Rate Limit on Password Reset

[hiasl]

Currently it is possible to abuse the password reset function next to the CP login to spam a user with password reset mails.

Please add a rate limit in the same way as with the login.

[angrybrad]

Good idea.

In the meantime, a workaround would be to listen to something like the Mailer::EVENT_BEFORE_SEND event from a custom module/plugin, check if it's a password reset email, then apply custom rate-limiting logic.