A client of mine entered the wrong email while registering on our website. He requested email verification five times straight. Because his email didn't exist, the email failed to deliver. Because of that, our hosting provider issued a temporary ban as emails were going from our account to non-existing emails. I researched and found out that WHMCS does not limit the number of times verification emails or any other emails are sent in a given timeframe. Because of that, a spammer can register on a WHMCS website and request verification emails multiple times, and he can block the server IP from sending any type of email. The whole hosting account can get banned from sending emails due to the absence of this critical functionality.
How can you verify this?
Register as a client on your website where you use WHMCS and enter the wrong email. The verification link won't arrive. You can keep on resending the verification link unlimited times, and it will keep sending them emails, which will eventually keep bouncing back to you and then block ALL the emails from your hosting.
Which Functionality is to be implemented?
There should be a limit on how many times a particular user can request verification emails or any other type of activity where an email is sent in a given time frame. For example, the client can request email verification or password reset only 3 times in 1 hour or something similar.
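A sketch of the limit requested above, added here as an example and not taken from WHMCS or from the original post: a sliding-window limiter that allows 3 email-triggering requests per hour. The class and function names, the sample address and the choice to count per destination address as well as per account are assumptions made for the illustration.

```python
import math
import time
from collections import defaultdict, deque


class EmailSendLimiter:
    """Sliding-window cap on requests that trigger an outgoing email."""

    def __init__(self, limit=3, window_seconds=3600, clock=time.monotonic):
        self.limit = limit            # 3 requests ...
        self.window = window_seconds  # ... per hour, as the post suggests
        self.clock = clock            # injectable so the window can be tested
        self._sent = defaultdict(deque)  # key -> timestamps of allowed sends

    def check(self, user_id, email):
        """Return (allowed, retry_after_seconds); record the send if allowed."""
        now = self.clock()
        # Assumption: count per account and per destination address, so a
        # second account aimed at the same dead mailbox shares the budget.
        keys = [("user", user_id), ("addr", email.strip().lower())]
        blocked, retry_after = False, 0
        for key in keys:
            stamps = self._sent[key]
            while stamps and now - stamps[0] >= self.window:
                stamps.popleft()      # drop sends that left the window
            if len(stamps) >= self.limit:
                blocked = True
                wait = math.ceil(self.window - (now - stamps[0]))
                retry_after = max(retry_after, wait)
        if blocked:
            return False, retry_after  # caller must not send the email
        for key in keys:
            self._sent[key].append(now)
        return True, 0


def five_requests_in_a_row():
    """Constructed scenario from the post: five resend clicks, wrong address."""
    limiter = EmailSendLimiter(clock=lambda: 0.0)
    return [limiter.check(42, "typo@example.invalid")[0] for _ in range(5)]


if __name__ == "__main__":
    print(five_requests_in_a_row())
```

The counters here live in process memory; a real deployment would keep them in the application's database so the limit survives restarts and is shared across web workers.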