They're trying to flag your domain as a spam source... once your emails are received they flag them as spam... with enough of those your domain will be on the blacklist
One possible option I have seen is to reverse the flow. Give people a code and have them email you that code to a dedicated MX endpoint using a dedicated inbound-only email domain that only processes codes, discards attachments, discards anything else beyond a string+16 digit code, and does not send bounces. Also block outbound connections from this thing. Invalidate and prune the code after an hour or less to keep the clutter out of Redis or your DB in the event of bot-flooding-signups. Format the code in a way that cell phone users can easily copy/paste into email, or perhaps use JavaScript for that.
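The inbound handler described in the comment above, sketched as an added example that is not part of the original post. The `VERIFY-` prefix, the in-memory `CodeStore` standing in for Redis or a DB, the scan cap and all function names are assumptions made for illustration.

```python
import re
import secrets
import time
from email import message_from_bytes, policy

TTL_SECONDS = 3600                            # "an hour or less"
CODE_RE = re.compile(r"\bVERIFY-(\d{16})\b")  # assumed format: prefix + 16 digits
MAX_SCAN = 4096                               # assumed cap on text inspected

class CodeStore:
    """In-memory stand-in for Redis or a DB table (constructed for this example)."""
    def __init__(self):
        self._pending = {}                    # code -> (account_id, expires_at)

    def issue(self, account_id, now=None):
        now = time.time() if now is None else now
        code = f"VERIFY-{secrets.randbelow(10**16):016d}"
        self._pending[code] = (account_id, now + TTL_SECONDS)
        return code

    def redeem(self, code, now):
        # pop() makes every code single-use, whether or not it has expired
        account_id, expires_at = self._pending.pop(code, (None, 0))
        return account_id if now <= expires_at else None

    def prune(self, now):
        # Drop expired codes so flooded signups do not pile up in the store
        expired = [c for c, (_, exp) in self._pending.items() if exp < now]
        for c in expired:
            del self._pending[c]
        return len(expired)

def handle_inbound(raw, store, now=None):
    """Return the verified account id, or None. Never replies, never bounces."""
    now = time.time() if now is None else now
    try:
        msg = message_from_bytes(raw, policy=policy.default)
        body = msg.get_body(preferencelist=("plain",))  # attachments are never read
        text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    except Exception:
        return None                           # malformed mail is dropped silently
    match = CODE_RE.search(text[:MAX_SCAN])   # everything but the code is ignored
    return store.redeem(match.group(0), now) if match else None
```
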
I'd try using a captcha, not perfect but they might give up... also worth trying to control the IP where those requests come from: duplicates would be suspicious, triplicates or more worth human attention