in reply to Re: Insecurities in my scripting
in thread Insecurities in my scripting
Even worse, an attacker could put the entire message and his own headers in the useremail parameter. Newlines are allowed in form parameters. The attacker could forge his own email headers and push the real message to the bottom.
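An added example, not part of the original post or the script under discussion: it shows how a mail parser reads a message whose From line was built from an unchecked `useremail` value, next to a check that rejects the value before it reaches the header block. The function names, the `owner@example.com` recipient, the address pattern and the sample input are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: a form value carrying CRLF, an extra header and a body.
HOSTILE = "visitor@example.com\r\nSubject: forged subject\r\n\r\nforged body"

# Deliberately strict addr-spec pattern (an assumption; adjust to local policy).
ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def naive_message(useremail, body):
    """Vulnerable pattern: the form value is interpolated into the headers."""
    return (f"From: {useremail}\r\n"
            "To: owner@example.com\r\n"
            "Subject: Feedback\r\n"
            "\r\n"
            f"{body}")


def clean_address(useremail):
    """Reject control characters (CR and LF included), then require one address."""
    if re.search(r"[\x00-\x1f\x7f]", useremail):
        raise ValueError("control character in useremail")
    if not ADDR.fullmatch(useremail):
        raise ValueError("useremail is not a plain address")
    return useremail


def safe_message(useremail, body):
    """Same message layout, but the value is validated before use."""
    return naive_message(clean_address(useremail), body)


def parsed(raw):
    """Return (header names, subject, body) as a mail parser sees the text."""
    msg = message_from_string(raw)
    return list(msg.keys()), msg["Subject"], msg.get_payload()


if __name__ == "__main__":
    names, subject, body = parsed(naive_message(HOSTILE, "real text"))
    print("headers seen:", names)      # the script's To/Subject are gone
    print("subject seen:", subject)
    print("body seen   :", repr(body))  # the real text is at the bottom
    try:
        safe_message(HOSTILE, "real text")
    except ValueError as err:
        print("rejected    :", err)
```

Validation belongs on every form value that ends up in a header line (name, subject, reply address), not only `useremail`.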