Aj, aj, aj- I am blushing!
But really appreciate the lesson, still.
I put access to the $to variable in the form in order to find out if it would mail to myself, testing the sendmail mechanism.
But, in my testing frenzy the potential abuse did not occur to me. As soon as a upload finishes I'll take it out, and change the variable name. Will that be a bit safer then?
I'll try the header hypothesis, and check the parsing. I am using a modified version of the old "readparse." (Brenner's?)
Again, thanks. I feel some hope now (mixed with shame, fear, and trembling)

Dagfinn

Volda, Norway, where trolls dance on the telephonewires