I forgot to address part of your question, and wanted to make sure I did. First, you can't validate the referer field. It is set by the client and could easily be forged to the correct value.

Taint checking is not a cure-all. It won't keep your program from doing insecure things if your program is designed to do insecure things (like acting as an open relay). It will keep you from accidentally sending user data to the shell or a system process where it can cause a lot of damage-- but it is limited by the logic you use to detaint input.

If formmail.pl were truly an open gate to rooting a box, then why hasn't it been done on a large scale? The script is everywhere on low-cost hosting services, and has been around a while. We'd forget all about IIS and Outlook for a while, I'd think...