itslearning Ideas Portal

  • Fix unhandled exception in mailbox

    Posted by Martin Sundhaug on Oct 08, 2009 11:54 PM PDT | Active

    In your mail system, you seem to assume that all recipients of a mail exist; however, recipients are chosen by a client and checked in JS at the sender. But what if the send button handler is changed from javascript:onSend() to javascript:SendMessage? That way recipients are never checked and might include illegal recipients, which (since you seem to be missing exception handling in the inbox) generates an unhandled exception, temporarily paralysing the mailbox of that user.
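    The bypass described in the post above is a general one: any check that runs only in the browser can be skipped by calling the send handler directly, so the server has to validate recipients itself and has to turn a bad recipient into an error response rather than an exception. The following is an added example written for this page, not itslearning code and not code from the post's author; it assumes a hypothetical in-memory user directory (USERS), a hypothetical sendMessage handler pair, and constructed sample input.

```javascript
// Added example (not itslearning code, not from the post's author).
// Contrasts a send handler that trusts the client's recipient check with one
// that validates on the server, under a request whose client-side check was bypassed.

// Constructed sample user directory (hypothetical data).
const USERS = new Map([
  [1, { id: 1, name: "Alice" }],
  [2, { id: 2, name: "Bob" }],
]);

// Server-side recipient validation. Returns { ok, errors } and never throws,
// whatever shape the client actually sent.
function validateRecipients(recipientIds) {
  if (!Array.isArray(recipientIds) || recipientIds.length === 0) {
    return { ok: false, errors: ["No recipients"] };
  }
  const errors = [];
  for (const id of recipientIds) {
    if (!Number.isInteger(id) || !USERS.has(id)) {
      errors.push(`Unknown recipient: ${String(id)}`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Handler modelled on the behaviour the post describes: it assumes every
// recipient exists, so an unknown id dereferences undefined and throws.
function sendMessageUnsafe(senderId, recipientIds, body) {
  const delivered = recipientIds.map((id) => ({ to: USERS.get(id).name, body }));
  return { status: 200, delivered };
}

// Hardened handler: the server re-checks recipients and answers 400 on bad input,
// so a skipped client check can no longer produce an unhandled exception.
function sendMessageSafe(senderId, recipientIds, body) {
  const check = validateRecipients(recipientIds);
  if (!check.ok) return { status: 400, errors: check.errors };
  const delivered = recipientIds.map((id) => ({ to: USERS.get(id).name, body }));
  return { status: 200, delivered };
}

// Simulates a request that reached the send handler without the client-side
// check having run (the situation the post describes). Anything that escapes the
// handler here is the "unhandled exception" of the post.
function simulateBypassedRequest(handler, recipientIds) {
  try {
    return handler(1, recipientIds, "hello");
  } catch (e) {
    return { status: 500, unhandled: e.constructor.name };
  }
}

// Usage (constructed input): recipient 999 does not exist.
console.log(simulateBypassedRequest(sendMessageUnsafe, [2, 999]));
console.log(simulateBypassedRequest(sendMessageSafe, [2, 999]));
```

    The point of the pair is that the client-side check is a convenience for the user, not a security boundary; the only check that counts is the one the server performs on the request it actually received.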

    Reduce number of AJAX posts at message send

    Posted by Martin Sundhaug on Oct 09, 2009 12:07 AM PDT | Active

    When sending a message, two posts are done: one to check recipients (javascript:ValidateRecipients()) and one to send the message itself (javascript:SendMessage()). This could have been accomplished by a single post in javascript:sendMessage, since most of the time recipients are correct. Changing this increases the speed at which the code is executed on the client side (less waiting for the server, less code executed), minimizes pressure on the servers (fewer packets sent), and also fixes a couple of security holes (actually it makes it more difficult to abuse, since you would end up with several lines of javascript), since sending messages is reduced to a single function.

    Going from html to a simpler language as mail formating language

    Posted by Martin Sundhaug on Oct 09, 2009 12:15 AM PDT | Active

    In its mail system, HTML is used to format mails, defining images, links, fonts and more; however, HTML also empowers abusers to do things that the system shouldn't allow, such as using img against log_out.aspx or index.aspx (does the same thing when GETed without arguments), or even /. I therefore suggest that you create a special language in which the number of structures/functions/possibilities is reduced, making it more difficult to abuse.
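    One way to build the reduced formatting language the post asks for is to render a small markup subset to HTML in a single tokenizing pass, so that every tag and attribute that reaches the page is produced by the renderer and never copied from the sender. The following is an added example written for this page, not itslearning code and not code from the post's author; it assumes a hypothetical three-construct syntax (*bold*, [text](url) links, ![alt](url) images), a hypothetical image host allowlist (IMAGE_HOSTS), and constructed sample input.

```javascript
// Added example (not itslearning code, not from the post's author).
// A deliberately small mail formatting language rendered to HTML. Supported:
//   *bold*                     -> <b>
//   [text](https://host/path)  -> <a href>, absolute http(s) only
//   ![alt](https://host/i.png) -> <img src>, only from an allowlisted image host
// Anything else, including every raw HTML character, is emitted as escaped text.

// Hypothetical allowlist: images may only load from these hosts, so an image
// can never be pointed at the application's own endpoints (e.g. /log_out.aspx).
const IMAGE_HOSTS = new Set(["static.example.org"]);

function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Returns a normalised absolute URL string, or null if the URL is not acceptable.
// Relative URLs (which would resolve against the mail system's own origin) and
// non-http(s) schemes are rejected; images are additionally host-allowlisted.
function safeUrl(raw, { imageOnly }) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (imageOnly && !IMAGE_HOSTS.has(u.hostname)) return null;
  return u.href;
}

// One alternation so that constructs cannot match across each other's output:
// group 1/2 = image alt/url, 3/4 = link text/url, 5 = bold text.
const TOKEN = /!\[([^\]]*)\]\(([^)\s]+)\)|\[([^\]]*)\]\(([^)\s]+)\)|\*([^*\n]+)\*/g;

function renderMail(src) {
  let out = "";
  let last = 0;
  for (const m of src.matchAll(TOKEN)) {
    out += escapeHtml(src.slice(last, m.index));
    last = m.index + m[0].length;
    const [whole, imgAlt, imgUrl, linkText, linkUrl, bold] = m;
    if (imgUrl !== undefined) {
      const href = safeUrl(imgUrl, { imageOnly: true });
      // A disallowed image URL is shown as literal text, never as a tag.
      out += href
        ? `<img src="${escapeHtml(href)}" alt="${escapeHtml(imgAlt)}">`
        : escapeHtml(whole);
    } else if (linkUrl !== undefined) {
      const href = safeUrl(linkUrl, { imageOnly: false });
      out += href
        ? `<a href="${escapeHtml(href)}">${escapeHtml(linkText)}</a>`
        : escapeHtml(whole);
    } else {
      out += `<b>${escapeHtml(bold)}</b>`;
    }
  }
  return out + escapeHtml(src.slice(last));
}

// Usage (constructed input): the image aimed at the log-out page stays literal text.
console.log(renderMail("*Hi* ![x](/log_out.aspx) [docs](https://example.org/) <script>alert(1)</script>"));
```

    The allowlist stops a mail from embedding an image that fetches log_out.aspx or any other path on the application's own host. Separately, the post's observation that those pages act on a plain GET is worth fixing on its own: a log-out or other state change that happens on a GET can be triggered by any page that can make the browser load a URL, not only by mail content.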
