- don't call it 'formmail' to avoid the CGI scanners.
- use .htaccess or something to restrict the script to the IPs you want to have access.
- check the referrer to ensure the visitor came from one of your pages. (can be faked as well)
- yes there are that many evildoers. i have a handful of /24's that have *never* been allocated to a host. i forward them to an IDS and block several scores of evildoers every day. if you log and dissect the numbers you'll learn to tell whether they're spoofing, how far away they are, what type of zombie they've been compromised with, etc.
i truly miss the internet of the late 80's. such a nicer place...
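
The .htaccess restriction and referrer check suggested in the comment above, sketched for Apache 2.4 as an added example that is not part of the original post. The script name, hostname and address ranges are assumptions (documentation values), to be replaced with your own.

```apache
# .htaccess in the directory that holds the mail script (Apache 2.4 syntax).
# Needs "AllowOverride AuthConfig FileInfo" for this directory in the server config.
# Assumed names: contact-7f3a.cgi (hypothetical script name, deliberately not
# "formmail"), www.example.org (your site), 192.0.2.0/24 and 198.51.100.17
# (documentation addresses standing in for the clients you want to allow).

# Flag requests whose Referer header points at one of your own pages.
# The header is supplied by the client, so it can be faked; treat it as a
# filter against lazy scanners, not as authentication.
SetEnvIf Referer "^https://www\.example\.org/" from_own_site

<Files "contact-7f3a.cgi">
    <RequireAll>
        # Hard control: only the listed addresses reach the script at all.
        Require ip 192.0.2.0/24 198.51.100.17
        # Soft control: the request must also claim to come from your pages.
        Require env from_own_site
    </RequireAll>
</Files>
```

Requests that fail either condition are refused before the script runs, and the refusals in the access log show who is probing for it.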