I have now added a PHP wrapper around formmail.php which does the following additional sanity checks:

- Must be a POST request
- Referrer can be empty but if set must match our domain
- Check that all hidden fields used on my site are set (e.g. subject, required, good_url, bad_url, derive_fields and mail_options)
- Check that the number of POST parameters is at least 2 + number of above hidden fields (e.g. 8), as my forms always have at least two controls

This should get rid of those "direct post spammers" who don't go through the effort of parsing the form (I checked the server log files and they use a simple POST directly to formmail.php).

Would be nice if that could go into a FormMail ini file one day. But hey, FormMail is great as it is.
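
A sketch of such a wrapper, as an added example that is not the poster's code or part of FormMail. The four checks and the hidden field names come from the post; the host name `www.example.com`, the constant and function names, and the location of formmail.php beside the wrapper are assumptions.

```php
<?php
// Added example: gate in front of formmail.php. Host name and file layout are assumptions.
const ALLOWED_HOST  = 'www.example.com';   // assumption: the site's own host name
const HIDDEN_FIELDS = ['subject', 'required', 'good_url', 'bad_url',
                       'derive_fields', 'mail_options'];
const MIN_CONTROLS  = 2;                    // every form has at least two visible controls

/** Returns null when the request passes all four checks, else the reason for rejection. */
function reject_reason(array $server, array $post): ?string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'not a POST request';
    }
    $referrer = $server['HTTP_REFERER'] ?? '';
    if ($referrer !== '') {                 // an empty referrer is allowed
        $host = parse_url($referrer, PHP_URL_HOST);
        // Compare the parsed host, not a substring, so "www.example.com.other.test" fails.
        if (!is_string($host) || strcasecmp($host, ALLOWED_HOST) !== 0) {
            return 'referrer is not our domain';
        }
    }
    foreach (HIDDEN_FIELDS as $name) {
        if (!array_key_exists($name, $post)) {
            return "hidden field '$name' missing";
        }
    }
    if (count($post) < count(HIDDEN_FIELDS) + MIN_CONTROLS) {
        return 'too few POST parameters';
    }
    return null;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests, for exercising the gate offline.
    $form = array_fill_keys(HIDDEN_FIELDS, 'x') + ['email' => 'a@b.test', 'msg' => 'hi'];
    $ok   = ['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'https://www.example.com/contact.html'];
    var_dump(reject_reason($ok, $form));                                  // complete form
    var_dump(reject_reason($ok, ['email' => 'a@b.test', 'msg' => 'hi'])); // hidden fields absent
    var_dump(reject_reason(['REQUEST_METHOD' => 'GET'], $form));          // wrong method
} elseif (($reason = reject_reason($_SERVER, $_POST)) !== null) {
    error_log("formmail gate: $reason from " . ($_SERVER['REMOTE_ADDR'] ?? '?'));
    http_response_code(403);
} else {
    require __DIR__ . '/formmail.php';   // assumption: formmail.php sits beside this wrapper
}
```

The Referer header and every POST field are supplied by the client, so this gate only stops senders that do not reproduce the form's fields, which is the case the post describes.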