Having special characters is a good idea but having a comma just to break a CSV is dumb. This would only happen if the hacker used a bad exporter or created their own (very poorly).
> don't let the end user know that you were able to send an email.
I need to stress this is a very important point. If you happen to state the email they entered already exists in the system, the attacker now knows that is a valid account then use a known password linked to that email to gain access.
- route throttling to something high since if they are new users they shouldn't need to hit that form more than once
- don't let the end user know that you were able to send an email. Keep it vague like "if your email exists, you should receive an email soon."
- don't use a personal email server; something like sendgrid can give you a server that is in good/neutral standing
- if you have to handle your own emails, keep up with any bounce backs and always keep an eye your server being on any blacklists to get it cleared out as soon as possible
- honeypots can be useful if the spammer(s) isn't keeping a close eye on their scripts
If you don't want someone/something from seeing your content, don't put it on the internet but if that isn't enough:
- add a disallow in your robots.txt (many people say the bots ignore this anyways)
- somehow have your pages so far down in SEO rankings that bots would deem it incorrect/irreverent
- put your content behind a login; this too has it's issues since the bot handler can just get some login credentials to crawl anyways or a user can copy the content elsewhere
- you could also try gaming the system by making your content so offensive that the current AI censorship fad blocks it
- you could try not linking a domain name to the IP, making it harder to find
- sue any AI developer that you think crawled your content