Posted by Gordon Burditt on 12/20/05 16:08
> During registration on some websites we are forced to give our valid
> email id. Also they send a mail and a URL is given; when we click that,
> our registration is confirmed. Why do they do so? And programmatically,
> what happens?

Depending on the web site, the email may be needed to set up a
password or for the operation of whatever service the site provides
(like notifying you when there is a severe storm in your area).

Or some web sites want to spam you.

Some spammers use (other people's) web sites like this as a weapon
to mailbomb people the spammers don't like, by signing them up for
mailing lists or flooding them with confirmation emails. Or they
sign up accounts and post spam to forums, submit orders for merchandise
with stolen credit card numbers, or otherwise make nuisances of
themselves.

Registration confirmation is often needed to prevent robots from
signing up millions of phony accounts a day. This has resulted
in things like "captcha", where you type in a number presented
in a distorted image to prove you are a human, reply to an email,
or whatever being used.

Technically, a confirmation email is sent out to the email address
given, with a link that provides a key to the user's signup record
in a database. Clicking on the link sets the user's status to
confirmed. If the link isn't clicked on within some time limit,
the record is deleted. And an unconfirmed status doesn't let the
user log in. The key should be something that does not make it
easy for a spammer to guess previous and future keys given one key,
so an incrementing number is a bad idea here.

Gordon L. Burditt
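
The confirmation flow described in the post above, sketched as an added example that is not part of the original post. The function names, the in-memory `signups` dict standing in for the database table, and the 24-hour limit are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 24 * 3600  # assumed time limit; the post does not state one

# Stand-in for the signup table: sha256(key) -> signup record
signups = {}

def _digest(key):
    return hashlib.sha256(key.encode()).hexdigest()

def register(email, now=None):
    """Create an unconfirmed signup; return the key to embed in the emailed link."""
    now = time.time() if now is None else now
    # 256 bits from the OS CSPRNG: seeing one key says nothing about the
    # previous or next one, unlike an incrementing number.
    key = secrets.token_urlsafe(32)
    # Only the hash is stored, so a leaked table does not yield working links.
    signups[_digest(key)] = {"email": email, "confirmed": False,
                             "expires": now + TTL_SECONDS}
    return key

def confirm(key, now=None):
    """Handle a click on the link: confirm if the key is known and still valid."""
    now = time.time() if now is None else now
    record = signups.get(_digest(key))
    if record is None or now > record["expires"]:
        return False  # same answer for "unknown" and "expired"
    record["confirmed"] = True
    return True

def can_log_in(email):
    """An unconfirmed status does not let the user log in."""
    return any(r["email"] == email and r["confirmed"] for r in signups.values())

def purge_expired(now=None):
    """Delete signups never confirmed within the time limit; return the count."""
    now = time.time() if now is None else now
    stale = [d for d, r in signups.items()
             if not r["confirmed"] and now > r["expires"]]
    for d in stale:
        del signups[d]
    return len(stale)

if __name__ == "__main__":
    k = register("user@example.com")  # constructed sample address
    print("link key:", k)
    print("confirmed:", confirm(k), "login allowed:", can_log_in("user@example.com"))
```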