Issue 378: Don't use links for email address validation
Status:  Accepted
Owner: ----
Project Member Reported by sop@google.com, Jan 6, 2010
Spammers have apparently reached the point where they are now
signing up for accounts on websites, receiving the validation
emails, scanning them through an automated POP/IMAP client, and
actually hitting the links contained in the message.  (I've learned
of this through some MediaWikis which are now being spammed.)


Change our email address validation technique to be something
that requires more human intelligence.

For example, we should send an email like the following:

  Welcome to Gerrit Code Review at review.source.android.com

  To confirm your email address, please return to the website
  and enter the following code:

      https://review.source.android.com/#VE

      $SHORT_RANDOM_CODE

Where #VE displays a form to accept the $SHORT_RANDOM_CODE, but
wouldn't complete itself normally.


To really make $SHORT_RANDOM_CODE validate an email and yet be
really short, we need to store proposed email addresses into a
database table, keyed by $SHORT_RANDOM_CODE.
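
Added example, not part of the original report and not Gerrit's own code: a sketch of the table-backed short-code scheme proposed above, in Python with SQLite. The table names, code length, lifetime, failure cap and the binding of each code to the signed-in account are assumptions made for illustration.

```python
import secrets
import sqlite3
import time

ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # no 0/O/1/I/L look-alikes
CODE_LEN = 8        # assumed length: about 39 bits with this alphabet
TTL_SECONDS = 3600  # assumed lifetime of a pending code
MAX_FAILURES = 5    # assumed cap on wrong codes per account

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript("""
        CREATE TABLE pending_email (code TEXT PRIMARY KEY, account_id INTEGER,
                                    email TEXT, expires_at REAL);
        CREATE TABLE failures (account_id INTEGER PRIMARY KEY, tries INTEGER);
        CREATE TABLE verified_email (account_id INTEGER, email TEXT);
    """)
    return db

def issue_code(db, account_id, email, now=None):
    """Store the proposed address keyed by a fresh code; return the code to mail."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
    db.execute("INSERT INTO pending_email VALUES (?, ?, ?, ?)",
               (code, account_id, email, now + TTL_SECONDS))
    db.commit()
    return code

def redeem_code(db, account_id, typed, now=None):
    """Handler for the #VE form: returns the verified address, or None."""
    now = time.time() if now is None else now
    row = db.execute("SELECT tries FROM failures WHERE account_id = ?",
                     (account_id,)).fetchone()
    if row and row[0] >= MAX_FAILURES:
        return None  # a short code must not be guessable by brute force
    code = typed.strip().upper()
    hit = db.execute(
        "SELECT email FROM pending_email "
        "WHERE code = ? AND account_id = ? AND expires_at > ?",
        (code, account_id, now)).fetchone()
    if hit is None:
        db.execute("INSERT OR IGNORE INTO failures VALUES (?, 0)", (account_id,))
        db.execute("UPDATE failures SET tries = tries + 1 WHERE account_id = ?",
                   (account_id,))
        db.commit()
        return None
    db.execute("DELETE FROM pending_email WHERE code = ?", (code,))  # single use
    db.execute("INSERT INTO verified_email VALUES (?, ?)", (account_id, hit[0]))
    db.commit()
    return hit[0]
```

Because the mailed code is short, the expiry, single-use deletion and per-account failure cap carry the security that a long signed token would otherwise provide.
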
Jan 11, 2010
#1 sop@google.com
(No comment was entered for this change.)
Status: Accepted
Owner: ---
Aug 17, 2010
Project Member #2 mf...@codeaurora.org
I think that this would be easy for spammers to overcome too, a minor tweak.  Why not simply integrate a true captcha on the first identity registration?
Aug 19, 2010
#3 sop@google.com
Captchas are also currently defeated by spam engines.  :-)
Aug 20, 2010
Project Member #4 mf...@codeaurora.org
Agreed, but if you integrate a captcha system such as an external free software captcha project, you could at least push off the arms race to that subsystem or library instead of attempting to fight it in Gerrit.  I am assuming that they have a better chance of beating the spammers than us.
Nov 27, 2013
#5 rodney.d...@seagate.com
Captchas won't "stop" spammers, but they might slow them down.