this is an update to an earlier bug report (#10292) consider an email with sender's adress like: <"blabla 0 touch /bin/I_was_here "@somewhere.org> no consider "somewhere.org" gets its mail via UUCP. in the uucp queue the "rmail" command will replaced by the "touch" command the attacker submitted. Of course this is only an issue if the uucp-system on the receiving end had "ALL" commands allowed to be executed via uucp (which is silly at best). Anyway I think it is not very nice. as you don't want to touch uucp itself, maybe a sendmail ruleset will do which denies email with whitespace in the adress name to be relayed to uucp queues ..!
moving this bug to #54466, which addresses the last errata relating to this fix