[throwaway2037]

Nice list. You came well prepared.

    > Email shenanigans — for example, some mail clients click verification links automatically to check them for spam and then even interact with the page

What is the technical workaround for this issue? Do you check user agent?

[n2d4]

Check for cookies. If they exist, we can continue like normal. If not, require user interaction (none of the spam filters we tested click buttons, but from what I could gather, one of them — Outlook — moves the mouse).

[throwaway2037]

That is a good idea: Require interactivity. Even something very simple like: "Click this button to continue." Any human will click it immediately. A spam checker: Stumped.

[1oooqooq]

identifying those clients and emails using it would make for some easy account take over using password resets.

what people smoke to do those features?