NationalNet support patched my PHP scripts
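// ereg() was removed in PHP 7; preg_match() with the D modifier keeps the end anchor strict.
// Hyphens are not valid in PHP variable names, so the variables use underscores.
if (preg_match('/^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$/D', $email_from))
    mail($email_to, $email_subject, $email_message, $email_headers /* ... */);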
and they sent me an email explaining what they did to stop the spammer within 15 minutes or so.
GrayWolf posts a similar case and recommends this helpful page with PHP code to stop header injection. There is more useful stuff in the manual's comment section, and a great thread at WMW. I found that a combination of the NatNet patch and the tips provided there, plus a few custom add-ons like database lookups, should secure my email forms in the future. Next step is sending automated complaints to the spammer's ISP.
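One way to combine the address check from the patch with a CR/LF check on the other header fields, as an added example that is not the NationalNet patch or code from the linked pages. The function names, the recipient address and the sample submissions are constructed for illustration.

```php
<?php
// Added example. Function names, the recipient and the sample submissions are
// constructed for illustration.

// Address pattern from the patch. The D modifier stops "$" from matching before
// a trailing newline, which plain "$" in preg_match() would allow.
const ADDRESS_RE = '/^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$/D';

function is_valid_address($addr): bool
{
    return is_string($addr) && preg_match(ADDRESS_RE, $addr) === 1;
}

// Anything placed on a header line must not carry CR, LF or NUL.
function is_header_safe($value): bool
{
    return is_string($value) && preg_match('/[\r\n\x00]/', $value) === 0;
}

// Returns the arguments for mail(), or null when the submission is rejected.
function prepare_mail(array $form): ?array
{
    $from    = $form['from'] ?? null;
    $subject = $form['subject'] ?? null;
    $message = $form['message'] ?? null;
    if (!is_valid_address($from) || !is_header_safe($subject) || !is_string($message)) {
        return null;
    }
    // The recipient is fixed server-side and never taken from the form.
    return ['webmaster@example.com', $subject, $message, "From: $from\r\nReply-To: $from"];
}

$samples = [
    'plain submission'      => ['from' => 'visitor@example.com', 'subject' => 'Hi', 'message' => 'Hello'],
    'extra header in from'  => ['from' => "visitor@example.com\r\nBcc: list@example.net", 'subject' => 'Hi', 'message' => 'x'],
    'trailing newline'      => ['from' => "visitor@example.com\n", 'subject' => 'Hi', 'message' => 'x'],
    'line break in subject' => ['from' => 'visitor@example.com', 'subject' => "Hi\r\nCc: list@example.net", 'message' => 'x'],
    'array instead of text' => ['from' => ['visitor@example.com'], 'subject' => 'Hi', 'message' => 'x'],
];

foreach ($samples as $label => $form) {
    $args = prepare_mail($form);
    // A real handler would call mail(...$args) here; the example only reports.
    printf("%-22s %s\n", $label, $args === null ? 'rejected' : 'accepted');
}
```

Only the first sample is accepted; the other four fail either the address pattern or the header check before anything reaches mail().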