
Want to redirect formmail relay spammers


clay3939

6:37 pm on Sep 23, 2002 (gmt 0)

I have several domains where the failure requests show cgi-bin/formmail.pl or .cgi where there have been relay requests. I use PHP so it's just an annoyance rather than a major issue. However just for grins I'd like to send these parasites to a Burn page without having to write it in Perl and name it formmail or risking any other visitor going there. Any suggestions? Thanks.

amoore

7:50 pm on Sep 23, 2002 (gmt 0)

You can write it in PHP and then make a few links to it (filesystem symlinks, like with ln -s) and call them formmail.cgi and formmail.pl. I think you have to have FollowLinks on in your apache config. (or in your .htaccess if you have the proper AllowOverrides)

clay3939

3:39 am on Sep 24, 2002 (gmt 0)

Thanks for the tip. Actually I worked out a simpler way... I created a cgi-bin since there wasn't one, empty except for an .htaccess file denying all access. Then I created a custom 403 forbidden.html that was basically a javascript opening 3 new windows with 3 new pages opening the same ad infinitum all larger than monitor size with the top bars off screen.
Ordinarily I'd never do something like this, but when the only purpose for the request is for an attempted spam relay...

bobriggs

3:58 am on Sep 24, 2002 (gmt 0)

They're not going to see the thousands of pages.

They're running bots that preload the fields or the query string in a POST or a GET respectively. If they get the email back, they know there's a spammable formmail.cgi there.

Since you're going to 403 it, the bots won't run the script, all that they'll see is a 403 error and move on.

[added]
of course, if your host will let you get away with it, what could you do is to write an actual FormMail.cgi script that takes the parameters and sends 100000 1 byte emails back to the recipient, and one to you, telling you it's time to delete the script.

clay3939

4:17 am on Sep 24, 2002 (gmt 0)

re: added As lovely as that sounds using an if < 1000,000,000
I couldn't do it.

Any other ideas?

bobriggs

4:28 am on Sep 24, 2002 (gmt 0)

Idea number 2. (Will take some good programming skills)

You have the IP address. Write the script formmail.cgi that does a whois lookup. - Can you determine the ISP? If so, then send the Request and the query string to abuse@theisp along with an explanation (in case they don't know already).

Else, limit yourself to yahoo, aol, and hotmail. If the recipient is one of those, send to abuse@thosespamtypes.com

None of the above? just exit.

Just a suggestion.

amoore

5:08 am on Sep 24, 2002 (gmt 0)

strangely reminiscent of the Apache::CodeRed module:
[onlamp.com...]

clay3939

5:08 am on Sep 24, 2002 (gmt 0)

Thanks, but ... My host has a very heavy handed prohibition against any script named formmail.pl ¦ .cgi insecure from anywhere but your domain. I'll pass this along to them as an idea.

bobriggs

5:41 am on Sep 24, 2002 (gmt 0)

Just in case you're thinking along these lines, there is another possibility, not as effective as the link that amoore mentioned, but could work nonetheless. (And I put this out just kinda thinking that one of the coders here will have a brainstorm idea and maybe put it to actual use to stop this BS).

If you have access to your raw logs, you still have most of the same information at the time the script was posted. (You won't need a formmail.pl on your server for this). So you can obtain the IP address, the QUERY_STRING, the actual GET request, etc. Maybe a CRON-TAB job each day to look at the logs and grab the requests for any form of formmail.pl, .cgi, etc. The downside is that you won't have the query string in a POST request, which I'm seeing more of. But in the case of a GET, you could extract the 'recipient' field, and that is the intended target of the email to let them know that the site is vulnerable. (Note that the 'recipient' field is well known to the spammers, and that's what gets put in the query string so they get an email back as a notification - you just kind of have to know how that script works).

Just a good Netizen thing, maybe someone will attempt like the Code Red link amoore suggested.
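The log-scanning job bobriggs describes, and the probe pattern he and clay3939 discuss earlier in the thread (a bot hitting formmail.pl/.cgi with a preloaded 'recipient' field so it gets an email back), as an added example that is not code from the thread or from either poster. It assumes Apache combined-format access logs; the log lines below are constructed for the example, with RFC 5737 documentation addresses and made-up recipient addresses. It extracts the 'recipient' value only from GET requests, since, as the post notes, a POST body is not written to the access log.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format). Addresses,
# hosts and recipients are invented for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Sep/2002:03:12:45 +0000] "GET /cgi-bin/formmail.pl?recipient=victim%40example.net&email=x%40example.org HTTP/1.0" 403 210 "-" "Mozilla/4.0"
198.51.100.9 - - [24/Sep/2002:03:13:01 +0000] "POST /cgi-bin/FormMail.cgi HTTP/1.1" 403 210 "-" "-"
192.0.2.4 - - [24/Sep/2002:03:14:22 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Sep/2002:03:15:09 +0000] "GET /cgi-bin/formmail.cgi?recipient=target%40example.com HTTP/1.0" 404 180 "-" "Mozilla/4.0"
"""

# Combined-format prefix: client IP, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Any path ending in formmail.pl or formmail.cgi, in any letter case.
FORMMAIL_RE = re.compile(r'/formmail\.(pl|cgi)$', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def formmail_probes(log_text):
    """Return one record per request for a formmail script.

    For GET probes the 'recipient' query parameter is decoded; for POST probes
    it is None because the form body never reaches the access log.
    """
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec['target'])
        if not FORMMAIL_RE.search(parts.path):
            continue
        recipient = None
        if rec['method'] == 'GET':
            recipient = parse_qs(parts.query).get('recipient', [None])[0]
        probes.append({
            'ip': rec['ip'],
            'time': rec['ts'],
            'method': rec['method'],
            'path': parts.path,
            'status': rec['status'],
            'recipient': recipient,
        })
    return probes


def probes_by_ip(probes):
    """Count probes per client address, for a daily summary."""
    return Counter(p['ip'] for p in probes)


if __name__ == '__main__':
    found = formmail_probes(SAMPLE_LOG)
    for p in found:
        print(f"{p['time']} {p['ip']} {p['method']} {p['path']} "
              f"status={p['status']} recipient={p['recipient']}")
    print(dict(probes_by_ip(found)))
```

Run from a cron job it would read the day's log instead of SAMPLE_LOG; the recipient field is only meaningful for GET requests, and the script reports None for POST probes rather than guessing.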

amoore

6:56 am on Sep 24, 2002 (gmt 0)

I hacked up a mod_perl module based on Apache::CodeRed to listen for probes to formmail scripts and report them to the authorities.
[mooresystems.com...]
I haven't tested it at all really, but hopefully it will give someone a place to start for this type of solution. If you have any questions or anything about it, please let me know.

I figure that as long as you're going to be spending cycles on some reaction to a formmail probe, you might as well report the activity to the appropriate security department.