I'm writing a web app and looking for some advice about fighting automated spam. I haven't found any standard techniques for this (maybe there's no need?), and I'd love to hear your thoughts and experience.
My web app sends email in 2 cases:
- When you register a new account
- When you want to reset your passphrase
If some evil person sends automated HTTP requests to my web app, they could do things like these:
- If they know a user's email address, they can automatically and repeatedly trigger password reset emails, causing my app to send many email messages
- If they can get a list of email addresses of people around the world, they can automatically register all of them, causing my app to send tons of email messages
This not only creates tons of spam accounts and so on, it also makes my app send lots of email and potentially get its mail server blacklisted because of that.
So my question is, what's the standard (for free software web apps of course) to protect against these things?