It's highly doubtful that an extension would change get.php. This file is used to retrieve media files stored in the database as BLOB objects, not for sending email.
It's more likely that due to extremely delayed installation of the SUPEE-5994 patch, someone has hacked this site to turn it into a spam relay.