How to prevent logged-in users sending spam via private messaging?

Question

We have a site, logged-in users can send private messages to other users on site.

When a user sends a new private message to the other user on site, the receiver is notified by email ("Hey, you received a new private message on site").

Now, suppose I'm a malicious user, I start spamming tons of private messages. That will result in tons of notifications emails. What is the best practice to block this?

Answer 1

Not necessarily "best practice", but options include:

• Requiring a hashcash before allowing a registration or a message (this wards off most bots)
• Detecting and blocking IP addresses that opens multiple user accounts in too short a period of time
• Passing the remaining messages through conventional or online spam filters
• Throttling the number of messages that can be sent, e.g. X per hour
• Allowing end-users to flag a message as spam upon receiving it
• Preemptively locking an account that has been flagged a spammy more than a few times — hiding all of the messages it sent in the process

Another one to keep in mind and deal with is abuse, e.g. genuine users who repeatedly send offensive private messages. For this, consider a bozo system: a user marked as a bozo can interact with the site normally, but only bozos can read another bozo's posts — they're visible amongst themselves and invisible to everyone else.