That code looks quite scary. No traces of use strict, taint mode not enabled, incomplete manual decoding of CGI parameters (instead of using one of the CGI modules), lots of error checks missing (read, flock), invoking sendmail with unverified parameters, using a single string instead of using the "secure pipe open" technique or using a perl-based mailer (the old but working MIME::Lite, the modern but more complex Email::Sender, ...) instead of sendmail

The last problem makes the webserver vulnerable: Just imagine what happens when someone submits a form with the email value set to bla@bla.bla;uname -a;ls /;cat /etc/passwd.

Alexander