Quoting/Escaping variables in mail body

I am feeling a bit awkward, because I am generating a mail body with PHP without escaping the variables. In HTML I am using htmlspecialchars() or similar functions, for command lines escapeshellarg(), but for mail? For example something like this:

<?php
$usercontent = $_GET['usercontent'];
mail("[email protected]", "My Subject", "My body with $usercontent included");
?>

What could a possible attacker do with a script like the one above and how could I protect against such an attack? Or is PHP mail() safe, and why?

Update

Please refer to the example:

  • Only the body is affected (No Headers!)
  • Content-Type is text/plain
  • Some proof to the answer would be nice
  • MTA is a postfix sendmail with "/usr/sbin/sendmail -t -i"
Trendfischer asked Apr 17 '13 12:04


1 Answer

The basic e-mail message body is plain text. If you want a different type like HTML or a multipart message, you need to use the MIME extension and specify the type accordingly using Content-Type (e.g. text/html for HTML or multipart/… for a multipart message).

So from the security perspective, there is no way to inject anything harmful (at least not as per specification). Even non-ASCII characters should be handled correctly despite the lacking declaration of the used character encoding.

However, there still may be some flaws in e-mail clients which can be exploited this way. But I doubt that.

Gumbo answered Nov 08 '22 09:11
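An added example, not code from the question or from the answer, of how the body-only mail() call in the question can be hardened along the lines the answer describes: the body stays text/plain, the charset that the answer notes is left undeclared is declared explicitly, every header value is a fixed string, and the untrusted text is normalized before it is handed to sendmail. The recipient address, the size limit, the function names and the use of the mbstring extension are assumptions of this example, not something the page specifies.

```php
<?php
// Added example (not from the question or the answer). Assumptions: the body
// is text/plain, the MTA is sendmail, recipient and subject are fixed strings,
// only $usercontent comes from the user, and the mbstring extension is loaded.

/**
 * Prepare untrusted text for inclusion in a plain-text e-mail body.
 * This only treats the body; user input must still be kept out of headers.
 */
function sanitize_plaintext_body(string $input, int $maxBytes = 10000): string
{
    // Cap the size first so the rest of the work is bounded.
    if (strlen($input) > $maxBytes) {
        $input = substr($input, 0, $maxBytes);
    }
    // Replace invalid UTF-8 sequences (including any cut by substr) instead
    // of passing broken bytes to the MTA; preg_replace with /u would otherwise
    // fail on them.
    if (!mb_check_encoding($input, 'UTF-8')) {
        $input = mb_convert_encoding($input, 'UTF-8', 'UTF-8');
    }
    // Normalize line endings to LF, which is what sendmail on Unix expects.
    $input = str_replace(["\r\n", "\r"], "\n", $input);
    // Strip control characters except LF and TAB (NUL, ESC sequences, DEL, ...).
    $input = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/u', '', $input);
    // Keep lines short; the PHP manual recommends wrapping at 70 characters.
    return wordwrap($input, 70, "\n", true);
}

function build_message(string $usercontent): string
{
    return "My body with " . sanitize_plaintext_body($usercontent) . " included";
}

$usercontent = $_GET['usercontent'] ?? '';

// Declare the content type and charset explicitly so the client does not have
// to guess, and keep every header a fixed string with no user input in it.
$headers = implode("\r\n", [
    'MIME-Version: 1.0',
    'Content-Type: text/plain; charset=UTF-8',
    'Content-Transfer-Encoding: 8bit',
]);

// Placeholder recipient; the real address is not part of this example.
mail('recipient@example.com', 'My Subject', build_message($usercontent), $headers);
```

Two details of the setup in the question matter for why the body is harmless here. With `sendmail -t`, recipients are read from the To/Cc/Bcc headers, so it is user input in headers, not in the body, that would let an attacker add recipients; PHP's mail() writes the headers and the blank separator line before the body, so body text cannot become a header. The `-i` flag makes sendmail ignore a line consisting of a single `.`; without it, a user-supplied body containing such a line would silently truncate the message, which is a denial-of-content issue rather than an injection.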