There are two problems here.
You get your "To" header from , which is the e-mail address typed by your visitor in the form and processed by your PHP code without any validation.
First, how do you know that was a valid and existing address? If this address is wrong, no wonder you have that error.
There is a more important and dangerous thing. Your approach (I mean the lack of proper validation and filtering) is way too dangerous.
Attention! A big security flaw is explained here!
I will explain schematically what some people do to find an exploit for their malicious activity.
Imagine you have in your input:
BCC: [a million addresses to spam]
This is the way to inject a BCC header line. Trivial, isn't it? You would not even see how your host is turned into a zombie
sending spam, or something like that.
You can tell that you provide only one input line using a text box ( element with the type ), so entering the new line characters is not possible.
OK, great, your form knows about it, but HTML "post" method does not know about your form. :-)
Are you getting it?
Of course, this is not possible with manual operation of the form. But programmatically, I would fake your form in a few minutes and implement the hack I explained before. If you use AJAX, I would fake your AJAX as well.
I actually did something like that my own Web site and some of our company Web sites for security holes. It was easy. Each and every action performed on the client side can be more or less easily faked.
So, you should do a simple thing: inspect all the headers for any deviation from the expected pattern. You should also check the referrer of the post and do some other relevant checks. Internally, report the attempts of any suspected malicious activity.
Investigate such cases. I did that and caught such attempts from time to time. This is the ugly fact of our life.
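The validation described above, as an added example that is not part of the original answer: the function names `safe_email_address` and `build_contact_mail`, the `example.com` / `example.net` addresses and the sample inputs are all constructed for illustration. The visitor's address is rejected outright if it contains CR, LF, NUL or their URL-encoded forms (the characters an attacker needs to start a `Bcc:` line), it must pass `filter_var(..., FILTER_VALIDATE_EMAIL)`, and even then it is only placed in `Reply-To`, never used as the `To` header; rejected attempts are logged so they can be investigated.

```php
<?php
// Added example (not code from the original answer): reject mail-header
// injection before any visitor input reaches mail(). All names, addresses
// and sample inputs below are constructed for illustration.

/**
 * Return the address if it is a single, syntactically valid e-mail address
 * containing no header-injection characters; otherwise return null.
 */
function safe_email_address(string $input): ?string
{
    $candidate = trim($input);

    // A raw or URL-encoded CR/LF, or a NUL byte, lets the value continue on a
    // new header line such as "Bcc: ...". Reject rather than strip, so the
    // attempt stays visible instead of being silently "cleaned".
    if (preg_match('/[\r\n\0]|%0[ad]/i', $candidate)) {
        return null;
    }

    // FILTER_VALIDATE_EMAIL accepts exactly one bare address with no spaces,
    // so comma-separated lists and "Name <addr>" display forms are rejected too.
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $candidate;
}

/**
 * Build the arguments for mail() for a contact form. The visitor's address is
 * never used as "To": the site owner's fixed address receives the message and
 * the validated visitor address only goes into Reply-To. Returns null (after
 * logging the rejected input) when validation fails.
 */
function build_contact_mail(string $visitorEmail, string $message, string $ownerAddress): ?array
{
    $replyTo = safe_email_address($visitorEmail);
    if ($replyTo === null) {
        // Report the suspicious input internally (hex so CR/LF are readable in the log).
        error_log('contact form: rejected e-mail field: ' . bin2hex($visitorEmail));
        return null;
    }
    $headers = "From: webform@example.com\r\n"
             . "Reply-To: " . $replyTo . "\r\n";
    return [$ownerAddress, 'Contact form message', $message, $headers];
}

// Constructed sample inputs: one legitimate address and two injection attempts
// of the kind the answer describes (a Bcc line smuggled in after the address).
$samples = [
    'visitor@example.com',
    "visitor@example.com\r\nBcc: victim1@example.net, victim2@example.net",
    'visitor@example.com%0ABcc: victim@example.net',
];
foreach ($samples as $s) {
    $result = build_contact_mail($s, 'Hello from the form', 'owner@example.com');
    echo json_encode($s), ' => ', ($result === null ? 'REJECTED' : 'OK'), PHP_EOL;
}
```

Only the first sample produces a `mail()` argument list; the other two are rejected and written to the error log, which is the internal report of attempted abuse the answer recommends. Because the owner's address is hard-coded as the recipient, even an address that slipped past validation could not redirect the message to a list of third parties.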