Yes. The way the spammers are hijacking your script is by sending their own To: field (the person being spammed) and their own Body: field (the spam itself).

If you hard code the To: field, the spammer won't be able to send email to anyone other than the person hard coded already. That defeats the purpose for them, and they won't use it.