# Spam and Abuse Protection Mechanisms

Numpay uses several layers of defense to prevent spam, unauthorized requests, and abuse. These controls protect system resources and ensure smooth operation without blocking legitimate users.

### Rate Limiting

Each identifier (phone number) is limited in how often it can request verification or submit transactions. For example, a maximum of 5 verification attempts per hour prevents brute-force attacks. The system also limits requests per IP address to block flooding from bots or compromised networks.
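The following sliding-window limiter is an added example, not Numpay's own code, showing how the per-identifier and per-IP caps described above can be enforced together. The 5-per-hour identifier cap is the page's example; the per-IP cap of 20, the digit-only phone normalization, and all class and function names are assumptions.

```python
import re
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 3600      # one hour, matching the page's example
MAX_PER_IDENTIFIER = 5     # page's example: 5 verification attempts per hour
MAX_PER_IP = 20            # assumed value; the page gives no per-IP figure


def normalize_identifier(phone):
    # Assumed normalization: keep digits only, so "+1 555 0100" and
    # "+15550100" share one counter instead of getting separate budgets.
    return re.sub(r"\D", "", phone)


class VerificationRateLimiter:
    """Sliding-window limiter keyed by phone number and by source IP."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                      # injectable for testing
        self._by_identifier = defaultdict(deque)
        self._by_ip = defaultdict(deque)

    @staticmethod
    def _prune(events, now):
        # Drop timestamps that have aged out of the window.
        while events and now - events[0] >= WINDOW_SECONDS:
            events.popleft()

    def allow(self, phone, ip):
        """Return (allowed, reason). Neither counter is charged on a denial."""
        now = self._clock()
        id_events = self._by_identifier[normalize_identifier(phone)]
        ip_events = self._by_ip[ip]
        self._prune(id_events, now)
        self._prune(ip_events, now)
        # Check both caps before recording, so a request blocked by one cap
        # does not consume budget under the other.
        if len(id_events) >= MAX_PER_IDENTIFIER:
            return False, "identifier_limit"
        if len(ip_events) >= MAX_PER_IP:
            return False, "ip_limit"
        id_events.append(now)
        ip_events.append(now)
        return True, "ok"
```

In a multi-instance deployment the two counters would live in a shared store with key expiry rather than in process memory, since this in-memory version never evicts idle keys.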

### CAPTCHA and Bot Prevention

To distinguish humans from bots, CAPTCHA challenges are introduced during key steps like initial verification and repeated OTP requests. The system uses adaptive CAPTCHA triggers, applying challenges only when suspicious patterns or high request volumes appear. This approach balances user convenience with security.

### Nonce Enforcement and Replay Protection

Every user transaction includes a nonce that must increase sequentially. Transactions with repeated or out-of-order nonces are rejected by smart contracts. This prevents attackers from replaying or spamming identical transactions.

### Blacklisting and Reputation

Numpay tracks identifiers and IP addresses for abusive behavior. Entities flagged for abuse are temporarily or permanently blocked. The system also maintains reputation scores for relayers and verifiers, adjusting permissions based on behavior.

### Optional Proof-of-Work

For suspicious or high-frequency requests, Numpay can require lightweight proof-of-work challenges. This adds a small computational cost to deter large-scale automated spam without burdening normal users.

### Comparison of Protection Approaches

| Protection Layer  | Purpose                        | Numpay Implementation             |
| ----------------- | ------------------------------ | --------------------------------- |
| Rate Limits       | Limit excessive requests       | Per-identifier and per-IP caps    |
| Bot Mitigation    | Prevent automated abuse        | Adaptive CAPTCHA challenges       |
| Replay Protection | Block duplicate/replayed txns  | Nonce checks enforced on-chain    |
| Blacklisting      | Isolate bad actors             | Dynamic blocking of IDs and IPs   |
| Abuse Deterrence  | Discourage large-scale attacks | Optional proof-of-work challenges |


