Open
Description
This issue has been migrated from #14764.
Description:
When a new user registers through a client like Element with 3pid email and reCAPTCHA turned on, the email verification gets sent immediately, before the user (or bot) has solved the captcha. This opens up the email infrastructure backing the Synapse instance to abuse. Lots of SMTP relays have monthly limits as well as monitoring of bounced emails and complaints. If you run your own mail system then you can get your IP blocked or a nasty email from your ISP. There is no reason to send the verification email before verifying that the user is a human, and presenting both of these tasks to the user at the same time is a sloppy user experience too.
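The ordering problem reported above, as an added example that is not part of the original issue and is not Synapse code: a toy registration server that either sends the verification mail on request or refuses until the captcha stage is complete. The class, method names and the session-keyed token request are assumptions made for illustration; only the two stage names are Matrix auth types.

```python
from dataclasses import dataclass, field

RECAPTCHA = "m.login.recaptcha"        # Matrix auth stage for the captcha
EMAIL = "m.login.email.identity"       # Matrix auth stage for e-mail ownership


@dataclass
class Session:
    completed: set = field(default_factory=set)


class RegistrationServer:
    """Hypothetical model of a registration flow, keyed by a session id."""

    def __init__(self, require_captcha_first, verify_captcha):
        self.require_captcha_first = require_captcha_first
        self.verify_captcha = verify_captcha   # callable(response) -> bool
        self.sessions = {}
        self.outbox = []                       # addresses that were mailed

    def start(self, sid):
        self.sessions[sid] = Session()

    def submit_captcha(self, sid, response):
        ok = sid in self.sessions and self.verify_captcha(response)
        if ok:
            self.sessions[sid].completed.add(RECAPTCHA)
        return ok

    def request_email_token(self, sid, email):
        session = self.sessions.get(sid)
        if session is None:
            return False
        if self.require_captcha_first and RECAPTCHA not in session.completed:
            return False                       # nothing leaves the mail relay
        self.outbox.append(email)
        return True


def simulate(require_captcha_first):
    """Constructed traffic: five sessions that never solve the captcha, one that does."""
    server = RegistrationServer(require_captcha_first, lambda r: r == "solved")
    for i in range(5):
        server.start(f"auto{i}")
        server.request_email_token(f"auto{i}", f"unrelated{i}@example.org")
    server.start("human")
    sent = server.request_email_token("human", "alice@example.org")  # asked early
    server.submit_captcha("human", "solved")
    if not sent:                               # client retries after the captcha
        server.request_email_token("human", "alice@example.org")
    return server.outbox
```

With the gate off, all six requests reach the outbox; with it on, only the session that solved the captcha causes mail to be sent.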