MT-Blacklist -> Hijacked comments.cgi - anyone using Movable Type should disable the comment script. The check that is supposed to keep junk out of the sender address input is broken, which allows you to sneak in additional recipient addresses by separating them from the actual sender address with a line feed. And with that you can happily use MT to spam other people.

A real beginner mistake - the email validation is done with a regex that isn't anchored to the end of the string and uses dotall - so it only checks up to a possible line feed and ignores everything after it. Really stupid.
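The flaw described above, as an added Python example (not Movable Type's code, which is Perl): the pattern is a constructed stand-in, and the function names and sample addresses are assumptions. It goes slightly beyond the post by also showing that a bare `$` anchor still accepts a trailing line feed.

```python
import re

# Constructed stand-in for an address pattern; NOT Movable Type's actual regex.
ADDRESS = r"[\w.+-]+@[\w-]+(\.[\w-]+)+"

def weak_is_valid(value: str) -> bool:
    # re.match anchors only at the start. Once an address has been matched,
    # whatever follows it (a line feed, further header lines) is never examined.
    return re.match(ADDRESS, value) is not None

def dollar_is_valid(value: str) -> bool:
    # Common half-fix: "$" also matches just before a final "\n",
    # so a value ending in a line feed still passes.
    return re.match(ADDRESS + "$", value) is not None

def strict_is_valid(value: str) -> bool:
    # Hardened check: no CR/LF anywhere, and the entire value must be
    # the address (fullmatch anchors both ends, with no "$" newline quirk).
    if "\r" in value or "\n" in value:
        return False
    return re.fullmatch(ADDRESS, value) is not None

# Constructed sample inputs for a "sender address" form field.
SAMPLES = {
    "clean": "alice@example.org",
    "extra_header": "alice@example.org\nBcc: other@example.net",
    "trailing_lf": "alice@example.org\n",
    "garbage": "not an address",
}

def classify() -> dict:
    # Map each sample name to (weak, dollar, strict) verdicts.
    return {
        name: (weak_is_valid(v), dollar_is_valid(v), strict_is_valid(v))
        for name, v in SAMPLES.items()
    }

if __name__ == "__main__":
    for name, verdicts in classify().items():
        print(f"{name:13} weak={verdicts[0]} dollar={verdicts[1]} strict={verdicts[2]}")
```

Any value that ends up in a mail header should be rejected if it contains CR or LF, independently of whether it looks like an address.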
