I found this on a server:
$header = "From: <".$_REQUEST['email'].">\n";
#...
mail($from,$subjet,$message,$header);
$_REQUEST['email'] comes from a form input …
Here $_REQUEST['email'] should, at least, have every \n stripped out, no matter how much you trust the JS code.
$from = $_REQUEST['email'];
$from = str_replace("\n","",$from);
$header = "From: <$from>\n";
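An added example, not code from the server or from this post: it puts the concatenation pattern above beside a stricter variant that rejects the value instead of repairing it, and it goes one step beyond the \n strip by also refusing carriage returns and anything that is not a single well-formed address. The function names and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Hypothetical helper names: unsafe_from_header(), safe_from_header().

// The pattern found on the server: the form value is concatenated as-is.
function unsafe_from_header(string $email): string
{
    return "From: <" . $email . ">\n";
}

// Stricter variant: refuse bad input rather than silently cleaning it.
function safe_from_header(string $email): ?string
{
    // CR, LF and NUL never appear in a legitimate address.
    if (preg_match('/[\r\n\0]/', $email)) {
        return null;
    }
    // Syntax check for one address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return "From: <" . $email . ">\n";
}

// Constructed inputs, for illustration only.
$samples = [
    'plain'   => 'alice@example.com',
    'with LF' => "alice@example.com>\nX-Injected: 1\nX-Junk: <",
    'with CR' => "alice@example.com\rX-Injected: 1",
];

foreach ($samples as $label => $input) {
    $unsafe = unsafe_from_header($input);
    // Count the header lines the unsafe version would pass to mail().
    $lines = count(preg_split('/\r\n|\r|\n/', rtrim($unsafe, "\r\n")));
    $safe  = safe_from_header($input);
    printf(
        "%-8s unsafe header lines: %d, safe: %s\n",
        $label,
        $lines,
        $safe === null ? 'rejected' : trim($safe)
    );
}
```

Any input for which the unsafe version yields more than one header line is one where the form field, not the script, decided what headers the message carries.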