We are using the Domain Mapping plugin and one of our client showed us smth interesting recently:
Imagine that the main (net) site is site.ru. We are using subdomains which are automatically given to clients, so 1.site.ru, 2.site.ru, ect. Usually people map their domains (if they have any) like MyOwnDomain.ru. But one of our clients mapped smth.site.ru. So he mapped our subdomain, free but our - not client's one.
We are asking you to add a checkbox in the settings of the plugin which allow or disallow such thing for clients. We would prefer to disallow this feature now.
Also I would like to ask to add two fields: 1 - for prohibited subdomain (which we do not like our clients use), 2 - the domains which also could be blocked to use (sor example: our domain is site.ru but we we also has a mirror sEte.ru and do not like our clients use smth.sEte.ru).
I hope our clients do not discover this hacking feature until you add the checkbox.
And PLS - write about the checkbox in the changelog of the plugin to let us know about adding it (we always read changelogs when update plugins).
P.S.- I am not authorised to give access, sorry. But I am sure that you can test this at any your WP MU site (which uses subdomains, not subdirectories).