Comment 4 for bug 551906

I still don't think we're rate-limiting in the right way. What about
three attempts per hour? That should be enough for a user to come up
with a valid email address, and is no more of a spam threat....

Or, better yet, what if clicking on a received validation link reset the
timer, even if the registration attempt failed (in this case, because it
corresponded to an existing email address)? In the spamming scenario,
the user is still rate-locked, but in the honest-mistake scenario, the
user is able to send herself another email-registration
validation-request (presumably at a new email address).

(Of course if psiphon threw an error when users attempt to register
pre-existing email addressses, this would not be an issue. Presumably,
we avoid this because it would allow an adversary to enumerate email
addresses?)