Hacker News new | comments | show | ask | jobs | submit login

You might also consider adding a web bug image to your confirmation email. If the user loads the confirmation email's HTML, you know it is a real email address even if they don't click the confirmation link.

Admittedly, it might be someone ELSE'S email address, but they could manually unsubscribe from your mailing list later.

Using image links 'calling back home' isn't reliable, because email clients have options to prevent such images from being shown automatically, especially if those emails might be considered spam.

Considering Outlook and Gmail block them by default, it's extremely unreliable

In this case though, it shouldn't hard confirmations, a possibly increase them a little. Unless people choose not to confim because they get a "images have been blocked" message.

It will also give better data - you can see of the people who opened the email and displayed images, what percent actually clicked the link.

Admittedly, it might be someone ELSE'S email address, but they could manually unsubscribe from your mailing list later.

That's half the point of verifying e-mail addresses. Doing this is likely to engender significant ill-will in anyone who is an unintended recipient of your e-mails.

I have a different view. I hate having to confirm my email address when I signup for a mailing list. It's more annoying to confirm my email address 50 times, versus the 1 time I have to unsubscribe from a list that someone signed me up for by accidentally entering my email address.

Ignoring for a moment the ethical question of if its OK to trade your convenience as a person benefiting from the transaction for an uninvolved person's:

1. Before the near-universal requirement for confirmed opt in, it was a reasonably common attack/prank to sign up someone else for tons of lists, causing them to receive unmanageable amounts of email per day. Alternatively, sign them up for lists they'd consider offensive, or that'd get them in trouble at work. Confirmed opt-in stopped this attack.

2. We've (computer geeks, security experts, etc.) spent years trying to teach users that no, they really shouldn't click on that link in an unexpected email, even if it promises cute kittens. That continues to be a problem. I don't know how an expert, much less random Joe, could tell a real "click here to unsubscribe" link from a fake one, if you have no idea who the sender is. Researching if its a legitimate unsubscribe link—and not a link that'll confirm to a spammer that you're reading his email, or pull up a page full of the latest browser or Flash exploits, makes it far more expensive for the random person to handle an opt-out than it is for the person who wants the subscription to handle a confirm.

Confirm emails are easy for a random person to handle: just ignore them. You won't receive any more emails if you take no action.

3. Not all email addresses are nearly-free to send to. Well, they're all nearly free for the sender, but not the recipient. Some email addresses cost 20¢ per message (e.g., SMS gateway). Some email addresses page people, waking them at night. These addresses aren't always very different from other people's addresses (I've personally had misdirected mail to both types). Someone can also do this as an attack. Sending a single message is bad enough, but is the minimal harm you can do; but imagine if anyone could subscribe your text message address or pager number to linux-kernel.

4. Realistically, while some mailing lists are very easy to get off of (e.g., development list for a random open source project), many commercial lists aren't. I've had people give my email address (assumably by mistake) to the College Board on their PSAT (hundreds of emails per month, many from different senders, no way at all to stop them); sign me up for an Xbox account (took me at least half an hour to figure out how to stop that—-apparently you're supposed to phone Microsoft; thankfully I finally found another way); sign me up for various things at EA (nothing on their web site, contacting support was absolutely useless); etc.

5. Your ISP probably has policies against sending unsolicited bulk and/or commercial email. If you aren't confirming your subscriptions, you can expect your ISP to receive complaints, and you are probably in violation of their TOS.

Is it reasonable to flag (and send a complaint to the ISP) anything without an obvious "unsubscribe" link as spam?

No. Spammers include unsubscribe links, too; they just don't obey them.

Even worse than not obey them, they've been known to treat them as confirmation that their spam is being read, and send more spam in response. Or sell the email address to other spammers as a confirmed-good address. It used to actually cost money to spam (but nowhere near as much as it cost the recipients).

Not sure how much this still happens, with spam being so much cheaper to send with botnets.

I am actually considering not sending a confirmation email. Every maillist message already includes an immediate unsubscribe list, and I thought perhaps to add a small note at the bottom of subscriber's first email, something like


  You are receiving this email because someone (presumably you) 
  subscribed $(email) to the $(maillist-name). Subscription 
  request was received from a network address of $(ip) on $(date).

  If you did not request this subscription, or would like to be
  removed from the maillist for another reason, visit this link
  to unsubscribe - $(link).
A bit of a mouthful, but essentially this simply piggy-backs the confirmation request on an actual mailing list message. Thoughts?

It's better to use double-opt-in:

1) Enter email on web page.

2) Open confirmation link in email inbox.

If you skip second step - there is a risk that email ends up in spam folder and is constantly delivered there. Another risk - user did not really request your subscription. That would often result in your emails being marked as spam.

Yeah, I guess the biggest issue is someone plugging in john@acmecorp.com just to test the subscription form, and then actual John getting a maillist message and tagging it as a spam. The question here is if the same John would or would not tag a plain confirmation message as spam too, and I suspect that he would, in which case what I wrote above is no worse than a double-opt-in in edge cases.

Except that you continue to waste the resources of both acmecorp and yourself by sending mail that no one ever sees.

Woah... why am I at -1? A knee-jerk reaction of some sort?

What happens when you need to communicate sensitive information with a customer?

For one, I don't know of any client that still loads remote images without confirmation, much less 1x1 tracking images.

Secondly, if I can sign someone else up without their knowledge and get you to send then unsolicited mail, you're risking legal problems.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact