Topic on Project:Support desk

reset password page falsely states it sent a password, given blank username

24.9.62.241

I was very confused by the behavior of the password reset page at

https://www.mediawiki.org/wiki/Special:PasswordReset

when I entered a blank Username and my email address (or any text with an "@"). The response is:

    Reset password
    A password reset email has been sent.

but I get nothing, and of course it can't be true when the email address has a nonexistent domain name like xyzzy@abc.

Nemo bis

Yes, PasswordReset lies to avoid sharing private information.

24.9.62.241

The problem is that the site doesn't just say that no username at all has been specified. Instead it says it sends email, which it doesn't actually send. That leads the user to look for email, to get the impression that the email address is indeed on file at the site, to get more confused at what is really going on, and generally to waste time.

I agree that the site should not give a response which lets someone learn, e.g., which username is associated with an email address, but that isn't the question here. If the username and password don't match, it says that. In this case the site has never even heard of the email address in question, and it does the same thing for valid and invalid email addresses.

Florianschmidtwelzow

That is as Nemo wrote: the site lies to protect other users. No one has to know if a specific E-Mail address is used for mediawiki.org (or some other site using MediaWiki). Normally the user knows what E-mail address or Username he used for mediawiki.org, so it's normally not confusing. That's a point to protect the users of this and other sites using MediaWiki.

24.9.62.241

That is beside the point. I'm just saying that when the user does not enter a username, then the site should say "no username entered", rather than saying it sent an email.

Florianschmidtwelzow

Sorry, but if you don't type in anything (no username and no e-mail address) then the site doesn't say that an E-Mail is sent. But if you type in one (username or e-mail) then you pass the requirements (see the first sentence on Special:PasswordReset: "Fill in one of the fields to receive a temporary password via email"). So all ok!

24.9.62.241

Aha - I missed that it says either is ok. Thanks for clearing up my confusion! So the response can still be confusing, but I guess that even knowing whether the email sending script immediately responds with e.g. "Domain Not Found" would leak some information about the view of the web from the Wikipedia server.
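The design the thread settles on has three parts: reject a request only when both fields are blank, return the same "email has been sent" message whether or not the address is on file, and keep delivery (with any bounce or DNS failure) out of the request path so it cannot change the response. The following is an added illustration of that pattern, not MediaWiki's own PasswordReset code; the account store, `request_reset`, the contrasting `request_reset_leaky` and the message strings are assumptions constructed for the example.

```python
"""Constructed example of an enumeration-resistant password reset handler.

Not MediaWiki's code: a minimal model of the behaviour discussed in the thread.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample account store (username -> on-file address); addresses are made up.
ACCOUNTS = {
    "alice": "alice@example.org",
    "bob": "bob@example.org",
}

SENT_MESSAGE = "A password reset email has been sent."
EMPTY_MESSAGE = "Fill in one of the fields to receive a temporary password via email."


@dataclass
class ResetResult:
    message: str                       # what the requester sees
    outbox: List[str] = field(default_factory=list)  # addresses queued for later delivery


def _lookup(username: str, email: str) -> Optional[str]:
    """Return the on-file address matching the request, or None if nothing matches."""
    username = username.strip()
    email = email.strip()
    if username and username in ACCOUNTS:
        return ACCOUNTS[username]
    if email:
        for addr in ACCOUNTS.values():
            if addr.lower() == email.lower():
                return addr
    return None


def request_reset(username: str = "", email: str = "") -> ResetResult:
    """Hardened form: the only request-time error is 'both fields blank'.

    A known address is queued for delivery; an unknown one is silently dropped.
    The message is identical in both cases, and delivery happens outside this
    function, so a bounce or a nonexistent domain never alters the response.
    """
    if not username.strip() and not email.strip():
        return ResetResult(EMPTY_MESSAGE)
    addr = _lookup(username, email)
    outbox = [addr] if addr else []
    return ResetResult(SENT_MESSAGE, outbox)


def request_reset_leaky(username: str = "", email: str = "") -> ResetResult:
    """Leaky form, shown for contrast: the response confirms which addresses are registered."""
    if not username.strip() and not email.strip():
        return ResetResult(EMPTY_MESSAGE)
    addr = _lookup(username, email)
    if addr is None:
        return ResetResult("No account uses that username or email address.")
    return ResetResult(SENT_MESSAGE, [addr])


if __name__ == "__main__":
    for args in [("", ""), ("", "alice@example.org"), ("", "xyzzy@abc"), ("alice", "")]:
        print(args, "->", request_reset(*args).message, "| queued:", request_reset(*args).outbox)
```

Running the block shows the uniform message for both `alice@example.org` and the unregistered `xyzzy@abc`, which is exactly the behaviour the original poster found confusing; the blank-field case is the only one that returns a different message. In a real deployment the queued address would be handed to a mail worker, so even the "Domain Not Found" timing the last post mentions stays off the request path.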
