> > The ideal world contains a mix of techniques.
> > 
> > You cannot just blindly leave it to the MTA to decide what's valid.
> > Along that path lies madness.  How do you pass the address to the MTA?
> > Don't do it as a system() call unless you want someone to own your
> > box with a semicolon.
> Only if you don't properly quote/escape the arguments you are passing.

That's a great theory that's been a disaster in practice, as "properly"
is difficult and mistakes often turn into exploits.

That's not to say that you're not right, obviously you are, but that is
kind of more of a sign of the scope of the problem than anything else.
In an ideal world, it wouldn't be an issue.  In reality, the set of
allowed characters for e-mail addresses should probably have been a bit
more controlled...
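
Added example, not part of the original message: the system()-style call discussed above, next to a quoted shell call and a call that hands the address to the child process as a single argv element with no shell involved. `FAKE_MTA`, the function names and the sample address are assumptions made for illustration; the stand-in child only prints the arguments it receives, so nothing is sent.

```python
import shlex
import subprocess
import sys

# Stand-in for the MTA binary (assumption, so this runs without sendmail):
# a child process that prints each argument it received on its own line.
FAKE_MTA = [sys.executable, "-c", "import sys; [print(a) for a in sys.argv[1:]]"]

# Constructed sample input: a harmless marker command after the semicolon.
SAMPLE = "a@example.com; echo INJECTED"

def _run(cmd, shell):
    out = subprocess.run(cmd, shell=shell, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()

def deliver_via_shell(addr):
    """The 'before': system()-style, the address is parsed by /bin/sh."""
    prefix = " ".join(shlex.quote(p) for p in FAKE_MTA)
    return _run(prefix + " -- " + addr, shell=True)

def deliver_via_shell_quoted(addr):
    """Still a shell, but the address is quoted for POSIX sh."""
    prefix = " ".join(shlex.quote(p) for p in FAKE_MTA)
    return _run(prefix + " -- " + shlex.quote(addr), shell=True)

def deliver_via_argv(addr):
    """No shell at all: the address is one argv element, whatever it contains."""
    # "--" is the conventional end-of-options marker; also refuse a leading "-"
    # and control characters, which argv passing alone does not neutralise.
    if addr.startswith("-") or any(c in addr for c in "\r\n\0"):
        raise ValueError("refusing address: %r" % addr)
    return _run(FAKE_MTA + ["--", addr], shell=False)

if __name__ == "__main__":
    for fn in (deliver_via_shell, deliver_via_shell_quoted, deliver_via_argv):
        print(fn.__name__, fn(SAMPLE))
```

The quoted variant is only correct for the shell that `shlex.quote` targets (POSIX sh); the argv variant does not depend on any quoting rules.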

