OTP-only auth: when the email IS the identity
A one-time code stops password theft. It does not stop disposable inboxes from farming accounts — each one with a fresh set of cost caps.
If your only credential is a six-digit code sent to an email address, then the email address is the account. That is clean, until you remember how cheap email addresses are.
The disposable-inbox problem
A CAPTCHA stops bots at the door. It does nothing about a script driving a real browser through a throwaway-inbox service, collecting a fresh account and a fresh set of usage limits every time. The counter you so carefully built resets per identity, and identities are free.
Reject throwaways, but fail open
A before-user-created hook can reject known disposable domains. Write it so that a
bug in the hook can never lock a real user out of signing up.
A control that protects signup must never become the reason signup is down.
Fail open here, not closed. The worst case for a broken filter should be a few junk accounts, never a working reader who cannot get in.