I have tested messaging from two users on different servers with ask enabled. Apparently ask lets confirmation messages through. How does it know it is an ask confirmation message. Can't it be faked by a spammer to send directly to the recipient?
Yes, you're right. This was a design shortcut based on the fact that it is very unlikely that spammers with use such an unusual Subject in their messages. I'm working with Jason Mastaler (TMDA) and Gerrit Pape (Qconfirm) to have something added to confirmations in a way that allows the C/R systems to automatically respond to a confirmation, instead of blindly delivering or ignoring it.