You’re talking about email injection security vulnerability. For example, if you’re passing custom headers to the mail() function like in the following code sample, you’re vulnerable:

<?php
$additional_headers = "Reply-To: {$_GET['user_email']}";
mail($to, $subject, $message, $additional_headers);
?>

Consider that a malicious user passes not only his email, but also additional headers like this:

<?php
//$_GET['user_email'] = "me@example.net";// this is what you expect
// this is what you're getting actually
$_GET['user_email'] = "me@example.net\r\nBcc: someone@example.net, ...";
?>

Then a malicious user would send a carbon copy of his supposedly SPAM-ridden message to a virtually unlimited list of users from your server under your name. One can even replace your message completely with his own this way by adding certain otherwise-safe MIME headers. You can only imagine to what consequences this can lead!

Solution is simple: don’t trust anything you receive from a user, and filter/validate the received data.