by tendencydriven 1329 days ago
I don't think you're quite answering the question they've asked.

They want to know if you're doing any domain validation for requests sent to your URL, otherwise someone could quite easily eat up their quota by sending POST requests to the URL in the form.

3 comments

I just want to make sure I'm not missing something:

Would there be a reason to do this other than to eat a competitor's quota or just cause someone trouble?

The malicious actor would not benefit in any other way, correct? They would not actually get the submitted data…

Maybe not from a single spammer, but there are so many spam bots that any form like this you put on the web will be hit by a flood of bots.
Agreed.

It’s taken me a couple days to put it into words, but the important thing for me was a product lesson.

The lesson was that it’s possible to lower friction to this point, build or buy an anti-bot/spam system and still have margin.

Yeah there would be absolutely no benefit to doing this other than just to be a nuisance.
Nope, there would be zero benefit other than to try to cause a bit of trouble.
There's no domain validation as we don't limit what domain or page your form can be used on.

If there was a malicious user abusing the service and they manage to bypass our spam protection then I'll definitely make sure they're taken care of, as spam doesn't count towards your quota.

No way to stop that, bar an annoying captcha detector maybe.

Because you can control the whole HTTP request using, say, curl and use proxies.

Conversely I wouldn’t be surprised if some privacy extensions hide the referrer.

You could do some basic bot detection though. Even a CSS hidden non-hidden field might catch the bots.
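
Added example, not part of the thread and not the service's own code: a server-side screen for form submissions that combines the points raised above. It treats a filled CSS-hidden honeypot field as spam and treats `Origin`/`Referer` only as a weak signal, since scripted clients set them freely and privacy extensions remove them. The field name `website`, the `expected_hosts` option and the sample requests are assumptions made for illustration.

```python
from urllib.parse import urlsplit

HONEYPOT_FIELD = "website"  # hypothetical field name, hidden from people with CSS


def source_host(headers):
    """Host claimed by Origin or Referer, or None when neither is usable."""
    for name in ("origin", "referer"):
        host = urlsplit(headers.get(name, "")).hostname
        if host:
            return host.lower()
    return None


def screen_submission(headers, fields, expected_hosts=()):
    """Return (verdict, reasons); verdict is 'spam', 'suspect' or 'accept'."""
    headers = {k.lower(): v for k, v in headers.items()}
    # People never see the CSS-hidden field, so a value in it came from a bot.
    if fields.get(HONEYPOT_FIELD, "").strip():
        return "spam", ["honeypot field filled"]
    reasons = []
    host = source_host(headers)
    if host is None:
        # Privacy extensions strip these headers; absence alone is not evidence.
        reasons.append("no Origin/Referer header")
    elif expected_hosts and host not in expected_hosts:
        # Headers are client-controlled, so a mismatch only feeds scoring.
        reasons.append(f"unexpected source host {host}")
        return "suspect", reasons
    return "accept", reasons


# Constructed sample requests: (headers, form fields)
SAMPLES = {
    "browser": ({"Origin": "https://shop.example"},
                {"email": "a@shop.example", "website": ""}),
    "stripped": ({}, {"email": "b@shop.example"}),
    # Forged Referer matches the expected host, but the honeypot gives it away.
    "bot": ({"Referer": "https://shop.example/contact"},
            {"email": "x@spam.example", "website": "http://spam.example"}),
    "other_site": ({"Origin": "https://elsewhere.example"},
                   {"email": "c@shop.example"}),
}

if __name__ == "__main__":
    for name, (hdrs, form) in SAMPLES.items():
        print(name, screen_submission(hdrs, form, expected_hosts={"shop.example"}))
```
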