If you've ever gotten SPAM that started out as something like "here is the contents of your feedback form", followed by some spam, it's from a script like this.

Please do not deploy this script. Your server will be blackballed within hours of the first SPAM sent using it. Then good luck getting back on the good side of the blacklisters.

Additionally, I think this is based on a common script which has this flaw (is it Matt Wright's "mailform", or something like that?), so the following is a lie:

## Created by Aaron Anderson
## sulfericacid@qwest.net
[download]

-- Randal L. Schwartz, Perl hacker

There are many dangers inherent in rolling your own mail script. (Matt Wright managed to expose almost all of them, so you can search perlmonks and/or the web and newsgroups if you want excrutiating detail.)

merlyn correctly pointed out that your script is ripe for spam abuse. And don't think they won't use it.

First, there is a project called NMS that creates solid "simple" scripts like this that are audited by the community for security holes. I'd recommend looking there first in the future. In particular, look at their formmail script. The code is well documented, and it can prevent the spam relay concerns, as well as others.

Second, while you module makes use of the CGI module, you don't use any of the Mail::* modules. I recommend using a module for this sort of thing: It increases portability, and centralizes the functionality so it easy to upgrade security holes if/when they are discovered.

Third, you don't make use of taint checking. While all CGI scripts should arguably use taint checking, scripts that pass said data to other programs need it all the more.