Sorry if my sarcasm wasn't obvious. I don't agree with Metzger; I think
Metzger is an idiot.

b) Malicious user gets his copy, and sends you *directly* something altered,
but with the same message-id.

A different attack, less commonly exploitable but much more reliable, is
in the following situation:

To: attacker(_at_)host(_dot_)edu, mailing-list(_at_)host(_dot_)edu

If both isp.net and host.edu are running sendmail, the attacker can run
a program that sends a prepared message to mailing-list, copying your
Message-ID, and then pauses for a few seconds.
Set up a new mailing list in a single command. http://pobox.com/~djb/ezmlm.html
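
Added example, not part of the original post or of any mailer's code: a minimal duplicate filter showing why a cache keyed only on Message-ID drops the genuine message when an altered copy with the same ID arrives first, and how keying on Message-ID plus a body digest keeps it. It assumes the recipient discards messages whose Message-ID was already seen; the function names, addresses, IDs and bodies are constructed for illustration.

```python
import hashlib
from email import message_from_string

def id_only_key(msg):
    """Weak key: Message-ID alone. None means 'no ID, never deduplicate'."""
    mid = msg.get("Message-ID")
    return mid.strip() if mid else None

def id_and_body_key(msg):
    """Stronger key: Message-ID plus a SHA-256 digest of the body."""
    mid = id_only_key(msg)
    if mid is None:
        return None
    body = msg.get_payload().strip().encode("utf-8")
    return (mid, hashlib.sha256(body).hexdigest())

def deliver(raw_messages, key_fn):
    """Return the bodies that survive duplicate suppression, in arrival order."""
    seen, delivered = set(), []
    for raw in raw_messages:
        msg = message_from_string(raw)
        key = key_fn(msg)
        if key is not None:
            if key in seen:
                continue  # treated as a duplicate and dropped
            seen.add(key)
        delivered.append(msg.get_payload().strip())
    return delivered

def make(mid, body):
    """Build a constructed single-part message; mid=None omits the header."""
    header = f"Message-ID: {mid}\n" if mid else ""
    return f"From: sender@example.org\n{header}Subject: schedule\n\n{body}\n"

# Constructed arrival order: altered copy first, then the genuine message,
# then a true duplicate of the genuine message, then two ID-less messages.
MAILBOX = [
    make("<1234@example.org>", "Meet at 16:00."),   # altered, same ID
    make("<1234@example.org>", "Meet at 10:00."),   # genuine
    make("<1234@example.org>", "Meet at 10:00."),   # true duplicate
    make(None, "No ID, first."),
    make(None, "No ID, second."),
]

if __name__ == "__main__":
    print("ID only:     ", deliver(MAILBOX, id_only_key))
    print("ID + digest: ", deliver(MAILBOX, id_and_body_key))
```

With the digest key, a list copy whose body was changed in transit (an appended footer, for instance) is delivered alongside the direct copy, so the filter fails open rather than silently losing mail.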