Formmail in particular is a nasty critter, as described here. The problem is that the recipient's address is just a hidden field in the form. Hence, anybody can use your mail server to send eemail just anywhere. Many spammers have abused this, and likely many still do.

I can only hope that NMS plugs that hole... I'm virtually certain they did. Well... see the use of the variable @allow_mail_to in the script source. That's what it's for.