by shantanubala 4921 days ago
I understand -- there's a bit of a problem when trying to prevent abuse, though, and relying on the Persona identity provider makes it easier to prevent abusive behavior upfront, especially since the conversions themselves consume a lot of resources.

I'm still working out the optimal solution, but thanks for the feedback!

1 comments

In what way does Persona prevent abuse? All you validate is email receipt which can be trivially fudged using mailinator.

It is far better to deal with this sort of thing at the "transaction" level - e.g. use a captcha or similar for the second and subsequent conversions from a particular IP address.

It's just a rough barrier before I set up something a little better, though I already have logging at the transaction level set up. Even using Mailinator requires a little bit of work, so I figured Persona was a good starting point -- I'll look into adding a "try it out" area on the home page that doesn't require you to sign up though.
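Added example, not part of the thread and not the site's own code: a sketch of the per-IP gate suggested above, where the first conversion from an address is free and later ones need a solved captcha. The names `ConversionGate`, `client_key` and `captcha_ok`, the one-day window and the IPv6 /64 bucketing are assumptions that go beyond what the comment describes.

```python
import ipaddress
import time
from collections import defaultdict, deque

FREE_CONVERSIONS = 1         # assumption: one conversion per client without a captcha
WINDOW_SECONDS = 24 * 3600   # assumption: counts expire after a day


def client_key(ip: str) -> str:
    """Bucket a client address: IPv4 as-is, IPv6 by /64, since one
    subscriber usually controls a whole /64 and can rotate within it."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        if addr.ipv4_mapped:                  # ::ffff:a.b.c.d counts as a.b.c.d
            return str(addr.ipv4_mapped)
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(addr)


class ConversionGate:
    """In-memory gate; a real deployment would keep counts in shared storage."""

    def __init__(self, free=FREE_CONVERSIONS, window=WINDOW_SECONDS, clock=time.time):
        self.free, self.window, self.clock = free, window, clock
        self.seen = defaultdict(deque)  # client key -> times of accepted conversions

    def _recent(self, key):
        # Drop timestamps that have aged out of the window.
        q = self.seen[key]
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def decide(self, ip: str, captcha_ok: bool = False) -> str:
        """Return 'allow' or 'captcha_required'; record the conversion when allowed.
        captcha_ok must come from server-side verification of the captcha answer."""
        q = self._recent(client_key(ip))
        if len(q) >= self.free and not captcha_ok:
            return "captcha_required"
        q.append(self.clock())
        return "allow"
```

Pass `decide()` the socket peer address, or a forwarded-for value only when it was set by a proxy you operate, since a client-supplied header would let the caller pick its own bucket.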