Yeah, definitely don’t want malicious e-mails. But that’s why I asked about authentication - if the smtp server requires a user/password, that would thwart the obvious issues. If it doesn’t, then you would get user info via scripting or a client tag, and not let the user have the “from” option.