I attempted to register an account for the Nokia support web site so that I could find information regarding the numerous security vulnerabilities in their products. During the registration process, it wasn't entirely clear if they would grant access to someone who didn't have a support contract in place, so I attempted to register anyway. As with all web sites, when I provide an e-mail address I use a plus sign and some word to identify the site. This lets me easily filter incoming mail and also tells me where mail originated from. If I receive Viagra spam to jericho+legitcompany then I know they sold my email address to spammers. I didn't keep the very first mail or so, but the first two below and the quoted material make it fairly easy to pick up on what happened. For more information on email addresses, plus signs and sites that are not RFC compliant, check out the "Websites and their fear of +" page I created a while back.
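
The plus-sign rejection described above, as an added example (not part of the original page and not any site's actual code): a constructed over-strict sign-up pattern beside a check built from the RFC 822 atom character set, plus a helper that recovers the per-site tag. The NAIVE pattern, the function names and the example.org addresses are assumptions; quoted-string local parts are not handled.

```python
import re

# RFC 822 atom characters: printable ASCII minus specials, space and controls.
# '+' is one of them, so a plus-tagged local part is a valid address.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
LOCAL = re.compile(rf"{ATEXT}+(?:\.{ATEXT}+)*")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
DOMAIN = re.compile(rf"{LABEL}(?:\.{LABEL})+")

# Constructed over-strict pattern (an assumption, not taken from any real site).
NAIVE = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def naive_accepts(addr):
    return NAIVE.fullmatch(addr) is not None


def rfc_accepts(addr):
    """Accept unquoted local parts made of dot-separated atoms."""
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return False
    return bool(LOCAL.fullmatch(local) and DOMAIN.fullmatch(domain))


def split_tag(addr):
    """Return (mailbox, tag); tag is None when no '+' is present.

    Treating '+tag' as a sub-address is a convention of the receiving
    mail system, not something RFC 822 defines.
    """
    local = addr.rpartition("@")[0]
    mailbox, sep, tag = local.partition("+")
    return mailbox, (tag if sep else None)


if __name__ == "__main__":
    # Constructed sample addresses.
    for addr in ("jericho@example.org", "jericho+legitcompany@example.org"):
        print(addr, "naive:", naive_accepts(addr), "rfc:", rfc_accepts(addr),
              "tag:", split_tag(addr)[1])
```
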

From: ES.Service@nokia.com
To: jericho@attrition.org
Date: Mon, 16 Aug 2004 05:58:32 -0500
Subject: RE: Nokia Online Account Registration Rejected

Jonathan,

Our online Service is for existing customers to get updates to 
support their products.  

We process registrations for customers who have purchased support 
agreements for their Nokia products.  Our validation for online 
services, requires that we match the company, and domain name of 
the user to the company profile records on hand.  We do have some 
customers who have chosen industry words as domain names, and 
they are provided the access they require.  

On occasion we refuse valid customers, when we have not gotten 
complete information for their company.  If you have a service 
agreement, please provide the serial number of the supported 
product, and I will process your registration for you.

Regards,

Jill
Nokia ES Service Administration


-----Original Message-----
From: ext security curmudgeon [mailto:jericho@attrition.org]
Sent: Friday, August 13, 2004 6:40 PM
To: ES Service-CSA (RES/Ottawa)
Cc: nokia@attrition.org
Subject: Re: Nokia Online Account Registration Rejected

: Dear Mr Jonathan Doe
:
: Due to a problem in the registration details you submitted, we regret to
: inform you that we were unable to register you with a Nokia Online User
: Account.
:
:  We cannot process your request at this time.  The email address
: (domain) provided in your registration does not seem to match the
: company name.  This is not allowed by Nokia Enterprise Solutions.
: Please provide your company email address and we will complete the
: registration.

So because a domain doesn't match a company name, you reject it? I pity
the companies who register a domain name based on a word in the industry
rather than their own name.

It's ok though, I don't think we want to purchase products from a company
that refuses to follow RFC guidelines and break away from the standards
that keep our net running. If Nokia can't even program simple web
applications to allow valid e-mail addresses, how are we to believe that
any of your other products will function properly?

So please, read and understand RFC 822 before writing any more web
applications. It will allow your potential customers to take you more
seriously.


From: security curmudgeon (jericho@attrition.org)
To: ES.Service@nokia.com
Date: Mon, 16 Aug 2004 07:07:49 -0400 (EDT)
Subject: RE: Nokia Online Account Registration Rejected

: Our online Service is for existing customers to get updates to support
: their products.
:
: We process registrations for customers who have purchased support
: agreements for their Nokia products.  Our validation for online
: services, requires that we match the company, and domain name of the
: user to the company profile records on hand.  We do have some customers
: who have chosen industry words as domain names, and they are provided
: the access they require.
:
: On occasion we refuse valid customers, when we have not gotten complete
: information for their company.  If you have a service agreement, please
: provide the serial number of the supported product, and I will process
: your registration for you.

Hi Jill,

Does Nokia plan to modify their web site to conform to RFC standards (822
specifically) with regards to accepting valid e-mail addresses?

Jonathan


From: ES.Service@nokia.com
To: jericho@attrition.org
Date: Mon, 16 Aug 2004 06:52:45 -0500
Subject: RE: Nokia Online Account Registration Rejected

Jonathan,

The system does accept valid email addresses.  

All registration information is processed manually, and the response 
you did receive, was from a Customer Service Representative who was 
trying to search for an agreement that matched your company name, 
and was unsuccessful.  On occasion, we have users who do not have 
emails that match the company name, so we search on the email domain 
to see if it is permitted (or covered) under another company's 
service agreement.

If you have a support agreement, please provide the serial number of 
the supported product, and I will process your registration.

Regards,

Jill
Nokia ES Service Administration


From: security curmudgeon (jericho@attrition.org)
To: ES.Service@nokia.com
Date: Mon, 16 Aug 2004 08:06:34 -0400 (EDT)
Subject: RE: Nokia Online Account Registration Rejected

: Jonathan,
:
: The system does accept valid email addresses.

Incorrect. Your system rejected my valid email address. After that I
entered a 2nd one specifically for the signup process.

It is discouraging to see a company such as Nokia not only disregard RFC
822, but to turn around and tell me that I am hallucinating and my valid
email address was accepted, when it wasn't. =(

Jonathan


From: ES.Service@nokia.com
To: jericho@attrition.org
Date: Mon, 16 Aug 2004 07:15:14 -0500
Subject: RE: Nokia Online Account Registration Rejected

Jonathan,

Please provide the site that rejected your valid email address, and if 
possible a screen shot of the error.  We have been advised that our Enterprise 
Solutions registration process will accept all email addresses, for the very
reason that we manually process each applicant.

I am interested in investigating this issue, so that I can escalate it to 
our web development team.

Regards,

Jill
Nokia ES Service Administration


From: security curmudgeon (jericho@attrition.org)
To: ES.Service@nokia.com
Date: Mon, 16 Aug 2004 08:53:13 -0400 (EDT)
Subject: RE: Nokia Online Account Registration Rejected

: Please provide the site that rejected your valid email address, and if
: possible a screen shot of the error.  We have been advised that our
: Enterprise Solutions registration process will accept all email
: addresses, for the very reason that we manually process each applicant.
:
: I am interested in investigating this issue, so that I can escalate it
: to our web development team.

Instead of me going through all that effort, attempt to sign up for an
account and provide the following email address:

jericho+toldyaso@attrition.org

If it rejects your address, you will see exactly what I am talking about.
If I receive mail, then my initial attempt was an intermittent error that
can't easily be explained.

And please, be honest! Don't change your back end code to allow the
dreaded '+' sign after hours of testing, then tell me I was wrong. I've
had enough sites tell me that before.

Jonathan


From: security curmudgeon (jericho@attrition.org)
To: ES.Service@nokia.com
Date: Mon, 11 Oct 2004 07:11:35 -0400 (EDT)
Subject: RE: Nokia Online Account Registration Rejected

So.. almost a month has passed with no reply. I take it to mean you
followed my advice, saw that your system does indeed reject valid email
addresses (I never received mail to the address I suggested), and you have
been busy working for the last 3 weeks on a fix to your non-standard
system?


