It seems like the attack is just taking user names and other publicly-known data trying to determine an email address from them. Spammers don't need microid to confirm that their guess is correct; they'll just send to all 50 or 100 top email domains, hoping to get a hit.
The whole point of MicroID is that if someone knows your email address, they can tell that you are the author of the page. If your email address is easy to guess, then your email address will be revealed, _whether_or_not_ there's a microid here, there, or anywhere.
If an email address is easy to guess, then the email address is easy to guess. Not clear what new ground we're covering here.
"Given the choice between accomplishing something and just lying around, I'd rather lie around. No contest." -- Eric Clapton