This file should execute once it is requested. That is, they should not be able to see the .pl file contents as if it's being edited, it should run and output whatever it outputs. (more to this story below.)
As for your directories, DEFINITELY insure that directory browsing is not allowed. To test this, browse to any directory on your site:
You should see the message "Directory Browsing Denied" (or not allowed.) If you see all your files, this is not good - you have two solutions:
1. Get your web host to configure the domain so directory browsing is not allowed.
2. Place an index.html file in EVERY directory. With the proper domain set up, for the above URL, they will see your file, not the directory contents.
For your .pl files, as I said, it's not that someone can get to the files - it's what they do when they get there that you need to be concerned about. Securing perl scripts is a long topic, but one I will sum up with Selena Sol's comment from 1995 or so:
Every user input is a potential hack.
So the first point of concern for any script is to cleanse any input and disallow anything but EXACTLY what it should receive. Many think, "well, it's not on the form, so they can't send it anything else." But don't forget, I can send ANYTHING to a script via command line or web request:
This is especially true of mailer scripts, the largest target of hackers/spammers. If your "data" is via any type of online database, securing your scripts - from within, in the programming - is even more important.
Second, if these .pl files are not MEANT to be accessed from the web, as in an included perl library, you can follow the advice here [webmasterworld.com].
Some relevant searches: "script security", "sql injection", "email injection."