I just got a complaint about the latest comment on Another One Bites the Dust. Apparently the previous commenter (who checked the “Subscribe to comments” box) either entered someone else’s email address or forgot visiting the site. It’s a email@example.com address, so it could easily have been a typo.
Either way, the new comment notice went out, and the recipient sent me a spam complaint. I apologized and removed him from the update list, but it moves “accidental spam” from a theoretical risk to an observed problem. I’ve disabled the subscription plugin until I have a chance to figure this out.
The good news is that Subscribe to Comments 2.0 is out now, so I should be able to upgrade when I get a chance. The bad news is that it doesn’t seem to have added a confirmation step, meaning it’s still (effectively) opt-out. Sure, you have to opt-in to get it in the first place…but the fact is that anyone can opt you in just by giving your email address instead of their own.
Note that there is a “block all notifications” feature in Subscribe to Comments 2.0 for cases where pranksters are subscribing people to comment threads maliciously. The problem I see with an opt-in system (send an e-mail, click this link to verify) is that it can potentially generate as much unwanted mail as a subscription would itself. You can’t send out one verification e-mail and then say “well, if he didn’t get that particular e-mail and opt-in, I won’t give him another opportunity.” No, you’ll have to give him another chance. Similarly, if someone knows your e-mail address, they can use WordPress to spam your “Forgot your password?” form.
One other thing to consider is that if someone has your e-mail address and wants to annoy you, there are much better ways to do so than by subscribing you to comments on a blog somewhere. I’m a cynic, and that means that I consider the worst of human behavior, but I’ve not yet seen someone do this (yet!).