14 comments

[ 2.7 ms ] story [ 43.0 ms ] thread
Comment in the post says it all.
Yes ("Disadvantage of this is that anyone who receives that mail will get registred without their consent if their mail client automatically shows images.").

If people do insist on using this method, they should at least add a prominent link to cancel the account in the e-mail.

But what if some random e-mail client prefetches the image and the e-mail end up never being read or whatever? This is not robust.

> But what if some random e-mail client prefetches the image and the e-mail end up never being read or whatever? This is not robust.

The whole point of not loading images is the privacy concern, so if your email client (which is any email client with any kind of traction in the past decade) offers (and defaults to) not loading images, it will indeed not hit the URL.

> The whole point of not loading images is the privacy concern, so if your email client (which is any email client with any kind of traction in the past decade) offers (and defaults to) not loading images, it will indeed not hit the URL.

I'm not sure this is accurate, this link is a little old but it indicates quite a few webmail/desktop clients load images by default: http://www.campaignmonitor.com/blog/post/2559/current-condit...

Several of the clients that is listed as displaying images by default doesn't do so any more. Yahoo, Hotmail, Apple Mail, Thunderbird, Outlook Express and Entourage are among these IIRC.

Perhaps "decade" was too generous a word to use. Certainly any client that has traction today defaults to not loading images. Now, that certainly doesn't mean that there are no clients that does this, and that no-one changed that setting.

Irrelevant.

That the possibility for an email client to be so configured that it would AUTOMATICALLY process a false positive validation, makes this system utterly unusable for any developer with a [brain|conscience].

No, I do think it is relevant.

If the purpose of the validation is simply validation, then what you call a false positive isn't actually false, as the e-mail address evidently was valid.

Including a very clear "I did not ask for this" link in the e-mail would allow false positives to undo any damage done.

Just because a technology can be used for bad (and this one is indeed - anyone auto-loading images in e-mail will be flooded with spam for that exact reason) it does not imply that any use of the technology is bad.

I use mutt. I'm not the only one. There are also people who read their email in emacs. There are people who turn off image loading in HTML-capable mail readers.

All of these are the kind of people you want using your service or software: clueful and security conscious. When they recommend something, people listen. As customers, they're less likely to ask a FAQ and more likely to point out an actionable bug or deficiency.

The only problem I have with 'click-to-confirm' email messages is that some services deliver them slowly. If you can fire off an email when I click Register, I can be reading it and cutting-and-pasting the URL or ID code five seconds later. A message that doesn't arrive for ten or fifteen minutes means I have to context-switch away and then back.

There is a very clearly featured "Alternatively click here" link.
I don't really see the point because you still have to switch to your email to open the message. I think a better solution is to let your users start using your service immediately, but require they click the email validation link within 24 hours. Or offer reduced (less abusable) functionality until they verify. Of course, this won't work for all services, especially if spammers can start abusing their account immediately.
Most services allow you to use your account immediately but only for non content creation actions in order to prevent abuse.
Spammers can provision an unlimited number of email addresses, so you won't stop a spammer by requiring him to validate an e-mail address.

I can think of three reasons you want to validate an e-mail address like this:

- Confirming that you've typed your e-mail address correctly and that it is reachable

- Preventing you from impersonating someone else

- Opt-in for sending you e-mails. Not really to prevent you from spamming/harassing/annoying someone else (there are many ways other ways to do this), but to prevent the service from having e-mails marked as spam.

I'm sure the last one is the strongest, as being blacklisted from one of the big e-mail providers would really hurt most online services.

A better way (for marketers) of validating an email address.

Technically nothing has been validated. You've proved that the email address exists. But it's deliberate use hasn't been validated. And that's the whole point of validation.

Clicking on "Show Images" is no faster than clicking on a verify link. ...and although you and I know that loading images requires an extra HTTP request, it's not intuitive.