The ESPs that process mail, such as xp_findnextmsg, xp_readmail, xp_sendmail, and xp_deletemail, are database objects owned by the System Administrator.
Limit execution permission of these procedures to users with the sa_role or to a very small group of users to prevent unauthorized users from accessing Sybmail to execute queries that they would normally not be able to execute.
