[Semaphor]

We only include the username, not the (optional) real name. If I had thought about it before now, I’d have said that sounds suboptimal. But now, I guess it was smart ;)

[mzrnsh]

What's stopping the spammers from entering "http:// suspicious .link" as username and someone's real email as email?

[mkl]

Not OP, but usernames usually have restrictions to certain characters and lengths. It's pretty common to not allow : / and ., which would stop it. Space and @ usually aren't allowed either.

[hannob]

So "Go to superspammysite.com for horny pictures" is still an allowed username, right? Or of you skip spaces "superspammysite.com" may be enough that some spammer wants to abuse it.

I think you can't restrict usernames enough to not allow any spam. The only right way is to really just have the email and nothing else in the first confirmation mail.

[Semaphor]

Then you have "Hello superspammysite.com, welcome to our website." Not enough space for some kind of scam-text like in TFA. And considering that this has not happened in the last 27 years, it does not actually seem that worthwhile for spammers.

[mzrnsh]

Good point. That still equips your competitors with all they need to ruin your reputation though:

email: some@real.address

username: F*YOU

submit!

Now your sending "Hey F*YOU!" to real people.

[Semaphor]

Yeah, you can do that. But at that point you might as well sign up to a freemailer and just send those mails like that ;)

[AlecSchueler]

But then it's not coming from your company's email address.

[Semaphor]

Yeah, that does not seem like an important issue.

[Semaphor]

Yeah, that, and length restrictions.