If you know a user's email address, you can submit "Lost Password" requests over and over, filling their inbox with spammy "lost password" emails.
We should rate-limit it, probably exponentially. If we have sent N unacknowledged emails to this account today, you'd have to wait, say, 2^N minutes before sending another "Lost Password" email. For example:
The first Lost Password email of the day always works
To send a second Lost Password email (without clicking on any of the previous emails), you'd have to wait 1 minute.
To send a third, you'd have to wait 2 minutes
To send a fourth, you'd have to wait 4 minutes
To send a fifth, you'd have to wait 8 minutes
To send a sixth, you'd have to wait 16 minutes
To send a seventh, you'd have to wait 32 minutes
To send an eighth, you'd have to wait 64 minutes (~1hr)
To send a ninth, you'd have to wait 128 minutes (~2hr)
To send a tenth, you'd have to wait 256 minutes (~4hr)
To send an eleventh, you'd have to wait 512 minutes (~8hr)
To send a twelfth, you'd have to wait 1024 minutes (~16hr)
It would not be permitted to send a 13th Lost Password email in a day, unless the user clicked on at least one of the previous emails.
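A concrete version of that schedule, written here as an added example rather than code from this project: a small in-memory limiter keyed by account email, with an injectable clock (epoch seconds) so it can be tested deterministically. It follows the worked list above (first email free, then 1, 2, 4, ... 1024 minutes, never a 13th) and resets the counter when the user clicks a link in one of the emails. The names `LostPasswordLimiter`, `wait_minutes`, `try_send` and `acknowledge` are assumptions, as is the choice that "day" means a UTC calendar day; a real deployment would keep this state alongside the reset tokens rather than in a dict.

```python
"""Exponential back-off for "Lost Password" emails (hypothetical implementation,
not the project's own code).

Schedule follows the worked list in the issue: the first email of the day is
free, each further unacknowledged email must wait 2^(N-1) minutes after the
previous one (N = emails already sent today), and no more than MAX_PER_DAY are
sent unless the user clicks a link in an earlier email, which resets the counter.
"""
from dataclasses import dataclass
from typing import Dict, Optional

MAX_PER_DAY = 12          # from the issue: a 13th email is never sent
SECONDS_PER_DAY = 86400   # assumption: "day" means a UTC calendar day


def wait_minutes(unacked: int) -> Optional[int]:
    """Minutes to wait before the next email when `unacked` emails were already
    sent today. 0 means send immediately, None means the daily cap is reached."""
    if unacked <= 0:
        return 0
    if unacked >= MAX_PER_DAY:
        return None
    return 2 ** (unacked - 1)   # 1, 2, 4, ... 1024 for unacked = 1..11


@dataclass
class _AccountState:
    day: int                 # UTC day number the counter belongs to
    unacked: int = 0         # emails sent today and not yet clicked
    last_sent: float = 0.0   # epoch seconds of the most recent send


class LostPasswordLimiter:
    """In-memory limiter keyed by account email (assumed storage; a real
    deployment would persist this next to the reset tokens)."""

    def __init__(self) -> None:
        self._state: Dict[str, _AccountState] = {}

    def _state_for(self, email: str, now: float) -> _AccountState:
        day = int(now // SECONDS_PER_DAY)
        st = self._state.get(email)
        if st is None or st.day != day:      # counter resets at the day boundary
            st = _AccountState(day=day)
            self._state[email] = st
        return st

    def seconds_until_allowed(self, email: str, now: float) -> Optional[float]:
        """0 if a send is allowed now, a positive number of seconds otherwise,
        None if the daily cap has been reached."""
        st = self._state_for(email, now)
        minutes = wait_minutes(st.unacked)
        if minutes is None:
            return None
        return max(0.0, st.last_sent + minutes * 60 - now)

    def try_send(self, email: str, now: float) -> bool:
        """Record a send and return True if the email may go out now."""
        wait = self.seconds_until_allowed(email, now)
        if wait is None or wait > 0:
            return False
        st = self._state_for(email, now)
        st.unacked += 1
        st.last_sent = now
        return True

    def acknowledge(self, email: str, now: float) -> None:
        """Called when the user clicks a link in any of today's emails."""
        st = self._state_for(email, now)
        st.unacked = 0


if __name__ == "__main__":
    lim = LostPasswordLimiter()
    t0 = 1_000_000.0                       # constructed timestamp
    print(lim.try_send("user@example.com", t0))        # True: first of the day
    print(lim.try_send("user@example.com", t0))        # False: must wait 1 minute
    print(lim.try_send("user@example.com", t0 + 60))   # True
```

One thing the numbers show once written down: the delays for emails two through twelve add up to 2047 minutes, about 34 hours, so with a per-day counter the twelfth email and the hard cap are never actually reachable before the day rolls over; the daily reset is the effective bound. Whether that is acceptable, or whether the counter should survive the day boundary, is worth deciding explicitly.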
See also #450.