Requiring confirmation from the old email is not a good idea for the reason already mentioned.
Asking for password reentry to change the mail address would be good. If you have left your browser open where other people could have access to it, then it gives an extra measure of protection. Requiring a signed blockchain message for an email change could be a good way to stop this type of hijack.
Requiring email confirmation on signup is also good to help reduce spammers. It doesn't help in this case, but I believe it would be beneficial for the forum.
{reply crafted before the previous post was submitted}
Email confirmations don't help to reduce spammers (or just a little) since bots are usually coded to verify emails as well. But an email confirmation to authorize changing the email is more convenient (and not afterwards, like it is currently). I know people say "what if they lost their email box access". Well, you can't hold hands with everyone like you do with children.