I need suggestions for a good script that will process forms where the form has all the data in it that it needs to process the form (I am using ONE form for multiple people/departments, so depending on the "section" the visitor is at, the mailto address changes; as such I need a script that doesn't require the mailto value to be set in the script itself - just handle what it has been sent).

I thought I had a good one in place but despite security assurances it was still being "hijacked" by spammers and blew the server load all to heck. :mad:

Thanks!

    Let me see if I have this correct:

    1) You have a form with multiple parts.
    2) Each part is to be routed to a different email address, via SendMail

    Is this correct?

    Is the sendmail encoding loaded in the form itself? If not, please give me a general idea of what the hijackers are doing to get access to your SendMail server. Once I have an idea of what's going on, perhaps I or someone else can suggest an alternative scripting solution.

      The reason that they can hijack your sendmail is precisely because you include the to address in the form data. Hijacking works by appending a BCC list to data on the form that you then include in your email headers - like your variable to address.

      The simplest fix is just to not use any data from the form post in your email headers.

      To get around that problem in your particular case, just have a var that you use in a switch structure to determine which send to address to use.

      eg

      // Only the selector comes from the form; the addresses are fixed here.
      switch ($_POST['who']) {
      case 1:
        $to = 'joe.blow@home.com';
        break;
      case 2:
        $to = 'fred.bloggs@away.co.uk';
        break;
      case 3:
        $to = 'sandy.shaw@the.beach.com';
        break;
      default:
        $to = 'admin@the-end-of-his-tether.com';
      }

      // $subject, $body and $headers are built elsewhere; none of the
      // header values should come from the form post.
      mail($to, $subject, $body, $headers);
      

      Other than that, you are going to have to cleanse the user data with regular expressions to trap any line feeds, any Bcc lists, and generally jump through hoops to stop them. Better to just NEVER use any form data in your headers.
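The following is an added PHP example, not code from the thread, showing the two halves of the reply above side by side: the naive header build that lets a CRLF-carrying form field smuggle in a Bcc list, and the allowlist version where only a selector key comes from the request. The function names (naive_headers, has_header_injection, build_mail), the RECIPIENTS map, the sample post and the webform@example.com sender are all assumptions for the demo; the real mail() call is left commented out.

```php
<?php
// Added example (not from the original thread). Helper names and addresses
// are hypothetical; the recipient addresses reuse the ones in the reply.

// Constructed sample of a hijacked submission: the "email" field carries a
// CRLF followed by an extra header, which is how Bcc lists get appended.
$hijacked_post = [
    'who'   => '2',
    'name'  => 'Victim',
    'email' => "victim@example.com\r\nBcc: spam1@example.net, spam2@example.net",
    'msg'   => 'Hello',
];

// VULNERABLE: request data concatenated straight into the header block.
function naive_headers(array $post): string
{
    return "From: " . $post['email'] . "\r\n" .
           "Reply-To: " . $post['email'] . "\r\n";
}

// Allowlist: the form's "who" value is only a key, never an address.
const RECIPIENTS = [
    '1' => 'joe.blow@home.com',
    '2' => 'fred.bloggs@away.co.uk',
    '3' => 'sandy.shaw@the.beach.com',
];
const FALLBACK_TO = 'admin@the-end-of-his-tether.com';

// True if the value contains a raw or URL-encoded line break, i.e. could
// start a new header line.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]|%0[ad]/i', $value) === 1;
}

// HARDENED: build the mail() arguments with no unvalidated request data in
// the headers. Returns null when the submission should be rejected.
function build_mail(array $post): ?array
{
    $to = RECIPIENTS[$post['who'] ?? ''] ?? FALLBACK_TO;

    // FILTER_VALIDATE_EMAIL already rejects CR/LF; the explicit check is
    // kept so the intent is visible and survives a change of validator.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false || has_header_injection($email)) {
        return null;   // reject: invalid or injected sender address
    }

    // Reply-To is the only header that carries user data, and it is validated.
    $headers = "From: webform@example.com\r\nReply-To: " . $email . "\r\n";
    $subject = 'Web form submission';   // fixed text, not from the form
    $name    = str_replace(["\r", "\n"], ' ', $post['name'] ?? '');
    $body    = "Name: " . $name . "\n\n" . ($post['msg'] ?? '');

    return [$to, $subject, $body, $headers];
}

// Demonstration: the naive build now contains a Bcc header.
$naive = naive_headers($hijacked_post);
echo "Naive header block:\n" . $naive . "\n";
echo "Bcc injected: " . (preg_match('/^Bcc:/mi', $naive) ? 'yes' : 'no') . "\n";

// The hardened build refuses the same submission...
echo "Hardened build: " . (build_mail($hijacked_post) === null ? 'rejected' : 'accepted') . "\n";

// ...and accepts a clean one, routing by the allowlisted key.
$clean_post = $hijacked_post;
$clean_post['email'] = 'victim@example.com';
$safe = build_mail($clean_post);
if ($safe !== null) {
    [$to, $subject, $body, $headers] = $safe;
    echo "Would send to $to with headers:\n$headers";
    // mail($to, $subject, $body, $headers);   // real send, omitted for the demo
}
```

Run with `php example.php`: the first block prints the injected Bcc line, the hijacked post is rejected, and the clean post is routed to fred.bloggs@away.co.uk with only the fixed From and the validated Reply-To in the headers.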
