Should users confirm email address - web

I want to build user registration into a website. Could someone advise if it's necessary to set up an email confirmation system? I feel this could greatly annoy the user.

I find this very annoying. If you have to do it, you should also consider giving users an option to authenticate themselves against social sites like Twitter or Facebook.

There are a handful of reasons why it's important to verify an email address:
Security: being able to send your users reset instructions, or any important updates about the site, etc.
Spam Prevention: forcing a user to confirm their email before performing any substantial actions on the website will help combat spam and keep your website from being filled with fake users.
Avoiding Shutdowns from Email Delivery Systems: systems like Amazon Simple Email Service will flag your website as not trustworthy after a certain amount of emails sent through their system end in bounces. I have personally had this happen because I wasn't monitoring them in my own system architecture.
Payments: if your website requires payments of any sort, you'll want a method to contact the user.
Newsletters: if you want to let your users know of some action related to your company or website, you'll want to accurately know how many people you're emailing... or even be able to email them and not just a trashcan full of fake emails.

Related

Are reset password links a bad idea?

We have a password reset web application. The application sends out a confirmation code to an alternative e-mail. My manager believes it is not a good idea to include a link to the page where you have to enter the code.
I see his argument. However, the helpdesk has been overwhelmed with users who are confused about the process. I'm assuming this is because many of our users browse using only one tab/window and navigate out of our web application to check their e-mail for the confirmation code.
My question: How should we approach this issue? I would like to alleviate helpdesk and, in turn, make the process pain free for our users. Any suggestions?
Clarification
He believes that we are doing the user a disservice by training them to click links from a sender that cannot be verified (in this case, it's an automatic message with a "no-reply" address). This would, in turn, make users more susceptible to phishing attempts, which we've had a lot of issues with in our organization.
I think sending links is the standard way of doing it. If a customer is really worried about the integrity of this email account, he had better get that sorted out first.
Essentially you don't gain extra security by not sending the link, but you gain a lot of comfort. Just do it like everyone else - put it in there (time limited).
The only thing on the top of my mind would be the option to have a unique identifier in the e-mail's subject and have the customers reply to that mail.
Then an automated script checks 'password-forgotten#mycompany.de' for emails with the subject 'Re: Forgot your password? [UNIQUEID]'. The script would then mail them their new password.
Since most users won't modify the subject when hitting "Reply To" and won't do a "Compose new mail" and enter the recipient address manually, chances are high that incoming mails to "password-forgotten" will have that UNIQUEID in the subject.
Plus, helpdesk would only have to help those that actually modify the email's "Subject". ;-)
There are security considerations, though. Maybe your manager might argue that anyone might send a forged "Forgot your password" mail and set the "Reply-To" header to the attacker's address. The processing script has to intercept these attempts of forgery...
I see no reason why the link shouldn't be included, especially if the code is something like a hash because the chances of somebody cracking that are slim to none.
You could however, add an extra protection to the page where the code is being inserted and limit the number of tries to something like 3. For even more protection, send the email address to that page as well, and allow 3 tries per email address instead of 3 tries / IP, which can be easily bypassed.
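The two suggestions above (a time-limited code in the link, and a limit on tries counted per email address rather than per IP) combined into one check, as an added example that is not code from either poster. The in-memory store, the 15-minute lifetime and the limit of 3 tries are assumptions; the code is stored only as a hash so a leaked store does not leak usable codes.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: in-memory store standing in for a database table.
CODE_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset code
MAX_TRIES = 3                # assumed per-email attempt limit

_pending = {}  # email -> {"hash": str, "expires": float, "tries": int}


def issue_reset_code(email, now=None):
    """Generate a random code, store only its hash, and return the code
    so it can be placed in the e-mailed link together with the address."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(24)
    _pending[email] = {
        "hash": hashlib.sha256(code.encode()).hexdigest(),
        "expires": now + CODE_TTL_SECONDS,
        "tries": 0,
    }
    return code


def verify_reset_code(email, code, now=None):
    """Return True exactly once for a valid, unexpired code; otherwise False.
    The record is dropped on success, on expiry, and after MAX_TRIES
    failures, so the lockout follows the email address, not the client IP."""
    now = time.time() if now is None else now
    rec = _pending.get(email)
    if rec is None:
        return False
    if now > rec["expires"]:
        del _pending[email]          # expired: user must request a new code
        return False
    rec["tries"] += 1
    supplied = hashlib.sha256(code.encode()).hexdigest()
    if hmac.compare_digest(supplied, rec["hash"]):
        del _pending[email]          # single use
        return True
    if rec["tries"] >= MAX_TRIES:
        del _pending[email]          # locked out for this address
    return False
```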

Do I have to have an 'unregister' button for my users on an email alerting application?

Hey guys - I know this is not a strictly programming question, but I'm building an application where users sign up to traffic alerts.
I have the whole thing dusted, but I haven't got an 'unregister button'.
I know it's good UI to have one, but I was hoping someone knew the legalities of the topic?
The user can sign in and uncheck what alerts to receive, but not scrub their details.
On the email sent I have an unsubscribe button.
Seeing as this is going to the public, can I turn round to my boss and say "by law we need one"? Else he might just turn around and try and charge the client, and I don't agree with that for something so rudimentary.
Check out CAN-SPAM. One of the requirements for mass email marketing is a one-click unsubscribe button.
See http://en.wikipedia.org/wiki/E-mail_marketing
Specifically:
To comply with the Act's regulation of commercial e-mail, services typically require users to authenticate their return address and include a valid physical address, provide a one-click unsubscribe feature, and prohibit importing lists of purchased addresses that may not have given valid permission.

Importance of verifying user email on web signup

I know this question is crazy - but my employer's client is demanding that email verification be removed from the sign up process (they feel it is impeding sign up).
I wanted to garner feedback from the programming community at large as to their experience and opinions regarding sign up and email verification - and the possible consequences of removing this safeguard.
I'm on their side -- 95% of the time websites don't actually need an e-mail address, they just collect it because all the other web registrations they've seen collect one. If you're worried about spam, use a captcha; e-mails are a horrible way to stop automated registrations. With sites like Mailinator to give people instant throwaway e-mails and BugMeNot to save people the hassle of dealing with registrations like yours, you should avoid making your registration any harder than it needs to be. Stack Overflow is a great example -- you don't even need to register to ask/answer questions
My guess is that robots will not bother going through a registration process. Your average simple-minded robot simply spams into a form that requires no other action (authentication, identification) at all. The mere act of asking for one or more extra clicks will prevent most simple-minded "attacks." If you look at the blog site for Coding Horror, they use a captcha with a constant capture word.
On the other hand, while a few extra clicks will deter dumb robots, they will not deter human spammers, jokers, griefers, etc. But then again, throwaway email addresses are pretty easy to come by, so if someone truly wants to fill your site with junk they can.
My conclusion is this: I guess you will get about 10% to 20% more "junk" on your pages, and between 5% and 25% more "desired" accesses, depending on how badly it was bothering your potential customers. Thus, I don't see any big harm in removing the email barrier.
Email is important to identify the user, for instance, when they forget their password. If email verification is set up in such a way that users are not able to log on until they verify their email address, then I also think that it is impeding. The application should allow the user to log on and use the application, and set it up so that the user needs to verify their email address in a fixed number of days, for example, a week. If they do not, their account is suspended.
On the other hand if we have to remove the email verification then I think we would need to add a feature similar to the major email services that allow the user to reset their forgotten passwords in the absence of a valid email address.

How to validate the ownership of the website?

e.g. Google Webmaster Console does it by asking website owners to upload a file with specific name. Other services use the same approach.
Is there any reason not to verify ownership by simply asking people to confirm by clicking the email that was sent to an address under that particular domain? (Provided that the website does not give out email addresses to its users like gmail etc.)
Because it is the most direct and 100% bulletproof way to find out if the guy has the control over the site in question.
Email address "under" the domain can belong to the admin while the site is actually managed by the developer.
Also, many use anonymous registration, in which case email will be sent to the registrar address (though it will usually forward to your real address or at least notify you).
Having a GMail account doesn't mean I own the gmail.com domain. Like 'Developer Art' said, uploading a file shows that you have access to the web-hosting portion of the domain.
How would they know that you are the person at that domain responsible for the website unless you modify it in some way? I have a company e-mail address - that doesn't mean I'm responsible for the company website.
I can prove that I "own" Yahoo, Hotmail, Gmail, and many others with your proposed verification technique. What's so hard about uploading a file to a server for someone doing web work?
I think the intent is, "If you own the site, please place this verification file in your site's root directory." Once the verification system sees the file there, ownership is verified. At the very least, it confirms the ability to post to a site's root folder. Not having this expectation of your users might open you up to folks doing malicious activities as someone else's site because you didn't properly verify ownership. In legal circles, we call that, "due diligence."
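The file-in-root-directory check described above, written out as an added example (not code from any poster or from Google's service). The fetcher is injected so the check runs offline; the file name and the rule that the final URL must stay on the claimed host are assumptions. The catch-all and redirect cases show why "200 OK" alone is not proof of control.

```python
import secrets
from urllib.parse import urlsplit

# Constructed example: fetch(url) -> (final_url, status, body).
# A real deployment would pass a function built on urllib or requests.


def issue_site_token():
    """Random token the site owner must publish; one per verification request."""
    return secrets.token_hex(16)


def verify_site_ownership(domain, token, fetch):
    """True only if https://<domain>/<token>.html serves exactly the token.

    Two failure modes are handled explicitly:
    - a catch-all page that answers 200 for any path (body is not the token);
    - a redirect to another host, which would prove control of that host,
      not of the claimed domain.
    """
    url = f"https://{domain}/{token}.html"
    try:
        final_url, status, body = fetch(url)
    except OSError:
        return False                      # unreachable: not verified
    if status != 200:
        return False
    if urlsplit(final_url).hostname != domain.lower():
        return False                      # redirected off the claimed host
    return body.strip() == token


def fake_fetcher(pages):
    """Build an offline fetcher from a dict of url -> (final_url, status, body)."""
    def fetch(url):
        if url not in pages:
            raise OSError("unreachable")
        return pages[url]
    return fetch
```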
E-mail... you know, I keep receiving messages from banks I don't have accounts with, the British Lottery and even more from a guy in Nigeria. They look real. Now that I think about it, maybe I should forward all of their e-mails to each other. The lottery guys and the Nigerian guy can put all their money into the fake bank accounts. Spam problem solved!

Are there white lists for Yahoo, Gmail, Hotmail and AOL?

In my website (under development), the members can send messages to each other, which are sent directly to their email. Now I'm worried that some members can send spam to other members (I have a spam filter, but it doesn't give 100% protection as you know). I'm worried that my domain might get blacklisted on Yahoo, Gmail, Hotmail or AOL, which will cause any messages sent from my domain to end up in the spam folder. This is why I want to add the domain of my website to their whitelists (if they exist).
P.S. I don't want to use private messages that members check on the site and I have my reason for this.
Thanks
Your email might not be considered "bulk" because it sounds like it's one->one as opposed to one->many, but these bulk mail help resources might still be helpful:
Yahoo! Mail Postmaster Help
GMail Bulk Sender Guidelines
Windows Live Hotmail Postmaster Services
AOL Postmaster Website
As Bevan mentioned, your task will be an ongoing one to keep your site clean on various services.
Not sure if you're already considering this, but you can send the email "on behalf of" the requesting user (i.e., set the from and reply-to fields to the user who is sending the message).
While there may be whitelists used by those sites, I suspect that they only contribute to whatever scoring system is in use - being on the list won't be sufficient in itself.
The overall controlling factor will be the "reputation" of your site - you need to work to ensure that reputation stays sound.
Unfortunately for your workload, I think this will be an ongoing task, not a one-off.