[SEMI-GEEK] Are activation emails needed - and if so - how do we convince you they aren’t spam?
Here’s an odd but important problem, at least for us here at BlogBridge.
When you sign up for a BlogBridge account, we, like many other sites, send you a confirmation email to verify that your email is for real.
Truthfully from a security point of view, I am not even exactly sure what it proves. That at one moment in time the person creating the account also was able to receive emails at an arbitrary email address. So what? It’s so easy to get a temporary free email account, that I am not sure what it does.
So that’s question one: does an activation email really provide any benefit to anyone? Any comments?
Now a question that has come to our attention is that in many cases a person’s spam filter intercepts the activation email so the person never even sees it, and hence the account is never activated, and hence the account appears not to work.
So scenario: The sender and recipient both want the message to be received, but there is a big-brother spam filter (like Google Mail, which I think is the bestest) that insists on sidelining the email into the spam filter.
So that’s question two: Is there any way to assure a non-junk email actually makes it through? Any answers?

February 22nd, 2007 at 12:31 pm
Answer 1: One big benefit is that it prevents some malicious person from signing me up for a service and associated junk mail (unless they can read my mail)! It also allows you to avoid having your database cluttered and resources consumed by spam attacks on your sign-up form.
Answer 2: Well, that’s the spam filter problem in and of itself, now isn’t it? I’m guessing you’re looking for heuristics to prevent your activation emails from being filtered out as spam. What I’d do is run some of them through common spam filters (e.g. SpamAssassin) and see what rules they trigger, then modify the mail as appropriate to prevent triggering. If you don’t have a misconfigured domain or mail server you should be reasonably safe with most content.
Also, a bug report: Tab ordering on this form is wrong; for some reason the “prove you are a real person” box comes first in the tab order, so tabbing from it to start typing my comment wipes out my name instead. Bad tab ordering in web forms is a pet peeve of mine…
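An added example, not part of the comment above or of BlogBridge's code: one way to act on the suggestion of running activation emails through SpamAssassin is to read the `X-Spam-Status` header it adds and compare the triggered rules before and after editing the message. The two sample messages, their addresses, scores and version string are constructed for illustration.

```python
import email
import re

# Constructed samples: an activation email before and after editing, each
# carrying the X-Spam-Status header SpamAssassin adds when it scans a message.
BEFORE = """\
From: signup@example.com
Subject: ACTIVATE YOUR ACCOUNT NOW
X-Spam-Status: Yes, score=5.6 required=5.0 tests=HTML_MESSAGE,
\tMIME_HTML_ONLY,MISSING_MID,SUBJ_ALL_CAPS autolearn=no version=3.1.7

<html>Click to activate</html>
"""
AFTER = """\
From: signup@example.com
Subject: Confirm your example.com account
Message-ID: <constructed-1@example.com>
X-Spam-Status: No, score=0.1 required=5.0 tests=HTML_MESSAGE autolearn=no
\tversion=3.1.7

Click to activate
"""

STATUS_RE = re.compile(
    r"^(?P<verdict>Yes|No),\s*score=(?P<score>-?[\d.]+)\s+"
    r"required=(?P<required>-?[\d.]+)\s+tests=(?P<tests>.*?)(?:\s+\w+=.*)?$")

def parse_status(raw_message):
    """Return verdict, score, threshold and triggered rule names."""
    header = email.message_from_string(raw_message)["X-Spam-Status"]
    if header is None:
        raise ValueError("message was not scanned: no X-Spam-Status header")
    m = STATUS_RE.match(" ".join(header.split()))  # undo header folding
    if m is None:
        raise ValueError("unrecognised X-Spam-Status format")
    tests = [t.strip() for t in m["tests"].split(",") if t.strip()]
    return {"spam": m["verdict"] == "Yes", "score": float(m["score"]),
            "required": float(m["required"]),
            "tests": [t for t in tests if t != "none"]}

def compare(before_raw, after_raw):
    """Show which rules an edit cleared and how far below threshold it lands."""
    b, a = parse_status(before_raw), parse_status(after_raw)
    return {"cleared": sorted(set(b["tests"]) - set(a["tests"])),
            "still_hit": sorted(set(b["tests"]) & set(a["tests"])),
            "newly_hit": sorted(set(a["tests"]) - set(b["tests"])),
            "flagged": a["spam"],
            "margin": round(a["required"] - a["score"], 2)}

if __name__ == "__main__":
    print(compare(BEFORE, AFTER))
```
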
February 28th, 2007 at 4:57 pm
Hi Pito,
confirmation e-mails do a few more things.
* You do catch the people that are only marginally interested (and never go looking for the e-mail if it does not arrive).
* You also do annoy the people that want to use your service in a hurry
* For people with a permanent e-mail address you make a reasonable contract.
* If you wanted to you could check periodically if a certain e-mail address still accepts mail (you can query an SMTP server that way w/o ever sending an e-mail). Haven’t seen that implemented though.
To answer your second question:
* Like newsletter e-mail you can test your message for spamminess
* In principle we could get rid of the spam problem by all signing our e-mails with PGP. That would allow a recipient to reliably filter based on verifiable signatures and even a web of trust (is that signature co-signed by a major SSL Certificate authority (costs money)? Is it signed by a friend that I trust highly (costs no money)?)
** The disadvantage with this schema is
*** It is not implemented?
*** It is not even supported by spamassassin
*** It is computationally expensive, because I have to read the whole e-mail, not only the headers
*** It does not foster the commercial interest of ISPs, because they don’t get to decide what is spam and what not (and still get to transport all that useless spam on their pipes and servers).
Just my five cents
K