Bounces from end-user portal login form

[tomatic]

I'm using the End-User Portal module and have been having some recent issues with bounces from apparent abuse of the "My Tickets" login form. Essentially, someone enters an email address on that login form and then Freescout sends out the authentication email to that address. On some of these addresses we get a bounce (mailbox full) or an out-of-office autoreply and of course these emails end up creating bogus tickets.

I realized I hadn't enabled the checkbox to only allow existing customers who have tickets to login to End-User Portal, so I enabled that, which should prevent this from happening in the future. But I'm still getting some bounce emails from one of the previous email addresses so I assume FreeScout is apparently still finding this email address somewhere in the system and is hence treating it as an existing user and still sending out the authentication emails for "My Tickets" login attempts.

I did a search for the email address in question, deleted all the bogus tickets I found and emptied the trash. Would that be enough to make Freescout block submitting the login form for this particular address?

PHP version: 7.4.3-4ubuntu2.24
FreeScout version: 1.8.154
Database: MySQL
Are you using CloudFlare: No
Are you using non-official modules: No

[freescout-help]

Probably enabling a captcha https://freescout.net/module/extra-security/ would be more reliable.

[tomatic]

Can't really use reCAPTCHA, as it would require user consent to be GDPR-compliant, which defeats the purpose.

My question really is: what does the end-user portal module check against when determining whether an email address entered on the "My Tickets" login form is an existing customer or not? Active tickets, closed tickets, deleted tickets, ...?

[freescout-help]

emails table in DB.

[tomatic]

Best way to delete a customer along with their record in the emails table is probably the GDPR module?