I attempted to register an account for the Nokia support web site so that I could find information regarding the numerous security vulnerabilities in their products. During the registration process, it wasn't entirely clear if they would grant access to someone that didn't have a support contract in place, so I attempted to register anyway. As with all web sites, when I provide an e-mail address I use a plus sign and some word to identify the site. This lets me easily filter incoming mail and also tells me where mail originated from. If I receive Viagra spam to jericho+legitcompany then I know they sold my email address to spammers. I didn't keep the very first mail or so, but the first two below and the quoted material make it fairly easy to pick up on what happened. For more information on email addresses, plus signs and sites that are not RFC compliant, check out the "Websites and their fear of +" page I created a while back.

From: ES.Service@nokia.com
To: jericho@attrition.org
Date: Mon, 16 Aug 2004 05:58:32 -0500
Subject: RE: Nokia Online Account Registration Rejected

Jonathan,

Our online Service is for existing customers to get updates to support their products.

We process registrations for customers who have purchased support agreements for their Nokia products. Our validation for online services, requires that we match the company, and domain name of the user to the company profile records on hand. We do have some customers who have chosen industry words as domain names, and they are provided the access they require.

On occasion we refuse valid customers, when we have not gotten complete information for their company. If you have a service agreement, please provide the serial number of the supported product, and I will process your registration for you.

Regards,
Jill
Nokia ES Service Administration

-----Original Message-----
From: ext security curmudgeon [mailto:jericho@attrition.org]
Sent: Friday, August 13, 2004 6:40 PM
To: ES Service-CSA (RES/Ottawa)
Cc: nokia@attrition.org
Subject: Re: Nokia Online Account Registration Rejected

: Dear Mr Jonathan Doe
:
: Due to a problem in the registration details you submitted, we regret to
: inform you that we were unable to register you with a Nokia Online User
: Account.
:
: We cannot process your request at this time. The email address
: (domain) provided in your registration does not seem to match the
: company name. This is not allowed by Nokia Enterprise Solutions.
: Please provide your company email address and we will complete the
: registration.

So because a domain doesn't match a company name, you reject it? I pity the companies who register a domain name based on a word in the industry rather than their own name.

It's ok though, I don't think we want to purchase products from a company that refuses to follow RFC guidelines and break away from the standards that keep our net running.

If Nokia can't even program simple web applications to allow valid e-mail addresses, how are we to believe that any of your other products will function properly? So please, read and understand RFC 822 before writing any more web applications. It will allow your potential customers to take you more seriously.

From: security curmudgeon (jericho@attrition.org)
To: ES.Service@nokia.com
Date: Mon, 16 Aug 2004 07:07:49 -0400 (EDT)
Subject: RE: Nokia Online Account Registration Rejected

: Our online Service is for existing customers to get updates to support
: their products.
:
: We process registrations for customers who have purchased support
: agreements for their Nokia products. Our validation for online
: services, requires that we match the company, and domain name of the
: user to the company profile records on hand. We do have some customers
: who have chosen industry words as domain names, and they are provided
: the access they require.
:
: On occasion we refuse valid customers, when we have not gotten complete
: information for their company. If you have a service agreement, please
: provide the serial number of the supported product, and I will process
: your registration for you.

Hi Jill,

Does Nokia plan to modify their web site to conform to RFC standards (822 specifically) with regards to accepting valid e-mail addresses?

Jonathan

From: ES.Service@nokia.com
To: jericho@attrition.org
Date: Mon, 16 Aug 2004 06:52:45 -0500
Subject: RE: Nokia Online Account Registration Rejected

Jonathan,

The system does accept valid email addresses. All registration information is processed manually, and the response you did receive, was from a Customer Service Representative who was trying to search for an agreement that matched your company name, and was unsuccessful. On occasion, we have users who do not have emails that match the company name, so we search on the email domain to see if it is permitted (or covered) under another company's service agreement.

If you have a support agreement, please provide the serial number of the supported product, and I will process your registration.

Regards,
Jill
Nokia ES Service Administration

From: security curmudgeon (jericho@attrition.org)
To: ES.Service@nokia.com
Date: Mon, 16 Aug 2004 08:06:34 -0400 (EDT)
Subject: RE: Nokia Online Account Registration Rejected

: Jonathan,
:
: The system does accept valid email addresses.

Incorrect. Your system rejected my valid email address. After that I entered a 2nd one specifically for the signup process.

It is discouraging to see a company such as Nokia not only disregard RFC 822, but to turn around and tell me that I am hallucinating and my valid email address was accepted, when it wasn't. =(

Jonathan

From: ES.Service@nokia.com
To: jericho@attrition.org
Date: Mon, 16 Aug 2004 07:15:14 -0500
Subject: RE: Nokia Online Account Registration Rejected

Jonathan,

Please provide the site that rejected your valid email address, and if possible a screen shot of the error. We have been advised that our Enterprise Solutions registration process will accept all email addresses, for the very reason that we manually process each applicant.

I am interested in investigating this issue, so that I can escalate it to our web development team.

Regards,
Jill
Nokia ES Service Administration

From: security curmudgeon (jericho@attrition.org)
To: ES.Service@nokia.com
Date: Mon, 16 Aug 2004 08:53:13 -0400 (EDT)
Subject: RE: Nokia Online Account Registration Rejected

: Please provide the site that rejected your valid email address, and if
: possible a screen shot of the error. We have been advised that our
: Enterprise Solutions registration process will accept all email
: addresses, for the very reason that we manually process each applicant.
:
: I am interested in investigating this issue, so that I can escalate it
: to our web development team.

Instead of me going through all that effort, attempt to sign up for an account and provide the following email address:

jericho+toldyaso@attrition.org

If it rejects your address, you will see exactly what I am talking about. If I receive mail, then my initial attempt was an intermittent error that can't easily be explained.

And please, be honest! Don't change your back end code to allow the dreaded '+' sign after hours of testing, then tell me I was wrong. I've had enough sites tell me that before.

Jonathan

From: security curmudgeon (jericho@attrition.org)
To: ES.Service@nokia.com
Date: Mon, 11 Oct 2004 07:11:35 -0400 (EDT)
Subject: RE: Nokia Online Account Registration Rejected

So.. almost a month has passed with no reply. I take it to mean you followed my advice, saw that your system does indeed reject valid email addresses (I never received mail to the address I suggested), and you have been busy working for the last 3 weeks on a fix to your non-standard system?
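
The disagreement in the thread above comes down to whether a registration form treats '+' as a legal character in the local part of an address. The following is an added example, not part of the original correspondence and not Nokia's code: a dot-atom address check that accepts tagged addresses, beside a constructed over-strict pattern of the kind that rejects them, plus a helper that recovers the per-site tag. All function names and the STRICT pattern are assumptions made for illustration.

```python
import re

# "atext" characters allowed in an unquoted local part (RFC 5322; RFC 822
# permitted '+' in an atom as well).
ATEXT = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~-"
# dot-atom: one or more atoms separated by single dots.
DOT_ATOM = re.compile(rf"[{ATEXT}]+(?:\.[{ATEXT}]+)*")
# Domain: dot-separated letter/digit/hyphen labels, no edge hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN = re.compile(rf"{LABEL}(?:\.{LABEL})+")

# Constructed for illustration: an over-strict form check with no '+'.
STRICT = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def split_address(addr):
    """Return (local, domain) for a dot-atom address, or None if invalid."""
    local, sep, domain = addr.rpartition("@")
    # Length limits are the SMTP ones from RFC 5321.
    if not sep or len(local) > 64 or len(addr) > 254:
        return None
    if not DOT_ATOM.fullmatch(local) or not DOMAIN.fullmatch(domain):
        return None
    return local, domain


def strict_accepts(addr):
    """What the constructed over-strict form check would decide."""
    return STRICT.fullmatch(addr) is not None


def site_tag(addr):
    """Return the tag after the first '+' in the local part, or None."""
    parts = split_address(addr)
    if parts is None:
        return None
    base, plus, tag = parts[0].partition("+")
    return tag if plus and base and tag else None


if __name__ == "__main__":
    for a in ("jericho@attrition.org", "jericho+toldyaso@attrition.org"):
        ok = split_address(a) is not None
        print(a, "valid:", ok, "strict form:", strict_accepts(a),
              "tag:", site_tag(a))
```

The tag returned by site_tag is what identifies which site an address was given to when unexpected mail arrives at it.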