I would agree that you need a little more security. I don't have a script handy, but I did find a couple of very useful resources that explain the exploits and how to prevent them.

The first is the user comments section of the PHP Mail Functions [us3.php.net]

The second [securephp.damonkohler.com] is a much more detailed look at the problem.

This is venturing off topic.. but
You might also want to consider installing some sort of trap to capture direct requests to your mail functions on the server. This involves a few lines of code in your .htaccess file and a perl script in your cgi-bin. Here's what I have in my .htaccess which calls the script, trap.pl.

RewriteEngine on

RewriteCond %{REQUEST_URI} ^/FormMail [NC,OR]
RewriteCond %{REQUEST_URI} ^/FormMail\.(cgi如l如hp) [NC,OR]
RewriteCond %{REQUEST_URI} ^/cgi(\-local吒-bin)/FormMail [NC,OR]
RewriteCond %{REQUEST_URI} ^/cgi(\-local吒-bin)/FormMail\.(cgi如l如hp) [NC,OR]
RewriteCond %{REQUEST_URI} (mail.?form圩orm圩orm.?mail妃ail妃ailto)\.(cgi圯xe如l)$ [NC]
RewriteRule .* /cgi-bin/trap.pl [L]

That pretty much captures any request to any mail function on my server. If such a request is made, that visitor gets redirected to trap.pl, which sets a permanent ban on the rascal.

The latest version of trap.pl can be found here [webmasterworld.com].

I'm sure we would be happy to help you get you mail secured. In the meantime, I would suggest that you comment this line until you have resolved the problem.
//mail($to,$subject,$body,$headers);

Happy reading.

[edited by: grandpa at 11:49 am (utc) on Nov. 7, 2005]

You need to validate and/or sanitize the incoming data. In particular, remove any new line or carriage return characters (*) from $email, as these could be used to inject a BCC mail header.

Google "email injection" for further details.

(*)
$email = str_replace(array("\n", "\r"), "", $email);