This is a PHP script on a client's site to process their forms to send email:

```php
<?

$adminaddress = $HTTP_POST_VARS['sendemail'] ;
$siteaddress ="http://www.test.com";
$sitename = "test";

//No need to change anything below ...
// Gets the date and time from your server
$date = date("m/d/Y H:i:s");

// Gets the POST Headers - the Flash variables
$email = $HTTP_POST_VARS['email'] ;
$name = $HTTP_POST_VARS['name'] ;
$comments = $HTTP_POST_VARS['message'] ;
$subject = $HTTP_POST_VARS['subject'] ;
$phone = $HTTP_POST_VARS['phone'] ;
//$city = $HTTP_POST_VARS['city'] ;
//$edate = $HTTP_POST_VARS['date'] ;

//Process the form data!
// and send the information collected in the Flash form to Your nominated email address
mail("$email", "$siteaddress-Confirmation Email", "We have received your form successfully. We will contact you soon. Thank you.", "From: $adminaddress", "-f $adminaddress");

mail ("$adminaddress","$sitename - $subject",
"A visitor at $sitename has left the following information\n
Name: $name
Subject: $subject
Email: $email

The visitor commented:
------------------------------
$comments
","From: $email", "-f $email")

?>
```

Wouldn't this script be vulnerable to spammers that could easily send a "post" to that file with any email address they want?

I am pretty good with PHP and believe that this script is vulnerable, but since the script is used by a pretty large design firm, I want to make sure before I take it up with them.
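
A hardened counterpart to the handler posted above, added here as an example; it is not part of the original post or the design firm's code. `ADMIN_ADDRESS`, `SITE_NAME`, `single_line()` and `build_admin_mail()` are assumed names, and the sample submissions are constructed.

```php
<?php
// Added example (not the original script). The recipient is fixed on the
// server instead of being read from the posted 'sendemail' field.
const ADMIN_ADDRESS = 'webmaster@example.com';   // placeholder address
const SITE_NAME     = 'test';

// Accept only short, single-line values for anything placed in a mail header.
function single_line(string $value, int $max = 150): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $max || preg_match('/[\r\n]/', $value)) {
        return null;
    }
    return $value;
}

// Returns [to, subject, body, headers] for mail(), or null if input is rejected.
function build_admin_mail(array $post): ?array
{
    $email   = filter_var(trim($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    $name    = single_line($post['name'] ?? '');
    $subject = single_line($post['subject'] ?? '');
    $message = trim($post['message'] ?? '');
    if ($email === false || $name === null || $subject === null || $message === '') {
        return null;
    }
    $body = "A visitor at " . SITE_NAME . " has left the following information\n"
          . "Name: $name\nSubject: $subject\nEmail: $email\n\n"
          . "The visitor commented:\n------------------------------\n$message\n";
    // From stays the site's own address; the visitor's address goes in Reply-To.
    // No user input reaches mail()'s fifth (additional parameters) argument.
    $headers = "From: " . ADMIN_ADDRESS . "\r\nReply-To: $email";
    return [ADMIN_ADDRESS, SITE_NAME . " - $subject", $body, $headers];
}

// Constructed sample submissions.
$samples = [
    ['email' => 'visitor@example.org', 'name' => 'Pat', 'subject' => 'Quote', 'message' => 'Hi'],
    ['email' => 'visitor@example.org', 'name' => 'Pat', 'subject' => 'Quote', 'message' => 'Hi',
     'sendemail' => 'someone-else@example.net'],          // posted recipient is ignored
    ['email' => 'not-an-address', 'name' => 'Pat', 'subject' => 'Quote', 'message' => 'Hi'],
    ['email' => 'visitor@example.org', 'name' => 'Pat', 'subject' => "Quote\r\nsecond line", 'message' => 'Hi'],
];
foreach ($samples as $post) {
    $mail = build_admin_mail($post);
    echo $mail === null ? "rejected\n" : "accepted: to={$mail[0]} subject={$mail[1]}\n";
    // In a real handler: if ($mail !== null) { mail(...$mail); }
}
```

The automatic confirmation message is left out on purpose, because the submitted address is unverified and the script would otherwise send mail to whatever address the form supplies.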