You can add a CAPTCHA field for human verification, and validate the email address to make sure there's no additional headers sent with it.

This is a regular expression that will make sure you have a valid email:
'/^[_a-z0-9-]+((\.¦\+)[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/i' using preg_match.

Note to eelixduppy the reason I left the original domain addresses in the OP was to show that they were not real sites, but just random letters followed by .com

Thanx but a CAPTCHA is not something I want.

The message in the form comment box always contains links to garbage domains E.G. xyjjxyxyjjxy .com this is what make me think that someone is probing the script possibly by trying to add headers so they could use it to spam.

So is their a way I can test it for security

Since you seem to be using a phone number as a single field, you might try multiplying that number by 1, and then dumping the post if the result is zero. Multiplying by one should convert the result to a number, and if he is including letters, like this, it is a sure sign someone is up to no good.
You might also restrict your fields to a maximum size in the form.

Anyway, never accept any data direct. Always validate it every way you can before it gets past the first step.

I would do a regexp check for the phone number as opposed to multiplying by 1, because people often use -'s or spaces between the numbers. I do think that it is a good idea to check the phone number, though, because that is the one field that you have a strong idea of what it should look like.

^(?:\([2-9]\d{2}\)\ ?¦[2-9]\d{2}(?:\-?¦\ ?))[2-9]\d{2}[- ]?\d{4}$

should do a relatively reliable check. The following formats will work: 5305551212, (530) 555-1212, 530-555-1212

Source: [regexlib.com...]

Anyway, I do think the the major lesson learned here is never take anything from a user that you don't run through some sort of check.

I think it was talked of in another topic here, but all your form fields should have a max length value, and that is as small as you can make it. Folks in India and Thailand have long names sometime, but even there I think anything 25 characters is the absolute outer limit. If you don't specify a length, the default is 255 characters. And you can sneak a lot of damaging java code in 255 characters. the <javascript></javascript> tags take up 27 characters just by themselves. The kind of people haunting the web these days, paranoia is just the key to good health.

Captchas are a bad thing to use unless you want to turn visitors away and html limits for the input elements won't do much since the form is likely posted by a bot. Jscripts will bring the same results as html.

Instead, deploy some css with one or more hidden and visible html elements to verify human presence. During form processing on the server end, that includes regular fields validation, you could also check the "details" field, especially if you do not expect links with the form. That's one of the things the spammer hopes for. To somehow propagate a link to the dbase or to send it via email.

As of the other headers (cc, bcc) you should check the input form fields for line breaks like \r \n, they are used by spammers to deploy additional headers. How the form is processed is critical, but once you get rid of the bot factor things are much simpler.