Suggestion
Resolution: Unresolved
Scenario:
The password-reset link allows users to send an unlimited number of e-mails. If attackers automate the repeated request with scripts, the result is an e-mail bomb that can create denial of service (DoS) conditions against the e-mail software, and even against the network and Internet connection, by consuming a large amount of bandwidth and, sometimes, requiring large amounts of storage space.
Steps to reproduce the scenario:
- Try to log in to Jira using <JIRA-Base_URL> and click on "Can't access your account?".
- Select a user account, send an e-mail to that user, and repeat the same operation multiple times.
- We are able to send any number of e-mails using this scenario.
- We agree that such cases might create mail flooding; an e-mail bomb may create denial of service (DoS) conditions.
Suggestions:
- Allow administrators to set a limit on the number of emails sent per user via the "can't access your account" page.
- Allow administrators to enable a captcha once the number of password-reset emails for a user crosses a certain (configurable) threshold.
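A sketch of both suggestions together, as an added example (not Jira's code and not part of the report): a per-account sliding window that counts reset mails actually sent, demands a captcha once an administrator-set threshold is crossed, and stops sending at a hard cap. The class name, the two thresholds and the one-hour window are assumed values chosen for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    SEND = "send"                 # deliver the reset mail
    CAPTCHA_REQUIRED = "captcha"  # threshold crossed: ask for a captcha first
    BLOCKED = "blocked"           # hard per-user cap reached: send nothing


@dataclass
class ResetMailLimiter:
    """Sliding-window limiter for password-reset mails, keyed by account.

    Both knobs are meant to be administrator-configurable, as the
    suggestion asks: captcha_threshold is the number of mails per window
    after which a captcha is demanded, max_per_window is the hard cap.
    Values here are illustrative assumptions, not Jira defaults.
    """
    window_seconds: int = 3600
    captcha_threshold: int = 3
    max_per_window: int = 5
    # account -> timestamps (seconds) of mails sent inside the window
    _sent: dict = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, account: str, now: float) -> deque:
        """Drop timestamps that have fallen out of the window."""
        q = self._sent[account]
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        return q

    def request(self, account: str, now: float, captcha_ok: bool = False) -> Decision:
        """Decide what to do with one 'can't access your account' request."""
        q = self._prune(account, now)
        if len(q) >= self.max_per_window:
            return Decision.BLOCKED
        if len(q) >= self.captcha_threshold and not captcha_ok:
            return Decision.CAPTCHA_REQUIRED
        q.append(now)  # count the mail only when it is actually sent
        return Decision.SEND
```

Whatever the decision, the page shown to the requester should look the same, so the limiter reduces mail volume without changing what the user-facing form reveals.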