What I have been doing is forcing the user to reactivate their account. I find that is more useful than resetting their password as the user has control of the process. It also means that if the spammer has compromised the users email and has access to the reactivation email, then when they next pos...