Thanks Mark, I didn't see your previous message until now.
I discovered that nothing is being injected into the headers. But... What the scammers are likely doing is substituting the value of the "to" variable I use. Since this is just used internally to reference a hard-coded list, their attempt doesn't go anywhere.
And another but... I noticed that I forgot to handle the default case - if the "to" contained any content that did not match my reference list. Oops! That was causing the abusers' emails to go out with no destination which would generate a bounce back to me.
This is now taken care of by blanking the variable if it doesn't match my list, which in turn causes it to be trapped by the error handling I already had in place. That causes the form to stay where it is and show a visible warning pointing out the form is incomplete.
Now it should only be possible for abusers to spam my own addresses with this form. And I'm curbing that by restricting links within the message body and can also block by IP if I notice any trends.
Phew.
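
The fix described in the post above, sketched as an added example. It is not the poster's code: the form's language is not stated, so Python is an assumption, as are the names `RECIPIENTS`, `resolve_recipient` and `validate_form`, the addresses, and the one-link limit.

```python
import re

# Hypothetical hard-coded recipient list: form key -> real address (constructed values).
RECIPIENTS = {
    "sales": "sales@example.com",
    "support": "support@example.com",
}
MAX_LINKS = 1  # assumed limit on links allowed in the message body
LINK_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.IGNORECASE)


def resolve_recipient(to_value):
    """Map the submitted 'to' key to a hard-coded address; anything else becomes ''."""
    if not isinstance(to_value, str):
        return ""
    # Default case: a value that is not a known key (a raw address, or text
    # carrying CR/LF and extra headers) is blanked instead of being passed on.
    return RECIPIENTS.get(to_value.strip().lower(), "")


def validate_form(fields):
    """Return (recipient, errors). Non-empty errors means: redisplay the form, send nothing."""
    errors = []
    recipient = resolve_recipient(fields.get("to", ""))
    if not recipient:
        errors.append("Please choose a recipient.")
    body = str(fields.get("message", ""))
    if not body.strip():
        errors.append("Please enter a message.")
    elif len(LINK_RE.findall(body)) > MAX_LINKS:
        errors.append("Too many links in the message.")
    return recipient, errors


if __name__ == "__main__":
    # Constructed submissions: one legitimate, one with a substituted 'to' value.
    for sample in (
        {"to": "support", "message": "My order has not arrived."},
        {"to": "victim@example.net", "message": "Buy now http://spam.example"},
    ):
        print(sample["to"], "->", validate_form(sample))
```

The submitted value is only ever used as a lookup key, so the address placed in the outgoing mail always comes from the hard-coded list and never from the request.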