What about spoofed emails? Come to think of it, how does Posterous handle that? One way would be to mail the user back asking them to reply to confirm and then recording the details of the genuine mail server. Does Posterous do that?
On the whole there is a lot to get wrong in this authentication method. I would prefer if this doesn't spread to other web apps.
>> Email can easily be spoofed, but Posterous has come up with some ways to figure out if the email we receive comes from you. If we think it might not be you, we ask you to confirm the email before we post it.
No matter what, you always get an email notification of every post we put online for your blog, with an easy link to remove the post if you didn't do it.