E-mail injection is caused when form fields entered by hackers who add unexpected lines of text to the from and/or subject lines of your form.
For instance, many web sites add a contact us page to their web site to allow a web visitor an opportunity to send comments and suggestions. Usually these forms ask the user for a subject and an E-mail address. The risk of injection occurs when these fields are placed into the headers of the E-mail sent from the script to the E-mail address assigned to the contact submission.
The injection works when the hacker adds extra lines to the field before sending it to your script. IF your script does not check the E-mail address entered then the injection will find its way to the PHP mail() function. Then the rest is history.
The PHP mail() function takes multi lines in the to field and may treat them as additional lines for the headers of the E-mail message.
Click here http://securephp.damonkohler.com/index.php/Email_Injectionfor some better detailed examples of E-mail injections.
You can prevent E-mail injections in a number of ways. The easiest is to only place data that is submitted by the user in the message body of the E-mail. If you want your script to automatically generate a response message to the user, then you will need to verify the E-mail address entered is valid and does not contain additional lines of information.
Click here http://www.bl0g.co.uk/?d=060214 for an alternative method for protecting your script from E-mail injections.