hypercube asked:

webmail redirection?

I'm working on a computer that would normally access centurylink webmail.

The "normal" address comes up as:
https://webmail.centurylink.net/mail#1

This address above is in a Google Chrome bookmark; so that's the initial address.
The target moves through a few addresses and the "abnormal" address comes up as:
http://mail.centurylink.net/zimbra/h/search?mesg=welcome&init=true

In getting there, it moves through:

https://auth.centurylink.net/saml/module.php/ppp/restart.php?AuthState=no_cookie#1

and,

https://auth.centurylink.net/saml/module.php/authbypass/firstbookend.php?AuthState=_cd81d2fbcd6a8753d13bb3e46d924505213693dc4e%3Ahttps%3A%2F%2Fauth.centurylink.net%2Fsaml%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3Dhttp%253A%252F%252Fcenturylink.net%252Fsaml%252Fmodule.php%252Fsaml%252Fsp%252Fmetadata.php%252FClient%252FLibrary%252FSaml%252Fsaml-sp%26cookieTime%3D1507237017%26RelayState%3Dhttp%253A%252F%252Fcenturylink.net%252F%253Ffrom%253Demail%26isPassive%3D1&id=203bd8ae08&coeff=0&history=3#1
which I can't read...

The *very* strange thing about this is that I tried accessing the client's webmail from one of my own computers and got the same thing yesterday.  
CenturyTel claims to have fixed an issue and now I get the correct web page on my computer.
However, the client (who is some 50 miles away from my office), is getting these redirects on all browsers.

With some fiddling, (like removing histories, etc.) I've been able to get the correct page on the client's computer.  But this seems short-lived.  Now IE, Google Chrome and Firefox are all doing what I've described above on his computer.

No scans with HitManPro, Roguekiller, HijackThis!, Malwarebytes show up anything that looks at all interesting.  Nothing found in the registry to the extent I even know what to look for.

I'm beginning to think that CenturyTel has a hijacked copy of their website that may depend on from where one reaches out.
But that's perhaps a stretch.  My experience in cleaning up computers is extensive but not infallible of course.

I even set up a Thunderbird POP client and all looks fine there.

Oh yes,  the "bad" site looks OK.  The client can log in and send mail just fine.  However, no mail shows up after Sept 30th while there *is* plenty of mail on the server thereafter.  It's just not evident on the "bad" site.....

Dave Baldwin

Zimbra is the same email server software that Comcast uses so I wouldn't consider it "abnormal".  It is not unusual for logins to pass thru several pages on their way to the destination.  Typically such 'auth' pages redirect to another page without showing any content in the browser.  The only odd thing is the user's inability to see more recent emails.

https://www.zimbra.com/

hypercube (ASKER)

Dave Baldwin:  Thanks!  I've looked just a bit at zimbra the service and don't understand much about it yet.  It doesn't seem to fit in the context of what's going on here.

When this works right, there is no redirection that I can notice.
When this doesn't work right, there is the redirection that I documented.
Either the redirection is normal or it isn't.
I have no idea how to tell except for the more recent emails being missing.

If the starting address is the same then how does the redirection get triggered?

I am very reluctant to suggest that Centurylink is messed up.  But such things are also not unknown.
Maybe they've played with using zimbra and shut it off or lost connection or ..... ?
How might one address this?
I would hate to find that there's a redirection bug in this one computer but this begs the question: "why does this one computer get affected by this?"  is it geography perhaps?  Or am I missing finding a redirect parasite on this computer?

ASKER CERTIFIED SOLUTION
Dave Baldwin

This solution is only available to members.

Dave:  Thanks for the detailed explanation!  So, in this case, the mail service and the ISP are one and the same - and it does appear to be network related to me and based on what you've said.  The one thing I couldn't be sure of is where those redirects were coming from: internal to the computer or external in the network.
The antivirus that's running on this computer is a combination that we've been using across many, many computers:
Windows Defender
Malwarebytes (paid version)
Windows firewall.
This combination seems to work well and not cause many problems.  It's a little hard to figure how it could change the browser URL path....
But, it does start https and ends up http in the anomalous case.

The way that 'redirects' work is that the server sends a 'Location' header to the browser that tells it to go to another page.  With each redirect, there is another chance for some kind of error.

I'm surprised that you end up on an 'http' page instead of 'https'.  Is the problem computer updated?  Newer than Windows XP or Vista?  Browsers on older systems aren't updated to handle all of the current SSL/TLS protocols.

OK.  Thanks again....   Is there a way to step through the redirects?  The way I did it was clumsy at best.  It would be great to know if the redirects were external (from a server) or internal (from a parasite).

> Is there a way to step through the redirects?

No.  Each one runs some code and then does the next redirect until you get to the final page.  I use an add-on in Firefox that captures the headers which will show the different URLs.  If you are expecting to see some page content, there probably won't be any until the final page is reached.  I doubt that it is 'internal'.  

I believe that that computer or network is just not handling something properly.  The best way to test is to take the computer to another place with another network and see how it performs.  Web mail does not normally require you to be on the same ISP's network for it to work.
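
A way to see each hop outside the browser, as an added example that is not part of the original thread: the Python sketch below requests one URL at a time without following redirects, records each 'Location' header, and flags an https-to-http downgrade or a host change. The `SAMPLE` responses are constructed for offline use (hostnames come from the thread; the statuses and Location values are assumptions), and `fetch_once`, `trace_redirects` and `sample_fetch` are names chosen here.

```python
import http.client
from urllib.parse import urljoin, urlsplit

def fetch_once(url):
    """Send one GET without following redirects; return (status, Location or None)."""
    parts = urlsplit(url)  # any #fragment is dropped: browsers never send it to the server
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", path, headers={"User-Agent": "redirect-trace"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_redirects(url, fetch=fetch_once, max_hops=10):
    """Follow Location headers one hop at a time, recording and flagging each step."""
    hops = []
    for _ in range(max_hops):  # hop limit guards against redirect loops
        status, location = fetch(url)
        hop = {"url": url, "status": status, "location": location, "flags": []}
        hops.append(hop)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        nxt = urljoin(url, location)  # Location may be relative
        old, new = urlsplit(url), urlsplit(nxt)
        if old.scheme == "https" and new.scheme == "http":
            hop["flags"].append("https->http downgrade")
        if old.hostname != new.hostname:
            hop["flags"].append("host change: %s -> %s" % (old.hostname, new.hostname))
        url = nxt
    return hops

# Constructed responses so the example runs offline. Hostnames are from the thread;
# the status codes and Location values are assumptions, not captured traffic.
SAMPLE = {
    "https://webmail.centurylink.net/mail": (302, "https://auth.centurylink.net/saml/module.php/ppp/restart.php?AuthState=no_cookie"),
    "https://auth.centurylink.net/saml/module.php/ppp/restart.php?AuthState=no_cookie": (302, "http://mail.centurylink.net/zimbra/h/search?mesg=welcome&init=true"),
    "http://mail.centurylink.net/zimbra/h/search?mesg=welcome&init=true": (200, None),
}

def sample_fetch(url):
    return SAMPLE[url]

if __name__ == "__main__":
    for h in trace_redirects("https://webmail.centurylink.net/mail", sample_fetch):
        print(h["status"], h["url"], "->", h["location"], h["flags"])
```

Calling `trace_redirects` with only a URL uses `fetch_once` for live requests. If a script sees the same chain the browser does, the 'Location' headers are arriving over the network rather than being injected by a browser extension.
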

Thanks Dave!

You're welcome!

What's the Firefox add-on?