No, the drop down link was not there.
This spam outfit obviously knew about the exploit. They were NOT logged in, nor had they ever registered.
They simply used the same URL each time:
Content visible to verified customers only.
Which worked for them to send hundreds of spam emails while NOT logged in until I commented out code in misc.php. Now they'll get a white screen.
The other thing about this exploit was that HUNDREDS of email addresses could be placed in the To: line.
inetnum: 188.8.131.52 - 184.108.40.206
descr: 322367987_Edago Dexter Cyberzone Co.