Autoresponders in the modern email world
Given modern email, one may sensibly ask what the role of various sorts of autoresponders and other 'do things by email' things are. The simple answer is that they have no role; they cannot send email to people who have not asked for it, plus pragmatically, most of the email that they get will have forged sender information and be invalid.
Well, sort of, because the statement of the limitations also shows how you can get around them. There are two general approaches.
First, you can simply make your system never send email. Everything that it would previously have sent email for must be checked and handled at SMTP time and produce SMTP rejections, so instead of an email to tell you that your bug report wasn't formatted right, you get a SMTP rejection to that effect. This obviously only works for 'do things by email' systems that don't need to email people as a routine matter.
The second is that if you can only send email to people who have specifically asked for it, you simply need to have your system only accept email from people who have registered their email addresses with you. Since you can't send bounces, you have to do this check at SMTP time and refuse messages that don't pass it.
(This may still give the malicious a way to harass your users, but at a minimum it insures that you are not sending backscatter to random forged addresses. It follows that you should allow your users to opt out of this, so that if the malicious do start trying to harass them through this they can easily cut the email off.)
These two approaches can of course be combined; you might send friendly error messages by email only to registered users and do SMTP-time rejection for everyone else, for example.
(It is worth mentioning one bad combination explicitly: no matter how tempting it seems, you cannot send email to an email address just because it has submitted a validly formatted request.)
These are pretty strong rules, but I feel that they're what's necessary in a modern email environment.