Correct: the attack here is:
Take big Site with thousands of user, many using thier (sorta) "real names".
Permute these names with some known big email provider hostnames.
Send them all some spam.
It does not really matter if 90% of those emailadresses are incorrect, the rest will hit.
I would not do the MD5 validation thing, why should I?