And your solution is to assume everyone on the internet is a good actor?
How would you solve this at scale?
How about a signup flow where the user sends the first email? They send an email to [email protected] (or to a generated unique address), and receive a one-time sign-in link in the reply. The service would have to be careful not to process spoofed emails though.
Another approach is to not ask for an email address at all, like here on HN.
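The spoofing check that the send-the-first-email signup idea depends on, as an added example that is not part of the thread. It assumes the service's own inbound MTA evaluates DMARC and stamps an Authentication-Results header; the authserv-id `mx.service.example`, the function names and the sample messages are all constructed for illustration.

```python
import hashlib, hmac, secrets, time
from email import message_from_string
from email.utils import parseaddr

AUTHSERV_ID = "mx.service.example"   # assumption: authserv-id of our own inbound MTA
SECRET = secrets.token_bytes(32)     # per-process key; persist it in a real deployment

def authenticated_sender(raw):
    """Return the From address only if our MTA recorded dmarc=pass for its domain."""
    msg = message_from_string(raw)
    froms = msg.get_all("From", [])
    results = msg.get_all("Authentication-Results", [])
    if len(froms) != 1 or not results:        # duplicate From headers are a spoofing trick
        return None
    addr = parseaddr(froms[0])[1].lower()
    if addr.count("@") != 1:
        return None
    domain = addr.split("@")[1]
    # MTAs prepend headers, so only the topmost one is ours; lower ones came with the mail.
    authserv, _, rest = " ".join(results[0].split()).partition(";")
    if authserv.lower().split()[:1] != [AUTHSERV_ID]:
        return None
    for clause in rest.lower().split(";"):
        fields = clause.split()
        if fields[:1] == ["dmarc=pass"] and f"header.from={domain}" in fields:
            return addr
    return None

def issue_token(addr, now, ttl=900):
    """Short-lived HMAC token for the reply link; single use needs a server-side record."""
    payload = f"{addr}|{int(now) + ttl}"
    return payload + "|" + hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def verify_token(token, now):
    payload, _, sig = token.rpartition("|")
    good = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), good.encode()):
        return None
    addr, _, expires = payload.rpartition("|")
    return addr if int(expires) >= now else None

# Constructed sample messages (not from the thread).
GENUINE = ("Authentication-Results: mx.service.example;\n dkim=pass header.d=alice.example;\n"
           " dmarc=pass header.from=alice.example\nFrom: Alice <alice@alice.example>\n"
           "To: signup@service.example\nSubject: sign up\n\nhi\n")
SPOOFED = ("Authentication-Results: mx.service.example; dmarc=fail header.from=victim.example\n"
           "Authentication-Results: mx.service.example; dmarc=pass header.from=victim.example\n"
           "From: victim@victim.example\nTo: signup@service.example\n\nhi\n")

if __name__ == "__main__":
    for raw in (GENUINE, SPOOFED):
        sender = authenticated_sender(raw)
        print(sender, issue_token(sender, time.time()) if sender else "no reply sent")
```

Sending no reply at all when the check fails also keeps the signup address from being used to bounce mail at a forged sender.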
OP basically said that the firewall rules and email confirmation alone would've mostly mitigated this.
But also Anubis is a good alternative to slow bots.