As far as I can see his only point was that this incredibly ill-conceived feature can be disabled if only people read the documentation, which is not very reassuring to me.

Wordpress defaults to requiring moderation. I don’t know if it is even possible to make it as silly as the e107 setup I found being used to send out spam, and I have no desire to invest time in finding out.

I also have not had the same level of grief with Wordpress as I have with e107 thus far. Nor many other types of software that my users install. e107 has proven exceptional in this regard, so I will continue to recommend that people not touch it with a barge pole.

Rather than arguing back and forth on my blog about how e107 stacks up against Wordpress, how about you people spend the time making sure there are no more “features” like this email thing which will cause administrators like me to find old unmaintained installs of your software spewing out spam. That might be more productive for you since as far as e107 goes I am a lost cause both as an advocate and a prospective user.

I assume (though I could be wrong) that the option to moderate comments on this type of blog is set by the person owning the blog (in this case you). If I am correct and someone doesn’t set it to moderate, does it then make it a stupid option because they can receive tons of spam due to the input of arbitrary email address coupled with arbitrary text?

No it is not your responsibility to manage every single web app your users use, but it is also not up to you to recommend people stay away from a decent app because of options you don’t like and a list of vulnerabilities found with a google search that were fixed before you made the first post of this topic.

It would be the same as someone finding an old exploit on your site that was taken care of but them using it as a reason to advise everyone avoid your services with a barge pole. Unprofessional at the very least.

It isn’t my responsiblity to have to learn how to manage every single web app my users may install just to prevent security breaches and spamming of third parties. There are not enough hours in the day and if that is your best suggestion then I would only be forced to ban use of any non-vetted package.

If you want to argue that 100% of the e107 installations I have found so far have been managed by users with poor judgement who failed to keep their software up to date then that is a line of argument I would be more willing to accept.

However the email feature concerned is extremely silly and should never have even been contemplated.

I don’t believe that the scenario you described would be possible with this blog, as all the comments need to be moderated by myself before they are posted.

Thus, someone would have to add a comment with a fake email address, and then add the spam comments too (without akismet catching them), and I would need to approve all of them, or else they would all have to be submitted by registered users of this site.

Further,
The option to email a news item (to an arbitrary email address) with additional text is no more stupid than this blog where followup comments can be sent (to an arbitrary email address). This too could be used to send spam. Just imagine if someone found your email address, put it in the mail box above where the comments are entered, entered something like this blog sucks then subbmitted the same thing a hundred times, you would receive 100 emails telling you this blog sucks. See my point?