That's why you need to investigate, rather than simply blocking the user. If set up correctly it should be mostly automated...ask the customer where the email address came from, then take appropriate further steps. SES does none of this, which is why they have this problem.
I'm not sure this is valid. Some users will consider anything spam, including password reset emails they asked for.