I've just implemented a per-user limit on password reminder emails. By
default, 24 hours must elapse from one password reminder to the next. I
figure if you've just been sent one password reminder, you don't need
another one, assuming your mail was working. There is also a per-IP limit
which was already implemented; it just needs to be configured properly. The
per-user limit prevents mail-bombing of a given user with multiple password
reminders, and the per-IP limit makes it more difficult to send password
reminders to a large volume of users. Per-IP limits are prone to false
positives due to shared IPs, and can be evaded to some degree by technically
capable users, but the per-user limit is quite secure.
Both features will be enabled on Wikipedia soon, if there are no sensible
objections.
-- Tim Starling
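
The two limits described in the message above, as an added sketch that is not part of the original post and is not MediaWiki's own code: a 24-hour per-user interval combined with a per-IP request cap. The per-IP values (5 requests per hour), the class and function names, and the usernames and addresses are all assumptions constructed for illustration.

```python
import time
from collections import defaultdict, deque

USER_INTERVAL = 24 * 3600   # the post's default: 24 hours between reminders per user
IP_MAX = 5                  # assumed value: requests allowed per IP per window
IP_WINDOW = 3600            # assumed value: per-IP window in seconds


class ReminderThrottle:
    """In-memory sketch; a real deployment would keep this state in shared storage."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.last_sent = {}                  # username -> time of last reminder
        self.ip_hits = defaultdict(deque)    # ip -> times of recent requests

    def request(self, username, ip):
        """Return 'sent', 'user-throttled' or 'ip-throttled'."""
        now = self.clock()
        hits = self.ip_hits[ip]
        while hits and now - hits[0] >= IP_WINDOW:
            hits.popleft()                   # drop requests outside the window
        if len(hits) >= IP_MAX:
            return "ip-throttled"
        hits.append(now)                     # count every attempt from this IP
        last = self.last_sent.get(username)
        if last is not None and now - last < USER_INTERVAL:
            return "user-throttled"          # holds no matter which IP asks
        self.last_sent[username] = now
        return "sent"


def demo():
    """Constructed scenario: one target user, then one IP asking for many users."""
    t = [0.0]
    throttle = ReminderThrottle(clock=lambda: t[0])
    results = []
    for i in range(4):                       # same user, a new IP each time
        results.append(throttle.request("Alice", f"192.0.2.{i}"))
        t[0] += 60
    for i in range(7):                       # one IP, a different user each time
        results.append(throttle.request(f"User{i}", "198.51.100.7"))
    t[0] = USER_INTERVAL                     # 24 hours after Alice's first mail
    results.append(throttle.request("Alice", "192.0.2.9"))
    return results


if __name__ == "__main__":
    print(demo())
```

Changing IP address does not get a second mail to the same user inside the interval, while the per-IP cap only stops the single address that keeps asking.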