I can speak only to more recent versions of formmail.pl which, as written, can trivially be caused to fail. Any point of failure is a likely vulnerability-- but none that I could specifically find when I looked at formmail.pl (and none that anyone here in several discussions has been willing to state out loud-- even just saying something like "it has a null string problem" or "there is a buffer overflow issue").

My conclusion (which is not that of a known security expert, or even adept cracker) is that the current version is undesirable for many reasons, the main one being its likelihood to fail. The last version, however, your CGI script was essentially an open mail relay, since the form submitted by the user was trusted to contain the correct email address to which to send the email. Most recent discussion on securityfocus.com of a formmail exploit -- again, this exploit does not work against the newest version of formmail.pl.

But back to the original question there does appear to be a tool which checks for potential vulnerabilities like having formmail installed. sample log from a survey by that tool posted at securityfocus.com. Note that the tool is checking for all sorts of misconfigurations and scripts known to have (or have had) vulnerabilities.I link to that discussion not because I think it is ethical to use such tools on remote systems under any circumstances (i.e. no matter the legality, I feel this sort of thing is akin to walking through neighborhoods checking for unlocked doors-- just don't do it), but because the logs posted are educational with respect to many potential vulnerabilities any of us doing web work might encounter.