I'm going to add those two in the checks as well (content and mime). Thanks again everyone. I've added a substring match to block an href as well. We'll see how this goes.
Remember there were two issues. One was the exploit, which was fixed by extra filtering on the fields for newlines and returns. The other is just spammers sending ME spam through my own form, which is what the substring matches were for.
The TO addresses are all hardcoded and, as John mentioned, it's an injection attack using other fields. In the case of my form, only the Proper Name field was vulnerable on my script. I already handled the username & domain portion of the FROM (it had to be exactly ONE completely valid email address format at a resolvable domain).
With the added stuff it now also rejects content that would otherwise not cause a problem but that spammers might have tried anyway.
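An added example, not part of the post and not the poster's script: a Python sketch of the two layers described above, with the line-break check on header fields kept separate from the substring spam filter. The function names, the recipient address and the exact substrings are assumptions, and the resolvable-domain lookup is left out so the code runs offline.

```python
import re
from email.message import EmailMessage
from email.utils import formataddr

RECIPIENT = "webmaster@example.org"  # hardcoded To; placeholder address
# Assumed spellings of the post's "content", "mime" and "href" checks.
BLOCKED_SUBSTRINGS = ("content-type", "mime-version", "href")
# One bare address only: no spaces, commas, angle brackets or line breaks.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def reject_reasons(name, sender, message):
    """Return the reasons to refuse a submission; an empty list means accept."""
    reasons = []
    # Layer 1, the injection fix: a CR or LF in a value that is copied into
    # a mail header would let that value start a header line of its own.
    for label, value in (("name", name), ("sender", sender)):
        if "\r" in value or "\n" in value:
            reasons.append(f"{label}: line break")
    if not ADDRESS_RE.fullmatch(sender):
        reasons.append("sender: not a single address")
    # Layer 2, the spam filter: harmless to the mailer, but typical of
    # automated submissions, so it is applied to every field.
    for label, value in (("name", name), ("sender", sender), ("message", message)):
        lowered = value.lower()
        for needle in BLOCKED_SUBSTRINGS:
            if needle in lowered:
                reasons.append(f"{label}: contains {needle}")
    return reasons


def build_mail(name, sender, message):
    """Build the outgoing message only after both layers pass."""
    reasons = reject_reasons(name, sender, message)
    if reasons:
        raise ValueError("; ".join(reasons))
    mail = EmailMessage()
    mail["To"] = RECIPIENT
    mail["From"] = formataddr((name, sender))  # quotes the display name
    mail["Subject"] = "Contact form"
    mail.set_content(message)  # the body may contain line breaks
    return mail
```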