I regularly shut down web sites that use the PHP mail() function. While the users of the sites mean well, they generally don’t do any checking before sending data to mail(). I’m not going to weigh in on mail(). Enough has been said about it. Just remember to take your code and code security seriously.
Remember, never trust data submitted by site visitors. Sanitize the heck out of it.
Jelly and Custard has an excellent explanation of PHP Header Injection when using the PHP mail() function.
http://www.jellyandcustard.com is an excellent PHP blog.
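As an added illustration (not code from this post or from Jelly and Custard), here is one way to check form fields before they reach mail(). The helper names, addresses, length limits and sample inputs are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical contact-form helper; all names and addresses are assumptions.
const SITE_TO   = 'webmaster@example.org';  // fixed recipient, never taken from the form
const SITE_FROM = 'no-reply@example.org';   // fixed sender

/** Reject any value bound for a mail header that contains CR, LF or NUL. */
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

/** Validate visitor input and build the arguments for mail(); null means reject. */
function build_contact_mail(array $post): ?array
{
    $email   = trim((string)($post['email'] ?? ''));
    $subject = trim((string)($post['subject'] ?? ''));
    $body    = (string)($post['message'] ?? '');

    // Header-bound fields: no embedded line breaks, valid syntax, bounded length.
    if (!is_header_safe($email) || !is_header_safe($subject)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if ($subject === '' || strlen($subject) > 150 || strlen($body) > 10000) {
        return null;
    }

    // The visitor's address only ever appears in Reply-To, after validation.
    $headers = 'From: ' . SITE_FROM . "\r\n" . 'Reply-To: ' . $email;

    return [SITE_TO, $subject, $body, $headers];
}

// Constructed sample inputs: an ordinary submission and one with an embedded line break.
$samples = [
    ['email' => 'visitor@example.com', 'subject' => 'Hello', 'message' => 'Nice site.'],
    ['email' => "visitor@example.com\r\nX-Extra: injected", 'subject' => 'Hello', 'message' => 'x'],
];
foreach ($samples as $post) {
    $args = build_contact_mail($post);
    echo $args === null ? "rejected\n" : "accepted: fields validated for mail()\n";
    // In the real form handler: if ($args !== null) { mail(...$args); }
}
```

Rejecting the submission outright, rather than stripping the line breaks and sending anyway, also leaves a clear signal in the logs that the form is being probed.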