How secure can a PHP-driven HTML contact form using Swiftmailer be?

I have a PHP-driven HTML contact form on my site. Currently I use the PHP mail() function. Because of that I have to do a lot of user-input validation to avoid email header injection attacks. I think I'm secure, but I probably forgot something and I want to move to a solid PHP email library. The library I selected is Swiftmailer.

Now I want to check if Swiftmailer addresses the following:

  1. Removes or escapes < and > characters in sender names.
  2. Removes newlines (\n, \r\n...) from sender names.
  3. Removes or escapes newlines from the email subject.
  4. Normalizes newlines in the message body (the content of the email). As per the PHP docs, \n should be used in content and \r\n as the email header separator.

PS: I tried to contact the Swiftmailer team with my questions without success so I'm trying here.

Edit:

I did some test cases with Swiftmailer and this is what I found so far:

  1. When you have a < or > in the name of a sender, you get an Undeliverable email error mail. This could somewhat lead to a DoS attack on your mail server (maybe I'm wrong). Is this normal?!
  2. The newlines are escaped so the injection attack fails.
  3. The newlines are escaped so the injection attack fails.
  4. Tested but I'm unable to see what Swiftmailer does (if it does something). So I'm still in the dark here.

Can someone clarify #1 and #4 for me? I'm not sure if it's normal behavior...

AlexV asked Jul 06 '11 19:07


1 Answer

EDIT: This answer may be obsolete. At the time I wrote this, there were some problems with the SwiftMailer library. At this point, everything is working fine with SwiftMailer, and it is considered to be the better library with a lot more to offer than PHPMailer.

I would suggest you use phpmailer. It is one of the most stable mailing libraries I've ever used. Here's some example code that should be working:

include("./phpmailer/class.phpmailer.php");
$mail = new PHPMailer(true); // the true param means it will throw exceptions on errors, which we need to catch
$mail->IsSMTP();
$mail->SMTPDebug = 2; // verbose SMTP log while testing; set to 0 in production
$mail->SMTPAuth = true;
$mail->SMTPSecure = "tls";
$mail->Host = "YourSMTPMailServer.com";
$mail->Port = 587;
$mail->Username = "[email protected]";
$mail->Password = "password"; // GMAIL password
// display names deliberately contain characters that would break a raw header
$mail->AddAddress("[email protected]", '<< >> ! " Receiver Name');
$mail->SetFrom('[email protected]', '<< >> ! " Sender Name');
$mail->Subject = "A testing subject";
$mail->AltBody = 'To view the message, please use an HTML compatible email viewer!';
$mail->MsgHTML('This is my <b>html</b> testing email, sent '.time());
try {
    $mail->Send();
    echo "Message sent!";
} catch (Exception $e) {
    // with the true param above, any SMTP or addressing error ends up here
    echo "Mailer error: " . $e->getMessage();
}

You'll need to configure this so that it connects to your email server, but it should be working. PHPMailer has so far escaped everything I've tried. The only thing I'm checking is "[email protected]". I do it with this code:

$email = "[email protected]";
$email = filter_var(filter_var($email,FILTER_SANITIZE_EMAIL),FILTER_VALIDATE_EMAIL);

if($email){
    echo "This email is valid!";
} else {
    echo "This email is INVALID!";
}

I hope this helps :)

tftd answered Oct 21 '22 18:10
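The four checks the question lists (angle brackets and newlines in sender names, newlines in the subject, newline normalization in the body) and the filter_var() address check from the answer, combined into one library-independent validation layer that runs before any mailer is involved. This is an added example, not code from either poster or from the Swiftmailer or PHPMailer projects; the function names, the sample addresses and the two sample submissions are constructed for it. The cleaned fields are what you would then hand to the mailer (for PHPMailer, SetFrom(), AddAddress(), Subject and MsgHTML() as in the answer's snippet), so a library quirk like the one in point #1 of the question never sees raw form input.

```php
<?php
// Added example, not code from the question or the answer. Library-independent
// validation for a contact form: reject line breaks in header fields, strip
// angle brackets from display names, validate the address, normalize body
// newlines. Function names and sample submissions are constructed.

// A header field (display name, subject) must never contain a line break:
// a CR or LF is exactly what lets an extra header such as Bcc: be injected.
// Reject instead of stripping, so the attempt shows up in your logs.
function header_safe(string $value, int $maxLen): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    return preg_match('/[\r\n\0]/', $value) ? null : $value;
}

// Display name: additionally drop < > and " so the name can never be read
// as a second address or as unbalanced quoting inside  "Name" <addr>.
function sanitize_display_name(string $name): ?string
{
    $name = header_safe($name, 100);
    if ($name === null) {
        return null;
    }
    $name = trim(str_replace(['<', '>', '"'], '', $name));
    return $name === '' ? null : $name;
}

// Address: a single mailbox that passes FILTER_VALIDATE_EMAIL (which itself
// refuses line breaks and angle brackets).
function sanitize_address(string $email): ?string
{
    $email = header_safe($email, 254);
    if ($email === null) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Body: line breaks are legitimate here, so normalize CRLF and bare CR to
// "\n" (the convention the question cites from the PHP docs) and strip the
// remaining ASCII control characters except tab and newline.
function normalize_body(string $body): string
{
    $body = str_replace(["\r\n", "\r"], "\n", $body);
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $body);
}

// Validate a whole submission. Returns ['fields' => [...]] on success or
// ['errors' => [field names]] when any header field was rejected.
function validate_contact_form(array $form): array
{
    $fields = [
        'name'    => sanitize_display_name($form['name'] ?? ''),
        'email'   => sanitize_address($form['email'] ?? ''),
        'subject' => header_safe($form['subject'] ?? '', 200),
    ];
    $errors = array_keys(array_filter($fields, 'is_null'));
    if ($errors) {
        return ['errors' => $errors];
    }
    $fields['body'] = normalize_body($form['body'] ?? '');
    return ['fields' => $fields];
}

// Constructed sample 1: an ordinary submission whose name contains < >.
$good = validate_contact_form([
    'name'    => 'Alice <alice@example.invalid>',
    'email'   => 'alice@example.invalid',
    'subject' => 'Question about your site',
    'body'    => "Line one\r\nLine two\rLine three",
]);

// Constructed sample 2: a header-injection attempt through the name field.
$bad = validate_contact_form([
    'name'    => "Alice\r\nBcc: someone@example.invalid",
    'email'   => 'alice@example.invalid',
    'subject' => 'Hi',
    'body'    => 'x',
]);

foreach (['good' => $good, 'bad' => $bad] as $label => $result) {
    if (isset($result['errors'])) {
        // Log and refuse; never "repair" a header field that held a newline.
        error_log("contact form [$label] rejected: " . implode(',', $result['errors']));
    } else {
        // $result['fields'] is safe to pass to SetFrom()/AddAddress()/Subject/MsgHTML().
        error_log("contact form [$label] accepted from " . $result['fields']['email']);
    }
}
```

The design choice worth noting is that header fields are rejected, not cleaned: a display name or subject with a CR/LF in it has no legitimate origin in a form field, and refusing it keeps the attempt visible in your logs, whereas the body keeps its line breaks and only has them normalized to "\n".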