or alternatively look for an alternative in PHP; it seems there are fewer exploits (that I've heard of).
On servers I co-manage, all FormMail scripts are forbidden and locked; there is no way to use them. We had too much misery with it.
Make your choice (include the htt & ww at the beginning; it seems I don't have enough posts to give a link, crazy thing).
Well, with PHP formmail scripts, there's no risk of software bugs that allow command-line injection or that allow Cc lines to be tacked on to the end of the subject variable. Still no guarantee that the author knows what they're doing, though.
The problem is that if you allow customers to run CGI scripts, they'll happily go ahead and install a five-year-old version of Matt's buggy formmail program, instead of using the nice secure version that's already on the server. The best approach is to proactively search your servers for vulnerable versions.
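
One way to run the server search suggested in the post above, as an added example that is not part of the thread: it matches on file content rather than file name, so renamed copies are found too. The banner pattern, the `scan` and `demo` names, the sample files and the `(1, 92)` threshold are assumptions; set the threshold to whatever version you consider safe.

```python
import os
import re
import tempfile

# Assumption: the script still carries a header comment of the form
# "# FormMail   Version 1.6"; copies with the banner stripped are missed.
BANNER = re.compile(rb"FormMail\s+Version\s+(\d+)\.(\d+)", re.IGNORECASE)

def scan(root, min_version, max_bytes=65536):
    """Return sorted (path, version, status) for files carrying the banner."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue  # skip FIFOs, sockets and broken symlinks
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)  # banner sits near the top
            except OSError:
                continue  # unreadable file: skip it
            match = BANNER.search(head)
            if match is None:
                continue
            version = (int(match.group(1)), int(match.group(2)))
            status = "outdated" if version < min_version else "ok"
            findings.append((path, version, status))
    return sorted(findings)

def demo():
    """Run the scan over a constructed directory tree."""
    samples = {  # constructed sample files, not real customer data
        "cust1/cgi-bin/formmail.pl": b"#!/usr/bin/perl\n# FormMail   Version 1.6   #\n",
        "cust2/cgi-bin/contact.cgi": b"#!/usr/bin/perl\n# FormMail   Version 1.92  #\n",
        "cust3/cgi-bin/hello.pl": b"#!/usr/bin/perl\nprint 'hi';\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        # (1, 92) is a placeholder threshold chosen for this example
        return [(os.path.relpath(p, root).replace(os.sep, "/"), v, s)
                for p, v, s in scan(root, (1, 92))]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Point `scan` at the directory that holds customer web roots and review every row marked `outdated`.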