PHP - mail() - Double Newline in Headers, Possible Injection, Mail Dropped
PHP mail() broken? Googling and finding a mess of answers about rewriting code, RFC compliance and general hullabaloo, but no answer as to why you are getting this error? Well, your installation of PHP has probably just been hardened.
ALERT - mail() - double newline in headers, possible injection, mail dropped (attacker 'IPADDRESS', file 'FILENAME', line 668)
You will need to find the option suhosin.mail.protect in your php.ini and set it to 0.
; This directive controls if the mail() header protection is activated or not
; and to what degree it is activated. The appended table lists the possible
; activation levels.
; suhosin.mail.protect = 1
suhosin.mail.protect = 0
The reason for this setting is to prevent injection attacks, so as a prerequisite, be sure to filter your incoming data! More info on suhosin.mail.protect is available. If you come across the CRLF vs. LF conversations in your reading, this is a good summation. Basically, it comes down to your OS and MTA.
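One way to do that filtering before any value reaches mail(), as an added example that is not from the original post. The helper names clean_header_value() and build_headers() and all addresses are made up for illustration.

```php
<?php
// Added example; clean_header_value() and build_headers() are hypothetical helpers.

// Reject CR, LF and NUL: a line break in a value lets input start a new
// header, and a blank line ends the header block altogether.
function clean_header_value(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('line break in header value');
    }
    return trim($value);
}

// Join name => value pairs with one CRLF between lines and nothing after the
// last one, so the header string never contains a double newline.
function build_headers(array $fields): string
{
    $lines = [];
    foreach ($fields as $name => $value) {
        if (!preg_match('/\A[A-Za-z0-9-]+\z/', $name)) {
            throw new InvalidArgumentException('bad header name');
        }
        $lines[] = $name . ': ' . clean_header_value($value);
    }
    return implode("\r\n", $lines);
}

// Constructed form input: the second value carries an embedded line break.
$samples = [
    'visitor@example.com',
    "visitor@example.com\r\nBcc: other@example.net",
];

foreach ($samples as $replyTo) {
    try {
        $headers = build_headers([
            'From'     => 'webform@example.org',
            'Reply-To' => $replyTo,
        ]);
        // Here the real script would call:
        // mail('owner@example.org', 'Contact form', $body, $headers);
        echo "accepted:\n", $headers, "\n\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The CRLF separator follows the PHP manual's guidance for additional headers; as noted above, some OS and MTA combinations expect LF instead.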
Incidentally, I came across this issue implementing mini_sendmail-chroot on OpenBSD and had to dig a bit for the solution…
HTH