Ain't technology grand? A user today signed up for an account at ASPMessageboard.com - this registration process prompts the user for their desired username and a working email address. Upon supplying this information, a “verification URL” is sent via email. Upon visitng the verification URL, the user can choose their password, login, and start posting messages.
As I described earlier, last month I built my own challenge/response spam-blocking software. A challenge/response spam-blocking system works by maintaining a database of trusted emails and black listed emails. Upon receiving a new email from the trusted list, the email is forwarded on to my inbox. If an email from a black listed individual is received, the email is promptly deleted. If an email arrives from someone who's not on either my trusted or black list, the user is sent a “challenge,” which they must respond to in order to be moved to my trusted list. (The challenge is an email instructing them to visit a page and type in a specified series of numbers.) The whole idea behind this is that a spammer won't take the time to register with my system, so spam will stay filtered out of my inbox. (My daily allotment of spam has been reduced from well over 100 pieces of spam per day to well under 5 pieces per day.)
Anywho, today a user, who was using a challenge/response spam blocking system of his own, signed up on the ASPMessageboard. Upon signing up, he received an email from ASPMessageboard asking him to visit the verification URL. Of course, this email was from an untrusted source, so his C/R spam blocking system shot me an email saying, “Please visit such-and-such link if you want me to see your email.” Well, my C/R blocking system got this piece of email, noticed this user wasn't in my trusted list, and so then decided to send him a challenge email. So now both of our C/R spam blocking systems are sitting there, twidling their thumbs, waiting for the other to verify.
This deadlock was broken by this fellow, I think he checked his pending email list, having expected an email from the ASPMessageboard.com site. He then, kindly, took a moment to register with my C/R system. The point is, however, as the popularity of C/R systems continues to grow, situations like this are inevitable. Direct person-to-person communications can be righted by remembering to always make sure those you send email to are on the trusted list, but can break down if a computer intermediary is sending an email on someone else's behalf. Namely, the ASPMessageboard ASP page sending an email after the user had completed the first step of registration.