Email (validation,verification and email injection)


kkonline

4:00 pm on Sep 7, 2007 (gmt 0)

10+ Year Member



I am using a simple tell-a-friend type of thing which sends the current URL to the specified email address.

I have three concerns for its successful working:
1> email validation -- using regex
2> email verification -- if an email is valid, that does not mean it exists... so some techniques to check it. But on this forum, someone said checking this is blocked by a few sites as a hacking attempt and blacklisted

3> prevention from email injection.

I searched the forum and most of the posts deal only with the first point. Can we discuss the methods and code relating to the next two points?

d40sithui

4:07 pm on Sep 7, 2007 (gmt 0)

10+ Year Member



I found this crazy function to check email:
<?php
// Note: the ereg() calls of the original were replaced with preg_match(), since ereg() was removed in PHP 7,
// and the mis-encoded broken-bar characters in the patterns were restored to "|".
function validEmail($email) {
    // First, we check that there's one @ symbol, and that the lengths are right
    if (!preg_match('/^[^@]{1,64}@[^@]{1,255}$/', $email)) {
        // Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
        return false;
    }
    // Split it into sections to make life easier
    $email_array = explode("@", $email);
    $local_array = explode(".", $email_array[0]);
    // Each dot-separated part of the local part is either an unquoted atom or a quoted string
    // ("@" is used as the pattern delimiter because it cannot occur in the local part here)
    $local_regex = '@^(([A-Za-z0-9!#$%&\'*+/=?^_`{|}~-][A-Za-z0-9!#$%&\'*+/=?^_`{|}~.-]{0,63})|("[^\\\\"]{0,62}"))$@';
    for ($i = 0; $i < count($local_array); $i++) {
        if (!preg_match($local_regex, $local_array[$i])) {
            return false;
        }
    }
    if (!preg_match('/^\[?[0-9.]+\]?$/', $email_array[1])) { // Check if domain is IP. If not, it should be valid domain name
        $domain_array = explode(".", $email_array[1]);
        if (count($domain_array) < 2) {
            return false; // Not enough parts to domain
        }
        for ($i = 0; $i < count($domain_array); $i++) {
            // Each label: 1-63 characters, alphanumeric, hyphens allowed only in the middle
            if (!preg_match('/^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$/', $domain_array[$i])) {
                return false;
            }
        }
    }
    return true;
}
?>
Hmm, I wonder if this is any better than just searching for the pattern below. Both seem to work OK.

"/^[a-zA-Z0-9._+-]+@{1}+[a-zA-Z0-9-_]{2,}+\.+[a-zA-Z]{2,4}+$/"

henry0

9:49 pm on Sep 7, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Something I collected; unfortunately I can't give credit to the originator.
<<<<
<?php
// bcc and cc are the worst, but let's be thorough

// strpos() looks for the terms included in the top array

$header_injection_attempts = array(
    "bcc:",
    "cc:",
    "to:",
    "content-type:",
    "mime-version:",
    "multipart/mixed",
    "content-transfer-encoding:",
    ".EXE",
    ".exe"
);
// $email_body is the untrusted form input; the original post did not show where it comes from,
// so this assignment is an assumption added to make the snippet self-contained
$email_body = $_POST['email_body'] ?? '';
// lowercase the email
$email_body_lower = strtolower($email_body);
// innocent until proven guilty
$injection_attempted = false;
foreach ($header_injection_attempts as $attempt) {
    // check the email for each possible attempt
    if (strpos($email_body_lower, $attempt) !== false) {
        // we found something bad being attempted
        $injection_attempted = true;
        // get out of the loop
        break;
    }
}
if ($injection_attempted) {
    // log the error, and visitor IP
    // don't send the email
} else {
    // send the email
    mail(....);
}

This addresses your #2 concern.
I use it often.
<<<<
<?php // FIRST FUNCTION
// Function to check whether a given hostName is a valid email
// domain address.
// (Changes from the original: eregi() replaced with preg_match(), and the
// arguments passed to the shell are now escaped, because a host name that
// comes straight from a form field would otherwise be a shell injection.)
function myCheckDNSRR($hostName, $recType = '')
{
    if (!empty($hostName)) {
        if ($recType == '') $recType = "MX";
        exec("nslookup -type=" . escapeshellarg($recType) . " " . escapeshellarg($hostName), $result);
        // check each line to find the one that starts with the host
        // name. If it exists then the function succeeded.
        foreach ($result as $line) {
            if (preg_match('/^' . preg_quote($hostName, '/') . '/i', $line)) {
                return true;
            }
        }
        // otherwise there was no mail handler for the domain
        return false;
    }
    return false;
}
?>

<?php
// (eregi() and split() of the original replaced with preg_match() and explode(); both were removed in PHP 7)
function validate_email($email)
{
    // Create the syntactical validation regular expression (case-insensitive)
    $regexp = '/^([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/i';

    // Presume that the email is invalid
    $valid = 0;

    // Validate the syntax
    if (preg_match($regexp, $email))
    {
        list($username, $domaintld) = explode("@", $email);
        // Validate the domain: getmxrr() succeeds only if the domain publishes MX records
        if (getmxrr($domaintld, $mxrecords))
            $valid = 1;
    } else {
        $valid = 0;
    }

    return $valid;

}

/* Usage:
if (validate_email($_POST['email'])) {
    email is valid...
} else {
    email not valid..
}*/

?>
>>>>>>
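The snippets above check the message body for header keywords and shell out to nslookup. As an added example, not code from the thread or from any of its posters, here is one validation path for a tell-a-friend form that covers concern #2 (does the domain accept mail?) and concern #3 (header injection) with PHP's own functions: header injection depends on smuggling a CR/LF into a header value, so the central check is that no header value may contain a line break at all, and deliverability is checked with `checkdnsrr()` instead of a shell command. The function names, the `noreply@example.com` sender and the sample inputs are constructed for this illustration.

```php
<?php
// Added example (not from the thread). Function names, addresses and sample inputs are constructed.

// Header injection works by smuggling a line break into a value that ends up in a mail
// header (To:, From:, Subject:), so the fundamental rule is "no CR or LF at all".
// %0a / %0d catch values that were URL-encoded once but never decoded.
function contains_line_break(string $value): bool
{
    return preg_match('/[\r\n]|%0[ad]/i', $value) === 1;
}

// Syntactic validation: the built-in filter is stricter and better maintained than a
// hand-written regex, and it rejects line breaks by itself; the explicit check is kept
// so the same rule can be applied to Subject and display-name fields as well.
function is_syntactically_valid(string $email): bool
{
    return !contains_line_break($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Deliverability: checkdnsrr() is the native replacement for shelling out to nslookup.
// RFC 5321 lets a domain without MX records fall back to its A record, so accept either.
function domain_accepts_mail(string $email): bool
{
    $domain = substr(strrchr($email, '@'), 1);
    return checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A');
}

// Builds the message without placing a visitor-controlled value in From:. The friend's
// address is the only user-supplied header value, and it has already been validated.
// $check_dns is false in the demo below so that it runs without network access.
function build_tell_a_friend(string $friend, string $sender, string $url, bool $check_dns = true): ?array
{
    if (!is_syntactically_valid($friend) || !is_syntactically_valid($sender)) {
        return null;
    }
    if (contains_line_break($url) || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    if ($check_dns && !domain_accepts_mail($friend)) {
        return null;
    }
    $site_from = 'noreply@example.com';   // constructed; use the site's own address
    $headers   = "From: {$site_from}\r\n"
               . "Reply-To: {$sender}\r\n"
               . "Content-Type: text/plain; charset=UTF-8\r\n";
    $body      = "Your friend ({$sender}) thought you might like this page:\n{$url}\n";
    return ['to' => $friend, 'subject' => 'A page your friend sent you',
            'body' => $body, 'headers' => $headers];
}

// Constructed sample inputs; the second and third carry a Bcc: injection payload.
$samples = [
    'alice@example.com',
    "alice@example.com\r\nBcc: everyone@example.net",
    'alice@example.com%0ABcc:everyone@example.net',
    'not-an-address',
];
foreach ($samples as $s) {
    printf("%-55s syntax=%s\n", json_encode($s), is_syntactically_valid($s) ? 'ok' : 'REJECT');
}

$msg = build_tell_a_friend('bob@example.com', 'alice@example.com', 'https://example.com/page', false);
if ($msg !== null) {
    // mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers']);  // send only once every check has passed
    echo "message ready for {$msg['to']}\n";
}
```

Only the first sample passes; the two injection attempts are rejected by the line-break check before `filter_var()` is even consulted. Scanning the body for "to:" or "cc:", as the collected snippet does, is not needed once header values are known to be single-line, and it avoids rejecting ordinary messages that happen to contain those words.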

alexdunae

10:44 pm on Sep 7, 2007 (gmt 0)

10+ Year Member



#1, a more solid regex is:

/^(([A-Za-z0-9]+_+)|([A-Za-z0-9]+\-+)|([A-Za-z0-9]+\.+)|([A-Za-z0-9]+\++))*[A-Za-z0-9]+@((\w+\-+)|(\w+\.))*\w{1,63}\.[a-zA-Z]{2,6}$/i

#2, you are correct that some hosts block this and render this check essentially useless. The only way to confirm 100% is to send a confirmation e-mail.

#3, @henry_o's first bit of code (dealing with cc: and bcc:) is all I have ever needed to use.
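The confirmation e-mail that alexdunae mentions is the only check that proves someone actually reads mail at the address. As an added example, not code from the thread or from any poster, here is the token flow behind such a confirmation: a random token is mailed out, only its hash is stored, and a token is accepted once and only before it expires. The in-memory `$pending` array, the 24-hour lifetime, the addresses and the confirmation URL are constructed for this illustration; a real site would keep the store in a database keyed the same way.

```php
<?php
// Added example (not from the thread). Store, lifetime, addresses and URL are constructed.

const TOKEN_TTL = 86400;   // 24 hours; constructed value

// Issue a token: 256 bits from the CSPRNG, returned to the caller for mailing.
// Only its SHA-256 hash is stored, so a leaked table cannot be replayed as confirmations,
// and the lookup by hash of a high-entropy token needs no constant-time comparison.
function issue_confirmation(array &$pending, string $email, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $pending[hash('sha256', $token)] = ['email' => $email, 'expires' => $now + TOKEN_TTL];
    return $token;
}

// Redeem the token from a confirmation link. Returns the confirmed address, or null.
// The entry is removed on every attempt that matched it, so a token is single-use,
// and an expired entry is discarded rather than left behind.
function redeem_confirmation(array &$pending, string $token, int $now): ?string
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {   // anything not token-shaped is rejected early
        return null;
    }
    $key = hash('sha256', $token);
    if (!isset($pending[$key])) {
        return null;
    }
    $entry = $pending[$key];
    unset($pending[$key]);
    return $entry['expires'] >= $now ? $entry['email'] : null;
}

// The link placed in the confirmation message (constructed URL).
function confirmation_link(string $token): string
{
    return 'https://example.com/confirm?token=' . rawurlencode($token);
}

// Demo run with constructed data
$pending = [];
$now = time();
$token = issue_confirmation($pending, 'friend@example.com', $now);
echo "mail this link to friend@example.com: ", confirmation_link($token), "\n";

var_dump(redeem_confirmation($pending, $token, $now));                 // string "friend@example.com"
var_dump(redeem_confirmation($pending, $token, $now));                 // NULL: single use
$late = issue_confirmation($pending, 'other@example.com', $now);
var_dump(redeem_confirmation($pending, $late, $now + TOKEN_TTL + 1));  // NULL: expired
```

The address is marked confirmed only when `redeem_confirmation()` returns it; until then the tell-a-friend message is not sent, which is what makes this check stronger than any regex or DNS lookup.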