gayatri r
Apr 21, 2022

Once you hit the password change request, send it to Intruder and use null payloads of, let's say, some number. If you still get the forgot password emails in your inbox, there should be rate limiting on that functionality. Replaying of this forgot password request should not be allowed.
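A server-side sketch of the rate limiting this comment asks for, added here as an example and not code from the comment's author. The class and function names, the limits (3 emails per account and 10 per client in a 15-minute window) and the sample address and IP are all assumptions.

```python
import time
from collections import defaultdict, deque


class ResetRequestLimiter:
    """Sliding-window limiter for forgot-password requests (hypothetical helper)."""

    def __init__(self, per_account=3, per_client=10, window=900.0, clock=time.monotonic):
        self.limits = {"account": per_account, "client": per_client}  # assumed limits
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)  # (kind, value) -> timestamps of sent emails

    def allow(self, email, client_ip):
        now = self.clock()
        # Key on the submitted address whether or not the account exists,
        # so throttling does not reveal which addresses are registered.
        keys = [("account", email.strip().lower()), ("client", client_ip)]
        for key in keys:
            hits = self._hits[key]
            while hits and now - hits[0] >= self.window:
                hits.popleft()  # drop entries older than the window
        if any(len(self._hits[k]) >= self.limits[k[0]] for k in keys):
            return False
        for key in keys:
            self._hits[key].append(now)
        return True


def handle_forgot_password(limiter, email, client_ip, send_email):
    """Return an HTTP-style status; send mail only when under the limit."""
    if not limiter.allow(email, client_ip):
        return 429
    send_email(email)
    return 202


def replay_demo(replays=20):
    """Constructed scenario: the same request replayed `replays` times."""
    fake_now = [0.0]
    limiter = ResetRequestLimiter(clock=lambda: fake_now[0])
    outbox, statuses = [], []
    for _ in range(replays):
        statuses.append(handle_forgot_password(
            limiter, "user@example.test", "203.0.113.7", outbox.append))
        fake_now[0] += 1.0  # one replay per second
    fake_now[0] += 900.0  # wait out the window, then try once more
    late = handle_forgot_password(limiter, "user@example.test", "203.0.113.7", outbox.append)
    return statuses, late, len(outbox)
```

In a multi-instance deployment the counters would live in a shared store instead of process memory.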
