[caf]

Verification emails serve the purpose of ensuring that people don't sign up other people's email addresses.

[imglorp]

And if they do, why is that bad?

[vidarh]

Because it makes signing people up to all kinds of things they don't want to be signed up to trivial.

If you are actually going to use the address given, it makes sense to verify it to prevent abuse.

Not least because you risk having your ability to deliver e-mail severely jeopardised by abuse if you don't.

[gus_massa]

People can create fake accounts with other person email. For example, a last year case of a fake account for Linus Torvalds in change.org

https://plus.google.com/+LinusTorvalds/posts/DPY7H4a9Ma5

> Somebody signed a Change.Org petition in my name, and using a really old email address of mine.

> So since I apparently had an "account", I reset the password, and made a petition of my own.

> Change.Org - please change your dickish ways. Ok?

[pdkl95]

Because of the script that destroys email addresses by signing them up for 5000 mailing lists.

[no1youknowz]

What script is that? Never heard of such a thing.

[pdkl95]

There were several going around in the "warez" scene in the mid-90s.

It didn't require a script, either. When mailing lists and other automatic email sources let you add destination addresses without closing the confirmation loop by sending a test email, you can denial-of-service email addresses with just an SMTP client.

The really nasty part about this attack is that it's not just bandwidth amplification. Normal amplification attacks go away when the attacker decides to stop sending packets. With mailing subscriptions, the badly-configured mailing lists keep sending the attack on their own.