This looks like a failed header injection attack.
Some background: Lots of web form handlers, including the most basic
Perl and PHP tools, will build the headers and body of a message as one
long string, then pass it to Sendmail. If a form allows user-supplied
data for any header content -- most often a subject, a sender's name or
email address -- and the form does not properly sanitize the input, an
attacker can add a newline to the data and build up their own headers
and message body.
---------------snip--------------
Absolutely what I was trying to say earlier.
A _great_ article on the matter is here:
http://www.securephpwiki.com/index.php/Email_Injection
-=Ray
