is the bar too low?
if it's possible to build an HTTP Resource that allows clients to compose and send an email message using the common media-types (
text/xml, application/json, application/x-www-form-urlencoded, text/plain), that opens things up for abuse, right? more than the SMTP service itself? maybe. proly not. i mean if you can script a HTTP client, you can script an SMTP client, right? also, just as there are cases where you want to secure your SMTP service against abuse (require logins, limit IP, etc.) you can do much the same with the HTTP service (require HTTP Auth, control the TO or even the FROM elements via XSLT inspection, etc.).
maybe there needs to be some extra steps in the process. for example, a client can implment a CAPTCHA element to slow abuse. or the process could be drawn out a bit more by treating it in multiple stages: 1) client does POST to get token-url from server; 2)client does POST of email to token-url. the token-url could a disposable and of limited lifetime. but this is all icing, right? a simple HTTP Auth prevents all of this.
i think it's OK. but i need to think about it some more.