One example of this is SQL injection. Characters like ' and -- suddenly have a big impact on the query.
The metacharacter in email header injections is the line feed: '\n', 0x0a, or 10 in decimal. URL-encoded, it is %0a. This is because the newline separates headers in emails. Here is an example of an email:

To: [email protected]
Subject: Hello
From: [email protected]

Hi,
Your site is great.
Bye

When an attacker can change data which goes into headers, he can simply add a newline and put in whatever headers he may prefer.
An example of injecting a header in the "From" field:
The resulting email will look like this:

To: [email protected]
Subject: Hello
From: [email protected]
Cc: [email protected]

Hi,
Your site is great.
Bye

This will fire off a blind carbon copy to [email protected]
This technique is used by spammers to spread their spam. The spammers construct very specific header injections, which will change the subject and the body.
A simple blacklist approach where you strip away all newlines may seem viable. But for maximum security, one should also account for unknown attacks. The best solution would be a regular expression which checks for valid email addresses.
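
The allowlist check recommended above, shown next to the unvalidated concatenation it replaces. This is an added example, not code from the original page; the function names, the regular expression and the example.com/.org/.net addresses are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Conservative allowlist (assumption, not full RFC 5322): local part, "@", dotted domain.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def is_valid_address(value):
    # fullmatch, not match() with "$": in Python "$" also matches just before a
    # trailing "\n", which would let "sender@example.org\n" through.
    return ADDRESS_RE.fullmatch(value) is not None

def build_message(sender, validate=True):
    """Build a raw message with the user-supplied sender in the From header.

    validate=False reproduces the vulnerable behaviour described in the text.
    """
    if validate and not is_valid_address(sender):
        raise ValueError("rejected sender address: %r" % sender)
    headers = ["To: webmaster@example.com", "Subject: Hello", "From: " + sender]
    return "\n".join(headers) + "\n\nHi,\nYour site is great.\nBye\n"

def header_names(raw):
    """Return the header names a mail parser sees (lines before the blank line)."""
    head = raw.split("\n\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\n")]

# Constructed form input: URL decoding turns %0a into a line feed.
INJECTED = unquote("sender@example.org%0aCc: victim@example.net")

if __name__ == "__main__":
    # Without validation the message gains a fourth header.
    print(header_names(build_message(INJECTED, validate=False)))
    try:
        build_message(INJECTED)
    except ValueError as exc:
        print(exc)
```

Because the pattern only admits characters that are valid in an address, it rejects carriage returns and any other control character as well as the line feed, which is the advantage over stripping a known list of bad characters.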