Throttling Email Requests
I have some questions regarding user experience when it comes to throttling email requests from public pages in my app such as Signup Email Verification and Password Recovery.
First of all, I want to throttle requests because I do not want to spam email recipients with my app's transactional emails. I am concerned about User A trying to sign up for an account using User B's email address for the sake of annoying User B at my app's expense (like getting flagged as spam).
I haven't read a foolproof approach to protect apps from these types of attacks (if you know of one, I would really appreciate it if you could tell me).
Currently I have implemented a captcha, but I would also like to implement throttling. So my questions would be:
How many times would I let a user send a request before I throttle sending emails for the same request? I did a single quick test with Facebook, and I learned that they throttle password recovery emails after the 3rd try.
How long should I throttle the request? 10 minutes? 30 minutes?
Should I (A) let the user know I throttled the request, e.g. by placing a notice, or (B) act like I didn't do anything? Facebook did (B). I think it is more of a security thing? But my problem is that, if I choose (B), a legitimate user not receiving any emails would keep on requesting for the whole throttling period, which would be very bad UX.
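One way to build the kind of throttle the question describes, as an added example that is not code from the original post: a sliding-window limiter keyed on the normalized recipient address (the bucket that matters in the User A / User B scenario), plus a second, looser bucket keyed on the requesting client. The limits (3 sends per address per 30 minutes, 20 per client per hour), the action names, the client identifier and the response wording are assumptions chosen for illustration, not rules from the post. The `silent` flag switches between the two UX options discussed above: with `silent=True` the handler returns the same message whether or not a mail was actually sent; with `silent=False` it tells the requester they were throttled and when to retry. The sample traffic is constructed and the clock is injectable, so the whole thing runs offline.

```python
"""Sliding-window throttle for transactional email (verification, password reset).

Added example, not code from the original post. Limits are keyed on the
recipient address so that User A cannot use the signup form to flood User B,
and separately on the requesting client. All numbers are assumptions.
"""
import time
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Decision:
    allowed: bool
    retry_after: int = 0   # seconds until the next send for this key would be accepted


@dataclass
class SlidingWindowThrottle:
    max_events: int          # sends allowed per key inside one window
    window_seconds: int      # window length in seconds
    _events: dict = field(default_factory=dict)  # key -> deque of send timestamps

    def check_and_record(self, key, now=None) -> Decision:
        """Allow the event if fewer than max_events fall inside the window.
        On success the timestamp is recorded; rejected attempts are not counted."""
        now = time.time() if now is None else now
        q = self._events.setdefault(key, deque())
        cutoff = now - self.window_seconds
        while q and q[0] <= cutoff:       # drop timestamps that left the window
            q.popleft()
        if len(q) >= self.max_events:
            # the oldest remaining event decides when the window opens again
            return Decision(False, int(q[0] + self.window_seconds - now) + 1)
        q.append(now)
        return Decision(True)


def normalize_email(addr: str) -> str:
    """Canonicalize so 'Bob@Example.com' and ' bob@example.com ' share one bucket.
    Provider-specific aliases (dots, +tags) are deliberately not folded here;
    that is a simplification of this example, not a rule from the post."""
    return addr.strip().lower()


class TransactionalMailer:
    """Front door for 'send a verification / recovery mail'. Assumed limits:
    3 sends per recipient per 30 minutes, 20 requests per client per hour."""

    def __init__(self):
        self.per_recipient = SlidingWindowThrottle(max_events=3, window_seconds=30 * 60)
        self.per_client = SlidingWindowThrottle(max_events=20, window_seconds=60 * 60)
        self.sent = []     # (action, recipient) pairs handed to the mail backend
        self.audit = []    # internal record of throttled attempts, never shown to users

    def request(self, action, email, client_id, now=None, silent=True):
        """Return the message shown to the requester.

        silent=True  -> option (B): identical message whether or not mail went out.
        silent=False -> option (A): say the request was throttled and when to retry.
        """
        recipient = normalize_email(email)
        client_verdict = self.per_client.check_and_record(("client", client_id), now)
        # Only a client that is itself within limits may draw on the recipient's budget.
        if client_verdict.allowed:
            verdict = self.per_recipient.check_and_record((action, recipient), now)
        else:
            verdict = client_verdict

        if verdict.allowed:
            self.sent.append((action, recipient))
        else:
            self.audit.append((action, recipient, client_id, verdict.retry_after))
            if not silent:
                return f"Too many {action} emails requested; try again in {verdict.retry_after} s."
        return f"If an account matches that address, a {action} email is on its way."


if __name__ == "__main__":
    # Constructed scenario: an attacker hammers the signup form with the victim's address.
    mailer = TransactionalMailer()
    for t in range(5):
        print(mailer.request("signup-verification", "Victim@Example.com", "attacker", now=float(t)))
    # The victim's own request 10 s later is also absorbed by the (silent) throttle.
    print(mailer.request("signup-verification", "victim@example.com", "victim", now=10.0))
    print("mails actually sent:", len(mailer.sent), "| throttled attempts:", len(mailer.audit))
```

The demo shows the trade-off raised in the question: because the bucket is keyed on the recipient, the attacker's first three requests exhaust the victim's budget, so the victim's own legitimate request inside the window is throttled too, and in silent mode they are not told why. Keying on the requester's IP instead would not address the post's scenario at all, since User A is the one submitting the form. Note also that the limiter counts only accepted sends, so a throttled user who keeps clicking does not keep extending their own lockout. In a real deployment the per-key deques have to live in a shared store rather than process memory, or every web worker would throttle independently.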