I used to write this printserver software
As an ex-print server developer, I can throw in a few comments here...
* If the print server is attached to a publicly accessible IP Address, then anyone can spam it. Just hope the printer understands the print job (i.e. don't send PCL5 printouts to a PostScript printer or vice-versa)
Could attempt to access the built-in webserver and its configuration page. This would then tell you the correct printer drivers to use. (This would need a human involved to read it)
But - why on earth would a sane company have a printer accessible to the outside world? That is just asking for trouble. I know - because we used to spam printers from our office "just for the laugh" back in the 90's. I remember hitting printers at Microsoft and The White House!! And being shocked by the lack of security to stop us (or even track us)
Also, the spammers are going to have to do a lot of "setup" this way... and only know if they get it right if they can watch "page counts" go up correctly after they send their spam. Far too much effort....
* If the printer is on a properly secured/firewalled internal network, then it can only be spammed from inside the company. Still untraceable, but will now need to have a PC compromised first before it can fire out that "spam".
For the cross site scripting thing to work, the hacker still needs the IP Address of the printer. So ends up with some form of brute force scanning for it.....
It also is going to have to rely on some stoopid employee to be looking at compromised sites... oh yeah - we are talking users... so highly likely!!
Now not being a web programmer, I don't understand WHY the browser should be allowed access to a printer via JavaScript. Especially when one studies the method used - this is http'ing to the printer port....
hxxp://aaron.weaver2.googlepages.com/CrossSitePrinting.pdf
Not much that can really be done to stop this at the printserver though. The Direct Printing Protocol to port 9100 has no way of authenticating. No way of "checking" for legitimate print jobs. No way of adding a password to the printserver.
And no point in adding the password if the print job is being sent from a PC within the office anyway....
But why be worried about printers? Worst case, loss of paper and toner. I'd be much more worried about those door entry systems, fingerprint readers, etc. I know the company I used to work for was AWFUL for the security of these things. Basically shipping out "working betas" to secure banks!! NO security on the firmware update side. Horrendous!! And guess how the firmware was updated? Yep.... "printed" in through port 9100!!
(Now FIRMWARE compromises... that is an interesting one... imagine if someone managed to reverse engineer the firmware for the printserver... and added their own network sniffing code into it... then sneaked that back onto the printer. NOW we have a serious security risk without anyone being any the wiser....)
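
Added example, not part of the original comment: since port 9100 cannot authenticate a sender, one detection option is to inspect the first bytes of each job at a capture point in front of the print server and flag payloads that are really HTTP requests from a browser. The capture point, function names, addresses and sample jobs below are all assumptions constructed for illustration.

```python
import re

# Start of an HTTP/1.x request, which is what a browser-originated "job" looks like.
REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|HEAD|OPTIONS|DELETE|PATCH) \S+ HTTP/1\.[01]\r?\n")
UEL = b"\x1b%-12345X"  # PJL Universal Exit Language prefix used by many drivers

def classify_job(data: bytes) -> str:
    """Classify a raw port-9100 payload by its leading bytes."""
    head = data[:512]
    if REQUEST_LINE.match(head):
        return "http-request"
    if head.startswith(UEL):
        head = head[len(UEL):]
        if head.startswith(b"@PJL"):
            return "pjl"
    if head.startswith(b"%!"):
        return "postscript"
    if head.startswith(b"\x1bE"):  # PCL printer reset
        return "pcl"
    return "unknown"

def browser_headers(data: bytes) -> dict:
    """Pull the headers that identify the browser and the page that sent the job."""
    header_block = re.split(rb"\r?\n\r?\n", data, maxsplit=1)[0]
    wanted = {b"host", b"origin", b"referer", b"user-agent"}
    found = {}
    for line in header_block.splitlines()[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() in wanted:
            found[name.strip().lower().decode()] = value.strip().decode("latin-1")
    return found

def triage(jobs):
    """Return (source_ip, headers) for every job that is really an HTTP request."""
    return [(src, browser_headers(data)) for src, data in jobs
            if classify_job(data) == "http-request"]

# Constructed sample captures: (client IP, first bytes received on port 9100).
SAMPLE_JOBS = [
    ("10.0.0.17", UEL + b"@PJL JOB NAME=\"report\"\r\n@PJL ENTER LANGUAGE=PCL\r\n"),
    ("10.0.0.18", b"%!PS-Adobe-3.0\n%%Title: invoice\n"),
    ("10.0.0.23", b"POST / HTTP/1.1\r\nHost: 10.0.0.50:9100\r\n"
                  b"Origin: http://compromised.example\r\n"
                  b"User-Agent: ExampleBrowser/1.0\r\n\r\nconstructed body text\n"),
]

if __name__ == "__main__":
    for src, headers in triage(SAMPLE_JOBS):
        print(f"ALERT browser-originated job from {src}: {headers}")
```

The source IP in an alert identifies the internal PC whose browser sent the job, and the Origin or Referer header, when present, names the page that triggered it.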