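// clean vars from email injection
//
// Scans one form value for a small set of mail-header fragments. Every hit is
// defused by wrapping it in "(anti-spam-...)" so the value can no longer act
// as a usable header, the request is reported to $report_to, and a hit from a
// client that sent no User-Agent header terminates the script outright.
//
// The check list holds plain substrings, not patterns: the original fed them
// to eregi()/eregi_replace(), which were removed in PHP 7, so the same
// case-insensitive match is now done with stripos()/str_ireplace(). The list
// does NOT contain CR/LF, the delimiter an injected header actually needs, so
// this remains a heuristic, not a complete header-injection filter.
//
// @param mixed  $value     form value to clean; scalars/null are cast to
//                          string, anything else is returned untouched
// @param string $report_to address that receives the abuse report; pass ''
//                          to disable reporting
// @return mixed the cleaned value
function _local_replace_bad($value, $report_to = 'ben@ninefortynine.com')
{
    // stripslashes() raises a TypeError on arrays in PHP 8; leave non-scalars
    // alone instead of crashing the form handler.
    if (!is_scalar($value) && $value !== null) {
        return $value;
    }
    $value = (string) $value;

    // array holding strings to check, we do not trust these strings in $_POST
    $suspicious_str = array(
        'content-type:',
        'charset=',
        'mime-version:',
        'multipart/mixed',
        'bcc:',
    );

    // remove added slashes from $value (magic_quotes-era input)...
    $value = stripslashes($value);

    $suspect_found = false;
    foreach ($suspicious_str as $suspect) {
        // case-insensitive, literal match - equivalent to the old eregi() calls
        if (stripos($value, $suspect) !== false) {
            // mangle the fragment a little so it can't be used as a header
            $suspect_found = true;
            $value = str_ireplace($suspect, '(anti-spam-' . $suspect . ')', $value);
        }
    }

    if (!$suspect_found) {
        return $value;
    }

    // very often HTTP_USER_AGENT is empty. We consider this is 100% spam.
    // Checked on the raw header (not on the 'empty' placeholder below) so a
    // client whose UA string is literally "empty" is not killed by mistake.
    if (empty($_SERVER['HTTP_USER_AGENT'])) {
        exit();
    }

    // if we are here, then HTTP_USER_AGENT is not empty. this is only 80-90%
    // that it is spam. Remember, that the value was already changed. But we
    // still want to inform our admin about this suspicious request.
    if ($report_to !== '' && function_exists('mail')) {
        $ip = _local_server_or_empty('REMOTE_ADDR');
        $rf = _local_server_or_empty('HTTP_REFERER');
        $ua = _local_server_or_empty('HTTP_USER_AGENT');
        $ru = _local_server_or_empty('REQUEST_URI');
        $rm = _local_server_or_empty('REQUEST_METHOD');
        $host = _local_server_or_empty('HTTP_HOST');

        // HTTP_HOST and the address end up in the Subject of the report mail;
        // both are client-influenced, so keep line breaks out of the header.
        $subject = str_replace(
            array("\r", "\n"),
            ' ',
            '[ABUSE] [SUSPECT] @ ' . $host . ' by ' . $ip
        );

        $body = 'Stopped possible mail-injection @ ' . $host . ' by ' . $ip
            . ' (' . date('d/m/Y H:i:s') . ")\r\n\r\n"
            . "*** IP/HOST\r\n" . $ip . "\r\n\r\n"
            . "*** USER AGENT\r\n" . $ua . "\r\n\r\n"
            . "*** REFERER\r\n" . $rf . "\r\n\r\n"
            . "*** REQUEST URI\r\n" . $ru . "\r\n\r\n"
            . "*** REQUEST METHOD\r\n" . $rm . "\r\n\r\n"
            . "*** SUSPECT\r\n-----\r\n" . $value . "\r\n-----";

        // The report is best-effort: a broken MTA must not break the form
        // handler, hence the suppressed warning and the log fallback.
        if (!@mail($report_to, $subject, $body)) {
            error_log('_local_replace_bad: could not send abuse report to ' . $report_to);
        }
    }

    return $value;
}

// $_SERVER entry for $key, or the literal 'empty' when it is missing or empty
// (mirrors the original's ternaries, including empty()'s treatment of "0").
function _local_server_or_empty($key)
{
    return empty($_SERVER[$key]) ? 'empty' : $_SERVER[$key];
}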