> So if I clean anything going in the header, and do stripslashes() to the
> message body, what on earth can put those extra headers in?

Hi Kasimir

We had similar problems here which only ceased after protecting both the front end form and the sendmail.php page. We stripped out 'Content-Type' as well as putting in a captcha on the worst hit ones.

If they can turn the form into HTML they have an opportunity to use HEX characters, which you aren't stripping out there.

This link was very helpful:
http://securephp.damonkohler.com/index.php/Email_Injection

Best Regards,
Nick
Managing Director
e3internet
http://www.e3internet.com
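
An added example, not part of the message above or of the linked page: one way to refuse form fields bound for mail headers when they carry raw or percent-encoded line breaks or a 'Content-Type' header name. The function names, form field names and addresses are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example; function names, field names and addresses are hypothetical.

// True only if $value can be placed in a mail header without starting a new one.
function is_safe_header_value($value): bool
{
    if (!is_string($value)) {
        return false;               // name[]=... arrives as an array
    }
    // Decode a few rounds so %0a and double-encoded %250a are both exposed.
    $decoded = $value;
    for ($i = 0; $i < 3; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }
    foreach ([$value, $decoded] as $candidate) {
        // CR, LF or NUL would end the current header line.
        if (preg_match('/[\r\n\0]/', $candidate)) {
            return false;
        }
        // Header names an injected MIME block or extra recipient needs.
        if (preg_match('/\b(content-type|mime-version|bcc)\s*:/i', $candidate)) {
            return false;
        }
    }
    return true;
}

// Validate every header-bound field, then hand off to mail().
function send_contact_mail(array $form): bool
{
    $email   = $form['email'] ?? '';
    $subject = $form['subject'] ?? '';
    if (!is_safe_header_value($email) || !is_safe_header_value($subject)) {
        return false;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $body = is_string($form['message'] ?? null) ? $form['message'] : '';
    // The body is not a header, so line breaks are allowed there.
    $headers = "From: webform@example.com\r\nReply-To: $email";
    return mail('owner@example.com', $subject, $body, $headers);
}

// Constructed inputs: a plain subject, a raw CRLF, and a percent-encoded LF.
foreach (["Hello", "Hi\r\nBcc: x@example.com", "Hi%0aContent-Type: text/html"] as $s) {
    var_dump(is_safe_header_value($s));
}
```

The same check belongs on both the form page and the script that calls mail(), since the second can be posted to directly.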