[spicykraken]

A captcha might add enough friction to at least slow them down if they're doing this at scale.

Also adding some fraud detection on top might help (e.g. MaxMind) you can tell if the requests are coming from a proxy, hosting service, etc and block those requests or present them with additional challenges.

[gajus]

CAPTCHA is not a bad suggestion, but my hesitation is that if someone has gone through the hoops to setup residential proxies to do this, then CAPTCHA is just another nuisance to bypass (there are many services readily available to do that), and the people that will suffer the most will be the real users.

[spicykraken]

I hear ya. We hold similar sentiments and also don't use CAPTCHA, we find MaxMind (and a few custom heuristics) to do good enough of a job at filtering out bad actors. A few get in every great once in a while but we have secondary controls that limit the money they can cost us.

[fragmede]

Cloudflare's capcha is just a checkbox, no weird clicky puzzle. It'll still bounce some legitimate users but it's better than having all your emails go to spam.