WiiConnect24 Mail is surprisingly secure when it's used in the default Nintendo configuration. Flowcharts of how the service works are below, courtesy of RiiConnect24, from their flowcharts repository (https://github.com/RiiConnect24/Flowcharts).
RiiConnect24 has open-sourced their mail scripts here. (https://github.com/RiiConnect24/Mail-Go)
Check is how the Wii checks to see if any mail is available; if mail.flag is set to 0, the Wii will not check for mail from receive.
The Wii first sends:
POST /cgi-bin/check.cgi HTTP/1.1
ID is the user's mlchkid, stored in nwc24msg.cfg, which is given by account.cgi to correlate with the Wii FC. The server then responds with:
If flag != 0, the Wii will proceed to do a receive check.
res is a SHA1 HMAC of some description against the challenge. We do not yet know how this works.
Send handles processing of mail from Wii to database (or email server); this script is passed the mlid (w[WII-ID]) and passwd, referenced in nwc24msg.cfg:
POST /cgi-bin/send.cgi HTTP/1.1
Host: rc24.xyz User-Agent: WiiConnect24/22.214.171.124
Content-Type: multipart/form-data; boundary=t9Sf4yfjf1RtvDu3AA
Content-Disposition: form-data; name="mlid"
Content-Disposition: form-data; name="m1"
Content-Disposition: form-data; name="m2" [You get the picture] --t9Sf4yfjf1RtvDu3AA--
The server then responds:
[NUMBER] is the highest mail number (i.e. the total amount of mails sent) -1
Receive sends Wii mail from database/email to Wii; this script is passed the mlid (w[WII-ID]) and passwd, referenced in nwc24msg.cfg
The Wii sends
POST /cgi-bin/receive.cgi HTTP/1.1
And the server will respond with all mail for that user (I have not yet dumped this, someone needs to do a packet dump) in a certain format.
After Wii mail is received, the Wii will inform the server to delete the mail; this script is passed the mlid (w[WII-ID]) and passwd, referenced in nwc24msg.cfg