How about show success, but adjust the confirmation e-mail accordingly. For example, if the e-mail address is not registered you could say something like "We received a request to recover your password on our service but see that you are not registered for our service with this e-mail address." ?
I considered this, but it makes an easy way for someone to cause the site problems. I guess coupled with captcha it could work, but someone could send a lot of emails to different people, if enough mark it as spam they might have problems as it is TECHNICALLY unsolicited, but I guess at the same time I could do the same with registering...
