Spoiler-free hint sequence. (Mods: if this is too spoilery, feel free to delete, but please let me know which part is spoilery so I can post a corrected version. I'm posting it here so people have some help working through the challenge on their own rather than downloading a solution like a script kiddie - because it's just too easy and tempting to take that shortcut on this particular challenge.)
1. There's a free program currently released by Oracle Corp. (bastards) that can help you with this mission. Either that, or you can use the expensive program sold by their competitor (even bigger bastards, though YMMV). Hint: in the Windows and (I think) Mac versions, both programs have green icons. Hell, I think some other people posted the name of the expensive program already. I used the free one, and it worked like a charm.
2. Google XEcryption. Learn how it works.
3. Copy the encrypted file into your favourite text editor, and turn it into a CSV (google CSVs). The method for doing this should be stupidly obvious.
4. Your CSV now has the wrong number of columns. From what you know about XEcryption, how many columns should it have so that each row corresponds to one letter? Rearrange the line breaks so it has the right number of columns. (Search and Replace can make your life a bit easier here, but this is still the most mind-numbingly boring part of the procedure unless you are using emacs or some similarly high-octane editor.)
5. Now you can load your CSV into the Oracle Program (or equivalent) and get a nice table of numbers. The next step is to turn each row of numbers into 1 number. Knowing what we know about XEcryption and the Oracle Program, how do we do this? (Hint: you don't have to be a hacker to know about that function - even accountants know about it.)
6. We now have a nice column of numbers, each corresponding to a single letter or other character (remember that e-mails usually include spaces and line breaks). The usual way to crack an encrypted message like this is to figure out what the most common character is. Which number appears the most times in your series? Remember that number. (You can use the Oracle Program to help you find it and record it.)
7. Our next task is to figure out which character that number corresponds to. According to XEcryption, each number in our column is equal to the sum of two numbers: one is the password-sum, and the other is a number corresponding to a single character in the e-mail. If we can figure out which character our magic number corresponds to, we can retrieve the password-sum without knowing the password, and decode the whole message!
8. But before that, we need to figure out which character our magic number represents. Forget about the password-sum for a moment: what is the code that is used in XEcryption to convert numbers into characters and vice versa? (Hint: it's an American code.) Learn about that code, if you don't already know, and Google up a table which shows it. Some of these tables have 2 pages; you want page 1, since page 2 has gibberish characters and no letters, numbers or other stuff which usually appears in an e-mail. Notice that the numbers which correspond to letters, spaces, etc. are within a certain range.
9. Next question to ask yourself: what are the most common characters in the e-mail likely to be? Find them in the table you Googled up, and then find their corresponding code numbers in the same table. (I used three different common characters for my attempt. Note that characters are not necessarily alphanumeric!)
10. Now we can try to guess the password-sum. But here's an additional step that will help you to guess it: find the largest and smallest numbers in your list of encrypted numbers (in the Oracle Program).
11. At this point we have: the largest and smallest numbers in our list of encrypted numbers, the most common number in our list of encrypted numbers, and the numbers corresponding to the 3 most common characters which would likely appear in the message. Now let's try to guess the password-sum. Bearing in mind the way that XEcryption works, there are 3 possible candidates for our password-sum (possibly more or less, if you decided to use more or less than 3 common characters). Figure out what they are.
12. For each of these candidate numbers, try and figure out what characters the largest and smallest numbers would correspond to if that candidate really was the password-sum. Are the characters even in that table you Googled up? After this step, I was left with only one candidate - in other words I knew the password-sum. The other ones simply didn't make sense.
(If none of your candidate numbers make sense, the most likely explanation is that you failed to guess what the most common character in the e-mail was. Try again - it's not that hard to guess.)
13. Now you can use the Oracle Program to figure out the actual numbers. The procedure is not too different from what you did in step 5. The next thing is to turn this column of numbers into letters. We could do this manually, but that would take ages, so:
14. The Oracle Program has a function that can help us here. Think about this for a moment: there is another number format which is also listed on the table you Googled up. Use the Oracle Program to convert the numbers to that format, because it's pretty easy to find a converter that will convert the numbers from that format into characters - the text of the (previously) encrypted e-mail.
15. Google up a converter that will do the grunt work for you - after all, you don't want to manually decode 600+ numbers by staring at a table. Copy the numbers from the Oracle Program and paste them into the converter.
16. Voila, you have the e-mail... but wait, something's not right. There are a couple of garbage characters in there, because the converter isn't perfect (or your computer's OS isn't perfect). What could those characters be? Well, taking into account the position of those characters in the e-mail, they must correspond to a very specific sort of character. Remember that most of the keys you use when typing on your keyboard - not just the letters, numbers and punctuation - each correspond to a character, and replace those garbage characters with the ones which should go there.
17. Use the HTS message system to send the now-corrected e-mail to our friend ToxiCo_Watch, and that's all she wrote.
Hope those of you who are having trouble find this helpful.