You don't have a choice about confirmation -- when
you set the e-mail
address it'll send a confirmation email automatically. Thus they're
alerted, and the jig, as they say, is up. :)
Then what?
It alerts of the action, but you can't stop it. The confirmation message
says:
Someone, probably you from IP address X.Y.Z, has registered an
account "YourName" with this e-mail address on Wikipedia.
To confirm that this account really does belong to you and activate
e-mail features on Wikipedia, open this link in your browser:
http://test.wikipedia.org/wiki/Special:Confirmemail/baddeefbaddeefbaddeefba…
If this is *not* you, don't follow the link. This confirmation code
will expire at XXX
So, there's no option to "refuse" the email connection. The receiver may
think, "oh, somebody registered an account with my name at the wikipedia
in strange language" but not matter more about it (note he's relating
the warning to the username, not with their email).
If he checks the contributions will see a user with good editions. If
username clashes are as common as Anthony says, he won't think it again
(until he loses his account).
He would need to be a paranoic, knowing this vulnerability running to
warn a steward or takeover it. And still he'll need to sleep.
I'd create the takover account and not set its password to the matching
one before minutes of Merging them.
Exactly right. A non-confirmed email address shouldn't be used for
anything, at all, since without confirmation, it's just a random
string. If you really want to use unconfirmed email addresses, then
give control of accounts with unconfirmed addresses to accounts with
confirmed addresses, but definitely not the other way around, that is
a major loophole.