Great question. You're correct that the mana system alone isn't a sufficient mitigation against that kind of spam. During the early design phase of Koinos we thought a lot (A LOT) about "mining contracts" on EOS like EIDOS, which is effectively the same attack. Since Koinos is more similar to EOS than Steem (despite being a totally new and different architecture), that might be the better comparison.
Let's start by really defining spam. A user can absolutely perform tons of transactions, even maxing out their mana/resource credits, and all those transactions can be valuable to the user (not spam). Spam is those transactions that a user is performing simply because they have surplus resource rights that they would not otherwise use. In other words, they are choosing to mobilize their resource rights because there is no cost to doing so. Since there is no cost, then any upside, no matter how tiny or how unlikely, is worth it. The issue is one of opportunity costs. There are opportunity costs associated with holding a given asset, so if holding that asset gives you any capabilities, you're going to max out those capabilities in an attempt to offset those opportunity costs. The solution then is to give the user another option to which they can allocate their capital that will provide them a yield equal to or better than those opportunity costs. With that option on the table, the user will be incentivized to acquire only as much resource rights as they need to perform valuable transactions.