96BA13E639711E185536NDMSMBX403ndcna_--
I needed to decode the base64 encoded text. Fortunately, Python has a base64 module that can be used for that purpose. So I created the following Python script to decode the encoded portion of the .eml file. The script expects the name of the input file to be provided on the command line and will print an error message and terminate if the file name isn't provided. If the filename is provided, the script will read the file line by line looking for the "Content-Transfer-Encoding: base64" which indicates that after one following blank line the encoded text will commence. The output will be displayed on the screen but can be redirected to a file.
#!/usr/bin/python import base64, sys try: sys.argv[1] except IndexError: print "Error - missing input file name! Usage", sys.argv[0], "infile" sys.exit(1) else: fileName = sys.argv[1] base64_marker = "Content-Transfer-Encoding: base64" block_of_lines = "" with open(fileName) as input_data: # Skips text before the beginning of the base64 encoded block: for line in input_data: if line.strip() == 'Content-Transfer-Encoding: base64': break for line in input_data: # Skip blank line break # Reads text until the end of the block: for line in input_data: # Append lines to block_of_lines block_of_lines = block_of_lines + line print base64.b64decode(block_of_lines)