I've created a tell a friend/referral form that basically accepts 5 email addresses for the user to refer to his/her friends. Now I've also added a couple of other bits of functionality that I want to make sure won't be a problem:
the email's 'From' field is what the user enters as their email (so when the friend receives the message, it is seen as sent from the user).
Also, the subject and message can be changed by the user to make them personalised to the people they are sending to.
Will this all be OK? I've seen other sites that open an email window (with your default email program) and therefore have the message as sent by you, and allow you to change the message.
Also, sms.ac for example automatically sends off emails using your address in the from field.
The problem is that you have just created a perfect spamming tool. A spammer can easily write a script to loop through a million email addresses using your form handler to send its custom-made spam messages to those million addresses. They can use whatever from address, subject and message body they like and not face any retribution because they are not the originator of the email. You on the other hand may find yourself very quickly blacklisted and even facing other action, or if you host then your host will get kicked and they will drop you like a hot potato.
That is exactly why many sites restrict what you can change on such forms and why others open up an email client. If the spammer has to send the email with their own client then they gain nothing over writing a script to blast emails out directly; they are not piggybacking on your email server.
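One way to restrict such a form, as an added example that is not part of the original posts: the From address, subject and body are fixed by the site, the user's address goes only into Reply-To, and submissions are capped per client. The addresses, template text, limits and function names below are assumptions made for the sketch.

```python
import re
import time
from email.message import EmailMessage
from email.utils import formataddr

SITE_FROM = "referrals@example.com"  # assumed site-owned sender address
MAX_RECIPIENTS = 5                   # the form accepts five addresses
MAX_SENDS_PER_HOUR = 3               # assumed per-client limit
SUBJECT = "A friend recommended example.com"                   # not user-editable
BODY = "{name} thought you might like https://example.com/\n"  # fixed template

_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
_recent = {}  # client id -> submission timestamps (in-memory for the sketch)

def _clean_addr(value):
    """Return a plausible address; reject CR/LF so no header can be injected."""
    value = value.strip()
    if "\r" in value or "\n" in value or not _ADDR.match(value):
        raise ValueError("invalid address")
    return value

def allow(client_id, now=None):
    """Sliding one-hour window per client; stops a script looping over the form."""
    now = time.time() if now is None else now
    hits = [t for t in _recent.get(client_id, []) if now - t < 3600]
    allowed = len(hits) < MAX_SENDS_PER_HOUR
    _recent[client_id] = hits + [now] if allowed else hits
    return allowed

def build_referrals(sender_name, sender_email, recipients):
    """Build one message per friend with a fixed From, subject and body."""
    sender_email = _clean_addr(sender_email)
    # Keep only harmless characters in the display name (drops CR/LF and braces).
    name = re.sub(r"[^\w .'-]", "", sender_name).strip()[:40] or "A friend"
    friends = {_clean_addr(r) for r in recipients if r.strip()}
    if not 1 <= len(friends) <= MAX_RECIPIENTS:
        raise ValueError("between 1 and 5 recipients required")
    messages = []
    for friend in sorted(friends):
        msg = EmailMessage()
        msg["From"] = formataddr((name + " via example.com", SITE_FROM))
        msg["Reply-To"] = sender_email  # replies still reach the user
        msg["To"] = friend
        msg["Subject"] = SUBJECT
        msg.set_content(BODY.format(name=name))
        messages.append(msg)
    return messages
```

The returned messages can be handed to `smtplib.SMTP.send_message`; in a real handler the rate-limit state would live in shared storage rather than a module-level dict.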