PHP Email Activation - How to Avoid Abusers?
How do you avoid abusers for account systems requiring email activation? Abusers can basically hijack your account activation system to spam someone's (or multiple someones') emails.
The most obvious solution is probably to set a limit of X reminders max per hour or per day. But: This doesn't give the non-abusing user the benefit of the doubt - what if their mail server is just having a bad day, for example? Are there better solutions other than just setting a brute-force limit?
Setting a limit of X reminders per Y hours/days is definitely something that should be done:
- You could allow 2 or 3 mails in the first hour -- if one mail gets lost, it can be useful to allow more than one
- Then only 5 mails in the next whole day; or even week.
If 3 mails don't make it to the user, chances are pretty low that a 4th one will...
(And 2 or 3 mails is already pretty generous -- I would say 1 mail per day is enough, in almost any possible situation)
Abusers can basically hijack your account activation system to spam someone's (or multiple someones') emails.
Presumably, they can't actually put their own content in such emails though? Because it's just an automated activation email? This should mean that apart from just 'general nuisance', there isn't really any incentive for people to abuse it as there would be if they could spam, right?
Flood control - that is, limiting the number of sign-up attempts per IP address per hour - is probably a good way to limit the troublemakers. After that, identify any serial offenders and block their IP address.
Are there better solutions other than just setting a brute-force limit?
As well as just having a limit, you can have a more generous number of 'grace' attempts such that the limit doesn't apply until after this number of grace attempts.
For example, 5 per day per IP address can be the limit, but only apply this limit after someone does more than 20 in a day. Adjust the numbers based on what you think is/isn't "abnormal" usage.
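Putting the two policies from the answers together (the tiered per-address limit of 2-3 in the first hour then 5 per day, and the per-IP limit of 5 per day applied only after 20 grace attempts), as an added example that is not part of any answer on this page. It is written in Python rather than PHP so the policy reads on its own; the class, method names and the in-memory storage are my own assumptions, and only the numeric thresholds come from the answers.

```python
import time
from collections import defaultdict, deque

HOUR = 3600
DAY = 86400

# Per recipient address (first answer): a few resends in the first hour, a
# slightly higher ceiling over a whole day. Only mails actually sent count.
PER_ADDRESS = ((HOUR, 3), (DAY, 5))

# Per source IP (last answer): 20 "grace" attempts a day are free, then a limit
# of 5 more a day applies. Every attempt counts, denied ones included, so a
# serial offender cannot reset the counter by being refused.
IP_GRACE_PER_DAY = 20
IP_LIMIT_AFTER_GRACE = 5


class ActivationResendLimiter:
    """In-memory timestamps (assumed); a real deployment keeps them in a shared store."""

    def __init__(self):
        self._sent_to = defaultdict(deque)        # normalised address -> send times
        self._attempts_from = defaultdict(deque)  # ip -> attempt times

    @staticmethod
    def _drop_old(events, now, window):
        # Queues are appended in time order, so pruning from the left suffices.
        while events and events[0] <= now - window:
            events.popleft()

    def allow(self, email, ip, now=None):
        """Return (allowed, reason). Call before sending an activation mail."""
        now = time.time() if now is None else now

        attempts = self._attempts_from[ip]
        self._drop_old(attempts, now, DAY)
        attempts.append(now)
        if len(attempts) > IP_GRACE_PER_DAY + IP_LIMIT_AFTER_GRACE:
            return False, "ip limit: grace exhausted and daily limit reached"

        sent = self._sent_to[email.strip().lower()]
        self._drop_old(sent, now, DAY)
        for window, limit in PER_ADDRESS:
            if sum(1 for t in sent if t > now - window) >= limit:
                return False, f"address limit: {limit} per {window}s"
        sent.append(now)
        return True, "ok"
```

A refused attempt should be logged with the address and IP so that the "serial offenders" mentioned above can be spotted and blocked further upstream.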