Harry,
Thanks for this. I've been talknig this over with the Auth gurus over the course of the past week. There is a lot to unpack here, so I'm just going to give you a few highlights.
There are instructions in the email that it can be ignored if the recipient didn't request an account.
As a workaround, the user can verify the account, which would stop any email from being sent. Obviously less than ideal since the recipient of the emails may not trust your app enough to find this a happy answer.
A couple solutions we will look at for feasibility are 1) a link to report spam in the email, or 2) throttling the number of requests similar to GitKit.
Thanks so much for the feedback. It led to some great internal discussion and ultimately I filed a feature request on your behalf. Great stuff. I don't have any idea when this might get implemented, but it's now on the radar.
☼, Kato