User access rules are run against new password requests

I had a user access rule set up such that usernames would be denied that contained the "@" symbol (because I didn't want people creating usernames that were email addresses). I also have LoginToboggan v1.3 installed. I recently upgraded to drupal v5.12. Now, any user who requests a new password by entering their email address into the "Username or e-mail address" field gets an error message stating: " is not allowed to request a new password". It appears that the user access rules are being run against this field. I am not sure if this is a drupal bug or a LoginToboggan bug. I removed the "@"-related user access rule and now people are able to request new passwords again.