For these TLDs (.eu and .be) we were using an OCR system to read the contact email addresses.
And nobody thought this was a bad idea? In a security sensitive context? Just another day at the office, plugging the widgets together, making the tubes?
From what I understand of this email, the registrars only offered the contact info in the form of an image. To me, this seems like one of those times where we can make the client’s experience a little bit easier with automation, even if we have to jump through hoops. The registrars probably only offered it through images so that people couldn’t just scrape whois for email addresses to spam. The person who first made the OCR workflow was probably thinking that this is a really cool project that ended up working out really well. In any case, this issue could have also come up if a human did the same thing. The human would look at the image, guess at what the letters really represented, and send an email to validate ownership of the domain. I think the crux of this issue is that there is no easy way for the CA to figure out who to actually contact to confirm a transaction on a domain.