We're thinking about adding a feature to one of our products that would let a user send up information using direct messages. This information would be stored for later retrieval by the user.
The problem we're seeing is that either we have to work out a way to do this in blocks of 20, since that's the limit, or use the DM email notification. The email route might be easiest to implement, and possibly the most scalable (weirdly), but I'm concerned about a possible vulnerability. There's no way to really determine if the email was sent from Twitter; it could easily have come from anyone who knew the sender's name and ID, something that isn't impossible to find out. All the other header information could also be faked. I think this is correct, but maybe I'm wrong on this. So my question is: is there any way to authenticate that the email is actually coming from Twitter and not someone else?