I think the easiest solution is to have one enter email address instead of user id for password retrieval. Then a spammer who knows only id of another user but not email address cannot spam him/her.