@wh4everest
Last active October 23, 2017 11:16
Virus scanners automatically confirming emails.

Confirmation emails vs. corporate proxies

Imagine you're building a website, and you want your users to confirm their email addresses. So you send them a link:

http://example.com/confirm-email/abc-123

They click the link, and if the token is valid: success! The email address is verified.

But what if your user is a banker, and his email is scanned for viruses? And what if the automatic scanner follows links?

That's right: your user will never get to click the link, because a machine clicked it for them. And the account will automatically get confirmed.

Not only is this annoying and confusing behaviour, but it can also be abused. Imagine an attacker knows that boss@bank.com exists. They can register an account with that address, and within minutes it'll get confirmed, without them really having access to the email account.


How do you solve the problem?

More importantly, how do you solve it without adding a new step to the process, like "paste the PIN we sent you" or "click here to verify your account"?

One note: automatically doing a POST /confirm-email/abc-123 won't fix the problem for proxies that execute JavaScript.

@zapirkon

Question: Can you tell if http://example.com/confirm-email/abc-123 was opened in a browser?
Will it be too much trouble for boss@bank.com to click "I'm not a robot" on the confirmation page?

@wh4everest
Author

> Can you tell if http://example.com/confirm-email/abc-123 was opened in a browser?

I guess you can use the user agent. However, it's hard to distinguish between a real user in a browser, and a proxy that executes JS. I'm assuming virus scanners don't want to be recognized.

> Will it be too much trouble for boss@bank.com to click "I'm not a robot" on the confirmation page?

We want to avoid it. Having a "click here to confirm" button is enough, no need for a captcha. But we want to avoid having that extra step, if possible.
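
An added example, not part of the gist or its comments: a model of the confirmation endpoint in which GET confirms the address (the behaviour the gist describes) beside the "click here to confirm" fallback from the last comment, where GET only renders a form and POST changes state. `ConfirmationService`, `scanner_visit` and `TOKEN_TTL` are hypothetical names, and the scanner is modelled as a client that only issues GET; the form carries no script, because an auto-submitted POST would still be triggered by a proxy that executes JavaScript.

```python
import hashlib
import html
import secrets
import time

TOKEN_TTL = 3600  # seconds; assumed lifetime, not taken from the thread

class ConfirmationService:
    """In-memory stand-in for the site's account store (hypothetical)."""

    def __init__(self, safe_get=True):
        self.safe_get = safe_get   # False reproduces the confirm-on-GET design
        self.pending = {}          # sha256(token) -> (email, expiry)
        self.confirmed = set()

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not reveal usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.pending[self._digest(token)] = (email, now + TOKEN_TTL)
        return f"/confirm-email/{token}"

    def handle(self, method, path, now=None):
        """Return (status, body) for a request to the confirmation URL."""
        now = time.time() if now is None else now
        key = self._digest(path.rsplit("/", 1)[-1])
        entry = self.pending.get(key)
        if entry is None or entry[1] < now:
            return 404, "unknown or expired token"
        if method == "GET" and self.safe_get:
            # No state change: the page only offers a button that POSTs.
            action = html.escape(path, quote=True)
            return 200, f'<form method="post" action="{action}"><button>Confirm</button></form>'
        if method in ("GET", "POST"):
            email, _ = self.pending.pop(key)   # single use
            self.confirmed.add(email)
            return 200, "confirmed"
        return 405, "method not allowed"

def scanner_visit(service, url):
    """Constructed model of a link scanner that fetches URLs with GET only."""
    return service.handle("GET", url)
```
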
