From the Movable Type web site:
Version 3.15 fixes a vulnerability in the mail sending packages for all Movable Type versions which allows malicious users to send email through the application to any number of arbitrary users.
All users should install this update.
This release fixes a nasty bug where a malicious user can (among other things) post a comment to an MT weblog and cause comment notification e-mails to be sent to any number of recipients they choose.
As noted above, the bug is present in all versions of MT - all 3.x as well as 2.x versions. To secure your MT installation, you can either 1) upgrade to MT v3.15, or 2) install the newly released plugin (patch-20050124-mail-spam.pl). The plugin will correct the vulnerability in MT 3.x installations prior to MT v3.15 as well as MT 2.661 (the plugin has not been tested on MT 2.x versions other than MT 2.661).
Spammers are already exploiting this flaw on MT weblogs, so it is very important to upgrade to MT v3.15 or install the new plugin as soon as possible.
Special thanks to Six Apart for their quick action on this issue. Total time from reporting of flaw to release of fix: 48 hours. (I know this because I reported the flaw.) Considering the flaw was reported on a Saturday night, this was an excellent response by the Six Apart team!
Update 26 Jan 2005: Total Choice Hosting (TCH) installed the plugin yesterday on all MT installations across all TCH servers to proactively protect their customers.