Bug in MyBB 1.2 - allows users to email unactivated accounts
kozik
I have found a bug in MyBB 1.2 which allows any registered and activated user to send email to unactivated accounts. This can be used to send spam from a vulnerable MyBB site to any email address.
Proof of concept:
- We allow registered users to send emails.
- Someone (e.g. Bob) creates a new account using another person's email address (e.g. Alice's). Alice receives the account activation email but ignores it (she never even visited our site).
- Bob (or anyone with an activated account) can now send Alice emails through our site, including spam.
So our server has become (a kind of...) open relay.
The vendor has been notified (12.02.2006, 00:51 am). My patch for this vulnerability:
http://www.kozik.net.pl/projekty/mybb/1.2/005_spam_email_send2_unactivated.bug.diff
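As an added illustration (this is neither MyBB's code nor the patch linked above), here is the authorization check a member-to-member email handler needs, with the incomplete condition beside the fixed one. The user array fields and status values are assumptions for the example, not MyBB 1.2's schema.

```php
<?php
// Added example, not MyBB's code. Models the "send email to member" check.
// Assumed user shape: ['uid' => int, 'email' => string,
//                      'status' => STATUS_*, 'allow_email' => bool]
const STATUS_ACTIVE   = 'active';   // assumed: address confirmed by its owner
const STATUS_AWAITING = 'awaiting'; // assumed: registered, activation mail ignored

// The weak check: only the board setting and the recipient's preference are
// consulted. An "awaiting" recipient may carry someone else's address
// (Bob registering with Alice's email), so the board relays mail to Alice.
function vulnerable_can_email(array $sender, array $recipient, bool $membersMayEmail): bool
{
    return $membersMayEmail && $recipient['allow_email'];
}

// The hardened check: both ends must hold a verified account.
function hardened_can_email(array $sender, array $recipient, bool $membersMayEmail): bool
{
    if (!$membersMayEmail) {
        return false;
    }
    // The sender must have confirmed their own address; otherwise a throwaway
    // registration is enough to use the board as a relay.
    if ($sender['status'] !== STATUS_ACTIVE) {
        return false;
    }
    // The recipient must have proven ownership of the address on file, so the
    // board never mails a third party who merely had their address typed in.
    if ($recipient['status'] !== STATUS_ACTIVE) {
        return false;
    }
    return (bool) $recipient['allow_email'];
}

// Constructed sample data mirroring the scenario in the post.
$bob   = ['uid' => 1, 'email' => 'bob@example.invalid',
          'status' => STATUS_ACTIVE,   'allow_email' => true];
$alice = ['uid' => 2, 'email' => 'alice@example.invalid',
          'status' => STATUS_AWAITING, 'allow_email' => true];

printf("weak check lets Bob email unactivated Alice: %s\n",
    vulnerable_can_email($bob, $alice, true) ? 'yes' : 'no');
printf("hardened check lets Bob email unactivated Alice: %s\n",
    hardened_can_email($bob, $alice, true) ? 'yes' : 'no');
```

The same recipient-status test belongs on every path that can produce an outbound message to a member's address, not only the contact form.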
Posted in Blog - Web
