Well, limiting your control for some time on matching spamming heuristics is also kind of rate limiting. I am not sure I see the link between number of email attachments and spam though.
> The point is, there was no transparency.
Agreed on this and I alluded to this in my comment.
Though to play devil's advocate again, some security practices are intended to be not transparent. Like 404 instead of 401/403 on admin pages for non admin users. Not specifying what out of username,password,totp combo didn't match.
