The biggest problem with using the canned DH formmail is that it requires you to expose certain elements in your web page, namely the recipient email – and a hidden INPUT is not going to deter somebody serious about an attack, nor a robot gathering email addresses for spam (what I’m hoping to prevent in the first place). Using a “custom” formmail lets me control the email process a bit more to my satisfaction.
Perhaps part of the solution is, as you suggest, to remove the reference to Jack’s Formmail – it’s mainly the author’s request that you link back to him in some way as a courtesy.
The logged useragent is, I’m sure, hacked, which I know is easy enough to do with Lynx or Opera; the IE useragent text has always, to my knowledge, stopped after the operating system description (e.g., my IE has never displayed anything about .NET CLR).
Perhaps there’s a way to restrict access to formmail.php so that only the local comments.html can call it? Maybe via .htaccess?
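The recipient-exposure concern raised in the post can be handled by keeping addresses on the server, shown here as an added example that is not part of the original post and is not Jack's Formmail or the DH script. The form field names (`form`, `email`, `subject`, `message`), the recipient keys and the example.com addresses are all assumptions made for illustration.

```php
<?php
// Hypothetical recipient map; the page only ever carries the short key.
const RECIPIENTS = [
    'comments' => 'webmaster@example.com',
    'sales'    => 'sales@example.com',
];

// Return the server-side address for a submitted key, or null if unknown.
function resolve_recipient(string $key): ?string
{
    return RECIPIENTS[$key] ?? null;
}

// Reject values that could smuggle extra mail headers (CR/LF injection).
function is_single_line(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

// Validate a submission; returns [to, subject, body, headers] or null.
function build_message(array $post): ?array
{
    $to      = resolve_recipient((string)($post['form'] ?? ''));
    $from    = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $subject = trim((string)($post['subject'] ?? ''));
    $body    = trim((string)($post['message'] ?? ''));

    if ($to === null || $from === false || $body === '') {
        return null;
    }
    if (!is_single_line($from) || !is_single_line($subject)) {
        return null;
    }
    // The visitor's address goes in Reply-To only; From stays fixed (placeholder).
    $headers = "From: noreply@example.com\r\nReply-To: $from";
    return [$to, $subject === '' ? 'Site comment' : $subject, $body, $headers];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $msg = build_message($_POST);
    if ($msg === null) {
        http_response_code(400);
        exit('Invalid submission.');
    }
    mail(...$msg);
    echo 'Thanks, your comment was sent.';
}
```

With this layout the HTML form carries only a key such as `comments` in its hidden field, so an address harvester reading the page source finds no email address, and a tampered key cannot redirect mail to an arbitrary recipient.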