SQL Server's e-mail stored procedures can provide a means for an attacker to submit queries and receive the results from an anonymous account. This affects the audit trail and could prevent tracing.
xp_deletemail: Deletes an e-mail from SQL Server's inbox.
xp_findnextmsg: Receives a message ID and returns the message ID of the next mail in SQL Server's inbox.
xp_readmail: Used to either view the inbox or a specific mail.
xp_sendmail: Sends an e-mail, together with an optional resultset.
xp_startmail: Used to start a SQL Mail client session.
xp_stopmail: Used to end a SQL Mail client session.