A team I worked with had to deal with the issue of
our form mailer being used for spam. We took the approach
of MD5 summing the addresses in the HTML page with some data
only known on the web server and verifying the MD5 sum of
the "to" address when the form was posted. This allowed the
HTML authors to use whatever "to" addresses they wanted to,
and us to only maintain a single form mailer CGI. The
mailer warns you about potential exploit attempts, and
provided us with some interesting results.
If anyone is interested, code based on the techniques from
the earlier work is available here:
http://www.bgw.org/projects/perl/mailer.cgi.txt
Kyle
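
A sketch of the scheme described above, added here as an example; it is not the mailer.cgi code linked in the post. The field names `to` and `to_sum`, the secret value, the CR/LF check and the HMAC-SHA256 variant are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import logging

# Constructed placeholder; in the scheme above this data exists only on the web server.
SERVER_SECRET = b"constructed-example-secret"
log = logging.getLogger("formmailer")


def tag_md5(address: str, secret: bytes = SERVER_SECRET) -> str:
    """Tag as the post describes it: MD5 over server-only data plus the address."""
    return hashlib.md5(secret + address.encode()).hexdigest()


def tag_hmac(address: str, secret: bytes = SERVER_SECRET) -> str:
    """Swapped-in variant: HMAC-SHA256, not affected by length extension
    the way a plain hash over secret-plus-message is."""
    return hmac.new(secret, address.encode(), hashlib.sha256).hexdigest()


def hidden_fields(address: str, tagger=tag_hmac) -> str:
    """Markup an HTML author places in a form (field names are hypothetical)."""
    return (f'<input type="hidden" name="to" value="{html.escape(address)}">\n'
            f'<input type="hidden" name="to_sum" value="{tagger(address)}">')


def verify_recipient(form: dict, tagger=tag_hmac) -> bool:
    """Accept the posted recipient only if its sum matches; log a warning otherwise."""
    address = form.get("to", "")
    supplied = form.get("to_sum", "")
    # Refuse CR/LF so the recipient value cannot carry extra mail headers.
    if not address or "\r" in address or "\n" in address:
        log.warning("rejected malformed recipient %r", address)
        return False
    expected = tagger(address).encode()
    # Constant-time comparison of the recomputed and supplied sums.
    if not hmac.compare_digest(expected, supplied.encode()):
        log.warning("possible exploit attempt: bad sum for recipient %r", address)
        return False
    return True
```

Pass `tagger=tag_md5` to both functions to reproduce the MD5 form the post describes; the two taggers must match between page generation and verification.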