Warn the user at first if you determine this was on purpose. They may be compromised if the script is running in /tmp and running a vulnerable web application. They might be sharing / reselling the server on the other hand.
Nope was defiantly a deliberate act we could just turn down its cpu allocation but, the nature of it grates on my nerves its not intended for legit purposes and the email address's havent asked to be added to a database......
Unless the user can provide a valid reason for harvesting email addresses (with supporting evidence) then I wouldn't hesitate to terminate him/her for aiding and abetting the distribution of spam. He/she might scream but all of your present and future (legitimate) customers will support you.
I would definitely drop the user, but only after giving a warning, and advising them that harvesting, or adding emails to lists without the email owner being asked to be added is not a good practice. If continues just drop the user.
They are probably not in violation of any TOS simply by collecting info available on the Internet (Unless their bandwidth/CPU usage is considered excessive). The TOS violation would be if they try to use that info to spam.
He took the node from a load average of 2 to load average of 130..... i think that would be considered abusive. So while we couldn't drop him for his email harvesting (working on a updated TOS to correct that as pointed out we cant just drop as and when) he was abusing the systems resources