Hi you appear to be using cgi-lib.pl to parse your input which is outdated, you will find CGI more reliable. Anyway a stepwise approach is in order to debug.

1) Check your sendmail routine works:

my $to      = 'me@my_email.com';
my $from    = 'nobody@nowhere.com';
my $subject = 'test message';
my $body    = 'message body';

sendmail($to,$from,$subject,$body) or err_trap("Sendmail Choked");
[download]

Having proven that your sendmail routine works check to see that your script is getting the input you expect, Data::Dumper is a handy way to output the entire %in hash:

use Data::Dumper;
$email= $in{'EMAIL'};
$mserv= $in{'ELIST'};
print "Content-type: text/html\n\n<pre>\n";
print Dumper \%in;
print '</pre>';
exit;
[download]

If that does not reveal the problem then it may be that your ISP's domain (sendmail is using this in the headers) may be on your target mail recipients spam haven list and has been banned.....

One reason that domains get banned is because people (like you) write insecure scripts (like yours). The 'hidden' field for the to address lets me use your CGI to send mail to anyone@anywhere.com with a from address of spammer@someones.open.gateway.com

As it happens I know your sendmail routine works because I spammed myself with a test message simply by typing this into my browser address bar (of course I could have used LWP and sent 1,000,000 messages killing your mail server and flooding my enemies)

http://www.afoto.com/cgi-bin/boo/amail.cgi?ELIST=jfreeman@tassie.net.a
+u&EMAIL=nobody@nowhere.com
[download]

You must 'hard code' the to address in your script. If you want to deliver to lots of addresses you should store them in a data structure and use 'ELIST' to select the desired address, that way the only available target addresses are yours....

Update

Your mail server is using anonymous as its return path which may well be the problem. Here are the headers from my test spam via your script:

Return-Path: <anonymous@hercules.dns-solutions.net>
Received: from hercules.dns-solutions.net (hercules.dns-solutions.net 
+[209.66.124.56])
    by perseus.tassie.net.au (8.12.6/8.12.6/RG2.3) with SMTP id gA60ux
+p7000438
    for <jfreeman@tassie.net.au>; Wed, 6 Nov 2002 11:57:00 +1100 (EST)
Received: (qmail 3141 invoked by uid 441); 6 Nov 2002 00:56:59 -0000
Date: 6 Nov 2002 00:56:59 -0000
Message-ID: <20021106005659.3140.qmail@hercules.dns-solutions.net>
To: jfreeman@tassie.net.au
From: nobody@nowhere.com
Subject: subscribe
X-UIDL: Moa!!,#]!!9dU"!0[G!!
[download]

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

Aj, aj, aj- I am blushing!
But really appreciate the lesson, still.
I put access to the $to variable in the form in order to find out if it would mail to myself, testing the sendmail mechanism.
But, in my testing frenzy the potential abuse did not occur to me. As soon as a upload finishes I'll take it out, and change the variable name. Will that be a bit safer then?
I'll try the header hypothesis, and check the parsing. I am using a modified version of the old "readparse." (Brenner's?)
Again, thanks. I feel some hope now (mixed with shame, fear, and trembling)

Dagfinn

Volda, Norway, where trolls dance on the telephonewires

Dear tachyon,
I was wondering why this <anonymous@hercules.dns-solutions.net> kept getting subscribed ...
So the mailinglistprogram grabs the Return-Path:, not the From: in making subscribers?

It's early morning in northwestern Norway, after a long night of trying to eff the ineffable. Maybe a workaround will come to me in tortured dreams, or maybe someone here will have pity and suggest something . . .
Or maybe it can't be done with a button on a form if the server's mailheader is that way?
ps. I have removed the offending <INPUT...>
-Dagfinn-

Volda, Norway, where trolls dance on the telephonewires

The mailing list program ezmlm does use the Return-Path from the mail as the address to subscribe and the one is sends the confirmation mail to. The Return-Path is the SMTP envelope sender set with the MAIL FROM command. You usually can't forge this on Unix machines when going through the sendmail process. You can set this when talking directly to the SMTP server but many SMTP servers have limitations on what address they accept. If you are talking to your own mail server, you can configure it to accept these messages but make sure you don't allow your mail server to become a spam relay.

I would argue that ezmlm's behavior is wrong. It should use the From: header to determine the address to subscribe. Its behavior inhibits what you are trying to do of generating a subscription message on behalf of someone else. By forging the Return-Path all bounces messages will go to the user. They really should go to an address that you look at. It doesn't provide any extra security from forgery or spam because the return-path is as easy to forge as the From: header.

You probably don't have any choice in which mailing list program you are using. If you have control of the mailing list, you might want to check if there is some way you can change this behavior. Or if there is some way to access the subscription process.

1. the various MIME/Email RFCs require that there be a blank line between the last header, and the body of the email. When you send a "manual" subscription request, your sending mail client is most certainly doing "the right thing". When you pass a "normal email address" to your CGI, your recieving mail client is probably being very forgiving and parsing the msg even without that blank line. Your mailing list software is probably not as forgiving.
2. This is why you should use modules.
3. Please don't put this CGI any where on the Internet without seriously re-writting it. putting the "to" address in a HIDDEN form variable may seem like a good idea from a maintenance perspective, but it will just turn your site into a massive spam relay, allowing people to write scripts to use your CGI as a starting point for email to any address without any accountability as to where it orriginated from. Even if $body is something hard coded into your script, that the CGI user can't change, they can still use your script to flood someone's inbox -- and you're the one that people will go after when it happens.