I want to create a newsletter app and users will naturally have to confirm that they signed up for the newsletter so we don't spam them if some bot entered addresses.

My idea was to simply send the user an email that contains a link that has a secret in the url, which is a hash of the email address and some secret sitekey.

My question is the following: Can someone by registering a few accounts and thus receiving the hash of the secret with his address, guess the sitekey and thus register every email address she wants?

I don't see anything that could be gained from doing that, but if it is very easy, chances are someone will do it and I get blacklisted.

My reason for not storing a non-activated user account is simply that I don't want to purge them from the DB every x days.

+2  A: 

I think it would be best to generate a random secret and keep it in the db. That way there is nothing that can be guessed. (At least not anything that grants permission to add any email).

flybywire
+4  A: 

If you ensure you use something like sha1 with a completely random salt/sitekey, then it would be futile to attempt to reverse engineer the sitekey with a dictionary attack.

If someone did want to synthesise their own hashes to register arbitrary addresses, a more effective use of their time would be to gain access to your server to read the source code :)

Paul Dixon
Thank you for the peace of mind :)
nasmorn
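
An added example, not part of the original question or answers: a stateless confirmation token for the scheme discussed above. It swaps the plain hash of address plus sitekey for HMAC-SHA256 keyed with a random sitekey, and goes slightly beyond the thread by binding an issue timestamp into the token so links expire without any database row. The names `SITE_KEY`, `MAX_AGE`, `make_token` and `verify_token`, the three-day lifetime and the lowercase normalisation of the address are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumption: in production the key is generated once and loaded from a
# secret store; it is created here only so the example runs stand-alone.
SITE_KEY = secrets.token_bytes(32)
MAX_AGE = 3 * 24 * 3600  # assumed link lifetime, in seconds


def _mac(email, issued, key):
    # The timestamp is all digits, so the first ':' splits the fields unambiguously.
    msg = f"{issued}:{email.strip().lower()}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_token(email, key=SITE_KEY, now=None):
    """Return 'issued.mac', safe to place in the confirmation URL."""
    issued = int(time.time()) if now is None else now
    return f"{issued}.{_mac(email, issued, key)}"


def verify_token(email, token, key=SITE_KEY, now=None):
    """True only if the token was issued for this address and has not expired."""
    now = int(time.time()) if now is None else now
    issued_s, sep, mac = token.partition(".")
    if not sep or not (issued_s.isascii() and issued_s.isdigit()):
        return False
    issued = int(issued_s)
    if not 0 <= now - issued <= MAX_AGE:
        return False
    expected = _mac(email, issued, key)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(mac.encode(), expected.encode())


if __name__ == "__main__":
    addr = "alice@example.org"  # constructed sample address
    tok = make_token(addr)
    print("link token:", tok)
    print("valid for alice:", verify_token(addr, tok))
    print("valid for bob:  ", verify_token("bob@example.org", tok))
```

Seeing tokens for addresses you control gives no way to compute one for another address without the key, which is the property the question asks about.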