Dear sysadmins and developers,
phpmail() IS OUT! Get rid off it. Now!
One of the most common sources of spam are “hacked” webservers and poorly or even non-secured forms. By using phpmail the webserver must be allowed to send mails without checks for a valid sender. This results – mostly on a shared web host – in having checking every clients installations for the bad script while the mailserver gets blacklisted due to the spam wave.
There are enough possibilities out there on how to send mail without using phpmail such as PEAR Net_SMTP. I even encourage every webmaster to turn off phpmail by blacklisting this function in php.ini. This way the developers would be forced to name an smtp account for sending mail which is much easier to track (and shut off if neccessary).