This morning I received, within 5 minutes, several feedback messages from my site in my mailbox. The version I currently use is
//$Id: feedback.module,v 1.41 2005/07/27 16:14:06 kbahey Exp $
I think there is potential for spamming using this feedback form and I need some guidance.
Here is the message I received:
-- The following message was sent using the feedback page --
Content-Type: multipart/mixed;
boundary="501fddf784b286815317e40814e057cb"
MIME-Version: 1.0
Subject: phltrxav
To: kyqydl@authentic-empowerment.net
bcc: battsl1005@aol.com
From: dzqkt@authentic-empowerment.net
This is a multi-part message in MIME format.
--501fddf784b286815317e40814e057cb
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
fdibwkaix
--501fddf784b286815317e40814e057cb--
----------------------------------
Site Name : Empowering your Authentic Self
Full Name : dzqkt@authentic-empowerment.net
E-mail address : dzqkt@authentic-empowerment.net
Referring page : dzqkt@authentic-empowerment.net
IP Address : http://whois.sc/69.44.152.166
I administer a hosting company and have been fighting spam sent using this technique for the last month or so. I keep a close eye on feedback scripts, and on the first sign of abuse I will not allow my clients to use the feedback script, period, done, no more.
If I had set the MTA to blackhole or fail the message, I might never have seen it.
This was submitted by an anonymous user, so he/she was able to enter an email address and falsify it by using my domain name. There is no such referring page unless Drupal created it at the time of the feedback submission.
The To: header is directed back to my site, as these guys probably realize the majority of MTAs are set to blackhole or fail messages without a proper address or email account. I don't really have a problem here.
It's the blind copy "bcc: " that I believe could be a major hassle. This needs to be removed. I've looked at the script but cannot find where it is located.
I know a regex can catch this and eliminate it. If this check were in place, then spammers would have one less feedback form to use to send spam. I also think an extra check should be in place so that an anonymous user could not use the site domain name as part of their email address, and so that the only place emails could be sent would be to the site administrator.
If this is not a problem, then I request this possible bug entry be removed and apologize for taking up your time. I have not checked the server logs to verify that this is in fact a problem, but I have disabled the module until I am satisfied it cannot send spam.
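The attack in the report above is e-mail header injection: a form field that is copied straight into the mail headers carries a CRLF followed by "bcc: ...", so the MTA sees a second recipient header. The following is an added example written for this page (Python, not the feedback module's own PHP code) that shows the vulnerable header construction beside a hardened version implementing the two checks the report asks for: rejecting line breaks in any header field and refusing the site's own domain from anonymous submitters. The site domain is taken from the report; the administrator address, the Bcc recipient and both submissions are constructed for the example.

```python
import re
from email.message import EmailMessage
from email.parser import Parser

# Site domain taken from the report above; the administrator address is assumed.
SITE_DOMAIN = "authentic-empowerment.net"
ADMIN_TO = "admin@authentic-empowerment.net"

# Constructed submission modelled on the spam in the report: the e-mail address
# field carries a CRLF followed by a "bcc:" line.  The other fields are harmless.
INJECTED_SUBMISSION = {
    "name": "dzqkt",
    "email": "dzqkt@authentic-empowerment.net\r\nbcc: victim@example.org",
    "subject": "phltrxav",
    "message": "fdibwkaix",
}
# Constructed legitimate submission for comparison.
CLEAN_SUBMISSION = {
    "name": "Pat",
    "email": "pat@example.org",
    "subject": "Question about the site",
    "message": "Hello, where can I find the schedule?",
}


def build_headers_naive(sub, admin_to=ADMIN_TO):
    """Vulnerable construction: form fields are concatenated straight into the
    header block, so a CRLF inside a field starts a new header line."""
    return (f"From: {sub['email']}\r\n"
            f"Subject: {sub['subject']}\r\n"
            f"To: {admin_to}\r\n")


def header_names(raw_header_block):
    """Parse a header block the way an MTA would and return the lower-cased
    header names it contains; an injected bcc shows up as its own header."""
    msg = Parser().parsestr(raw_header_block + "\r\n", headersonly=True)
    return [name.lower() for name in msg.keys()]


HEADER_BREAK = re.compile(r"[\r\n\x00]")
ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def header_value(value, field):
    """Reject any field that could terminate a header line."""
    if HEADER_BREAK.search(value):
        raise ValueError(f"{field}: line break in header field (header injection)")
    return value.strip()


def sender_address(email_addr, site_domain=SITE_DOMAIN, anonymous=True):
    """Validate the reply address; anonymous users may not claim the site's
    own domain, which is the spoof seen in the report."""
    email_addr = header_value(email_addr, "email")
    if not ADDRESS.match(email_addr):
        raise ValueError("email: not a valid address")
    domain = email_addr.rsplit("@", 1)[1].lower()
    if anonymous and domain == site_domain.lower():
        raise ValueError("email: anonymous users may not use the site domain")
    return email_addr


def build_message_safe(sub, site_domain=SITE_DOMAIN, admin_to=ADMIN_TO, anonymous=True):
    """Hardened construction: every header is validated, the recipient is fixed
    to the administrator, and user text goes only into the body, where a line
    break cannot create a header."""
    reply_to = sender_address(sub["email"], site_domain, anonymous)
    msg = EmailMessage()
    msg["To"] = admin_to
    msg["From"] = f"feedback@{site_domain}"   # assumed fixed site sender
    msg["Reply-To"] = reply_to
    msg["Subject"] = header_value(sub["subject"], "subject")
    msg.set_content(f"Full Name : {sub['name']}\n\n{sub['message']}\n")
    return msg


def is_rejected(sub, **kwargs):
    """True when the hardened builder refuses the submission."""
    try:
        build_message_safe(sub, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive headers:", header_names(build_headers_naive(INJECTED_SUBMISSION)))
    for sub in (INJECTED_SUBMISSION, CLEAN_SUBMISSION):
        print("rejected" if is_rejected(sub) else "accepted", "->", sub["email"].split("\r")[0])
```

The naive builder yields a header block in which "bcc" appears as a real header, which is exactly what the reporter's MTA delivered. The hardened builder never lets a field reach the header block unchecked, and because To: is fixed to the administrator the form cannot be turned into an open relay even if a check is bypassed.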
Comments
Comment #1
kbahey commented:
Already fixed.
You are using an old version.
http://drupal.org/node/29927