Venom Rush 21 Posting Whiz

Hi all

I have a forgotten password routine that returns "Email address invalid" if the email address entered is not in the database. This seems to be the general trend to notify someone that the email address doesn't exist. I'd just like to know if it's possible for a hacker to harvest email addresses this way.

For example, if the message doesn't return "Email address invalid" then it can be assumed the email address exists and a bot can just continuously try different email addresses randomly and save the tried email addresses that didn't return "Email address invalid".

Would it be worth putting a delay on the routine whereby if there have been 5 attempts that have resulted in "Email address invalid" then the routine is prevented from running for 15 minutes?
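An added example, not part of the original post: a Python handler that gives the same reply whether or not the address is registered, and applies the 5-attempt, 15-minute limit the post proposes as a sliding window per client. `ResetHandler`, `client_id` (for instance the source IP), the in-memory miss store and the `outbox` list are assumptions made for illustration.

```python
import time

GENERIC_REPLY = "If that address is registered, a reset link has been sent."
THROTTLED_REPLY = "Too many requests. Try again later."
MAX_MISSES = 5               # threshold proposed in the post
LOCKOUT_SECONDS = 15 * 60    # 15-minute window proposed in the post


class ResetHandler:
    """Hypothetical forgotten-password handler (names are assumptions)."""

    def __init__(self, known_emails, clock=time.monotonic):
        self.known = {e.lower() for e in known_emails}
        self.clock = clock
        self.misses = {}     # client_id -> timestamps of unknown-address requests
        self.outbox = []     # stands in for a mail queue processed out of band

    def _recent_misses(self, client_id):
        # Keep only misses that fall inside the lockout window.
        cutoff = self.clock() - LOCKOUT_SECONDS
        recent = [t for t in self.misses.get(client_id, []) if t > cutoff]
        self.misses[client_id] = recent
        return recent

    def request_reset(self, client_id, email):
        # Throttle before the lookup, so the throttled reply is also
        # independent of whether the address exists.
        if len(self._recent_misses(client_id)) >= MAX_MISSES:
            return THROTTLED_REPLY
        email = email.strip().lower()
        if email in self.known:
            # Queue the mail instead of sending inline, so response time
            # does not differ between known and unknown addresses.
            self.outbox.append(email)
        else:
            self.misses[client_id].append(self.clock())
        # Same text either way: the reply does not confirm registration.
        return GENERIC_REPLY


if __name__ == "__main__":
    # Constructed sample data, not taken from the post.
    handler = ResetHandler(["alice@example.com"])
    for addr in ["alice@example.com", "nobody@example.com"]:
        print(addr, "->", handler.request_reset("203.0.113.7", addr))
```

The per-client counter only slows a single source; requests spread across many clients need a global rate limit or a CAPTCHA in addition.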