If he created a full normal account, then the only way is:
- limit the number of messages send (like disabling send msg to all and set up also a msg anti-flooding system)
- filtering msg with words

Other options would be:
- only allow send to all to your old members

no, there is not a "send to all" function
and i can't aply a "max message per day", since members tend to open conversations between them

The filtering idea is appealing.. i will try this and see how this goes

In your registration process, is user logged on directly after filling form or do you send a confirmation email ?

As said, you could also limit number of msg send to new member.

Or last solution, ban per country as most of them help-me-save-my-money-into-your-bank-account scam comes from Nigeria

no, a fonfirmation email is being sent after registration
scammer's email is a valid one (a gmail account)

>>and i can't aply a "max message per day", since members tend to open conversations between them

But you can apply "max members per day". Allow new members to send message to 10 members per day.

also you can filter messages using some "Word Black List".

no email apperas on screen or in source code.

Is it custom coded? How safe is your site from email/mysql injection?

If the answers are yes and I don't know or not, I'd suggest review how the data is being cleansed, and additionally get a logging routine in there immediately so you can see what is being input into these forms.

Dinkar : filtering is what i intend to do

rocknbil: the emails are from a db. The messages between members are 1 single field in a form (text area).
The data are being cleansed for any html/java code

For now i will go for the filtering method and see how it goes. Take note that this is the first scam email we received in 5 years period we operate that site.

The messages between members are 1 single field in a form (text area).

How is the recipient "selected", via a hidden field?

What if I don't use your form at all, but use a command line combined with curl to post to it?

Once scenario,

contact-member.php?to=one@site.com,two@site.com,three@site.com&message=You+have+been+spammed

Unless you filter the "to" to accept only a single address, it will send to all three addresses.

It gets worse. If they can figure out your table structure and inject SQL statements, they can just select the entire database to mail to.

The data are being cleansed for any html/java code

As you can see, it's not HTML or javascript code that is the power of injection.

The member visits his friend's profile page. There there is a button "send message" where launches a pop-up form with the 1 single text field
The recipient is being selected with the help of the htaccess mod_rewritte (all urls are friendly)
The sender is being selected by a combination of session/cookie (if you are not logged in you are not able to see this button).
Both of those emails are picked from db
The title of the email is defualt hardcoded (something like 'Friend John send you a message')

I dont see how the above setup can be highjacked

And after 4 days of digging in the logs, i came to the conclusion that the spammer sent only 320 emails (out of a possible 12k email address registered)
So i think he send them manually

Any objections on this? I may be missing something