As long as content is authored by the administrator of the server, I don't see where there is a security issue.

It's like if you point to your own Apache server in your own domain where you host a scam page and say there's a security issue with Apache because you could do that.

Or are you saying that you can make this person's server serve third-party content?

> Or are you saying that you can make this person's server serve third-party content?

Http: yes see OP

Email: not sure. Hopefully not. But spoofing happens.