Getting email .. nyuck nyuck nyuck



  • I have an email account at one of my clients (ClientCo), and last week they had their external IT company (ITCorp) in doing some work on the overall email system. Not being a ClientCo employee I missed the company-wide email that foretold of the email and VPN system being down for about 10 minutes at 9AM on Tuesday morning.

    10 AM Tuesday About an hour after the email went down I call a contact in ClientCo to find out what is going on. Larry is nominally point man for such issues within the company but doesn't admin the email system. However that day he was a bit pissed as ITCorp hadn't kept him in the loop as to what was going on. Oh well, so it's a game of wait and see when the email comes up.


    1PM Tuesday The system is back up! I want to get at some files via the VPN and attempt to open it as per previous usage. Hmmm .. the login I normally use now is rejecting me. A quick call to Larry determines that they have changed the VPN login methodology. Previously there was 1 login account for everyone who wanted to access the VPN. Then after you were in you could attach drives etc using your company account credentials. I always thought that this was pretty bad, but I was happy to find that you now needed to use your company credentials to get in via the VPN. That's a step up. Pity Larry couldn't have told me beforehand what was going on.


    Other work that ITCorp had done involved installing an email quarantine system from QCo. I at least had some warning about this as I started getting emails from the QCo system saying that I had items in quarantine. I ignored these initial emails as I had never previously had a spam problem with this account, and the so-called spam's reported "From:" address seemed to be unintelligible gibberish. I put that down to the system not being fully implemented yet.


    7AM Friday I finally get a genuine "blocked" email from a colleague. So I go use the QCo link.


    Unfortunately it doesn't work.


    I use Outlook Web Access (OWA) to read email at my ClientCo account, and the links to the QCo system were pre-pended with an Outlook redirection script "redir.asp". This script looks like it is meant to open a new browser window pointing to the actual URL which follows the "?". The actual QCo link points via https to an "enduser.php" script on some other server, and passes to that script something that identifies who I am. So I click on the overall Outlook script link and instantly get an HTTP 500 error for the "redir.asp" file. No biggy, I'll just carve the OWA stuff off the front of the link and open the "enduser.php" link directly and be on my way. Well I do that and when the new window pops up I get presented with a login page at the QCo quarantine system. But no matter what I try with account or password combinations I just can't seem to get past this login.

    11AM Friday I call Larry at ClientCo, explain my problem and he says he'll call the ITCorp people and they'll call me.


    1PM Friday I get a call from Moe, one of the ITCorp guys. I describe what was happening and Moe keeps saying things like "That shouldn't happen". Eventually he asks me to send him the email with the links in it. When he receives the email, he says "I can see the problem, I'll call you back when I fix it".


    5PM Friday I get an email from Moe saying that he is still working on it.


    9AM Monday I send Moe an email asking the current status.


    11AM Monday Moe replies that he is still working on it.


    9:00 AM Tuesday Moe emails me and says it is fixed. He also says that he released the email that I have had quarantined since last Thursday, and told me that if I get a new quarantined email then I will get an update email the following hour.


    9:30 AM Tuesday I email Moe to ask if he can send an email to prove that the system is fixed. I immediately get an email from him that contains no body and no attachments. So much for proving the new quarantine system works, let alone the minor detail that we had been conversing via the email system in general all morning.


    10AM Tuesday I mail back to myself from my home account the original zip file that had previously been blocked. It arrives without being quarantined. Hmmm .. Is that supposed to happen? So I send an email to Moe asking about this behaviour.


    1PM Tuesday I get a call from another ITCorp person, Curly - Funny that Moe never responded to my email. Curly tells me that QCo is a white-list system, and that it is not the contents that are blocked, rather the email addresses. So I call up the person who originally sent me the email and leave a voicemail telling them how bad their email address is and I ask for them to resend that email.


    7AM Wednesday I receive the QCo quarantine summary saying that the email has been blocked as potential spam. So I click on the Outlook link and experience exactly the same behavior as last Friday. Bypassing the HTTP 500 error, the QCo system also gives me the same behaviour.


    10AM Wednesday I call Curly back and tell him that the system isn't fixed. I (once again) send him the email with the link in it.


    11AM Wednesday. Curly calls back and wants to remote access into my PC and see for himself what happens. I am not too happy about this but I can understand where he is coming from. So I give him access, and Curly pokes around trying to open the link in IE, then Firefox, and finally he spots Safari and goes for that. All the time getting the same HTTP 500 error from the OWA "redir.asp", and then when that part was carved out, getting the login dialog page from the QCo system. This takes a good hour of poking and prodding at the same thing over and over in my computer. At times he also puts me on hold and goes away to consult with other people and then comes back to try the same things over and over again. Eventually he says he will call me back. By now I am getting pissed as while he is doing all the poking I can't use my main PC and I also wanted to be working on the contents of the actual email that had been blocked.


    1PM Wednesday Curly calls back, and this time he says that he has QCo people on the other phone. Curly wants remote access to my computer again. This time as he is poking through all of the same stuff I hear Curly telling someone else in his office what his findings are, and I hear that other person parroting what Curly said. I assume that the 2nd person I hear is actually relaying Curly's comments to the QCo personnel. This session is just like the last one; repeating all of the same pointing and clicking and getting the same HTTP 500 error and eventually the same login page. However finally there is a breakthrough! I see Curly manually constructing a link in my browser's address bar, and it works!!!!! Oh joy oh joy. I will finally be able to get access to my quarantined emails! Curly finishes off by saving this special handcrafted link to my bookmarks. He then tells me that they are not sure how to fix the problem, but at least with this special link I can get through to the correct area and control my emails.


    9 AM Thursday. After calming down from yesterday's experiences I decide to look over the solution that was provided to me. I take a careful look at the QCo link that fails, and then at the handcrafted link that works. Then I do a quick google search to verify some ideas (as HTTP is not my forte but I had an idea as to what I was looking for).


    9:05 AM Thursday. Yep, there it is. The difference between the QCo link that failed and the one that works is a single character.

    "%26" vs "&"


    That's it. Somewhere along the way some system failed to do a URI decode and it took these ITCorp luminaries almost 4 days to hand craft a link in the required format rather than actually fixing the problem.

    The symptom I was seeing with the "enduser.php" login page (that "you should never see"), was that two fields were being lumped together and presented to "enduser.php" as my account number. This script said ".. there ain't no-one registered with that account" and then rightfully asked me for my correct account details.


    9:30AM Thursday. I send a very polite email to Curly pointing out what I found and that either they should slap a URI decode in their "enduser.php" script or check out whether the HTTP 500 "redir.asp" page is meant to do the decode for them.

    For some reason I haven't heard back from Curly yet.



  • Another good post.  Got a couple of winning OPs today.



  • @OzPeter said:


    9:30AM Thursday. I send a very polite email to Curly pointing out what I found and that either they should slap a URI decode in their "enduser.php" script or check out whether the HTTP 500 "redir.asp" page is meant to do the decode for them.

    For some reason I haven't heard back from Curly yet.

    Assuming it's the standard Outlook Web Access redir.asp, then it's supposed to do the URI decode before redirecting.



  • @OzPeter said:

    That's it. Somewhere along the way some system failed to do a URI decode and it took these ITCorp luminaries almost 4 days to hand craft a link in the required format rather than actually fixing the problem.

    That would be because you bypassed the part of the system that was supposed to do the decoding.

    You see, in the URL encoding scheme used for web forms, there is a difference between & and %26. Only the former acts as a field separator, the latter can be used to encode a literal & in a field value. So if the original link was http://someserver/redir.asp?target=http://otherserver/enduser.asp?account=12345%26detail=999, the redir.asp script is supposed to decode the value of the "target" field before redirection. However, by manually removing the redir.asp part, you arrived at http://otherserver/enduser.asp?account=12345%26detail=999, which indeed only has a single field in the query (field "account" with value "12345&detail=999").
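
The difference described in the reply above, as an added example that is not part of the original thread: Python's urllib.parse stands in for both the redirector and the endpoint's query parsing. The host names and field values are the illustrative ones from the reply, and the helper names are hypothetical.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample, modelled on the link quoted in the reply above.
# Host names, field names and values are illustrative only.
INNER = "http://otherserver/enduser.asp?account=12345&detail=999"
REDIRECTOR = "http://someserver/redir.asp"


def fields(url):
    """Parse a URL's query string the way a form-handling script would."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def wrap(redirector, target):
    """Embed target in the redirector link. Its '&' must become %26,
    otherwise the outer query would end at the first '&'."""
    return redirector + "?target=" + quote(target, safe=":/?=")


def carve_by_hand(wrapped):
    """Cut off everything up to 'target=' as text, with no decoding."""
    return wrapped.split("target=", 1)[1]


def unwrap(wrapped):
    """Parse the outer query, which percent-decodes 'target' exactly once
    (the step the redirector is expected to perform)."""
    return fields(wrapped)["target"]


if __name__ == "__main__":
    wrapped = wrap(REDIRECTOR, INNER)
    print("wrapped link      :", wrapped)
    print("carved by hand    :", fields(carve_by_hand(wrapped)))
    print("decoded once      :", fields(unwrap(wrapped)))
    print("'&' left unescaped:", fields(REDIRECTOR + "?target=" + INNER))
```

The last line shows why the wrapper needs %26 in the first place: with a raw "&" the redirector would see a truncated "target" and a stray "detail" field of its own.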

