A redcent thread I started discussed the fact my mostly self-made contact form at http://twistedmelon.com/contact/contact.php was being used by to inject headers and send out mail.

I have since implemented a number of checks and balances to deny header insertion through carriage returns and new lines on all fields where we accept user input. This should make it so no "To:" field can be input and the mail is only ever sent to addresses internal to the script.

We also check the message body for MIME and Content-Type headers. Yesterday I tightened up the message content area by also failing any message that includes so much as a single "http" or "href" within its text.

Today I received a couple of messages that look to be from a spammer, but they were properly filled out and sent to me - this isn't a problem. But just now I've received two bounces back which indicate the messages were also sent to someone else - or such an attempt was made that went farther than my script all the way to the mail system.

I've tested the forms of injection I've read about but can't for the life of me break the measures I've got in place.

Anyone care to help me figure out where the problem lies?

On the bounces the "To:" field comes back blank with no Bcc or cc fields included.