I have been informed by my ISP that my site has been used to send spam. I have noticed a couple of strange e-mails in the last day. They have initiated mod_security on the site, but advised me to notify you, to change the "sendmail" code. They feel it is somewhere in the "Contact Me" code.
My hosting company sent out a notice some time back about contact forms. In fact, they took a proactive stance of searching servers for files named "contact.php" and would delete them (or at least that's what they said they would do)! So I just changed my contact form to another file name and changed the links. Therefore this is NOT an issue unique to PHPFusion.
Bad_boy is right about this being posted earlier. In fact, I think I posted my hosting company's email when I received it so Fusion users would be aware that there were hackers out there looking for that file name so they could exploit it.
There was a howto some time ago about why you should never put "Contact.php" on the server in that exact name. You should always rename it to a random name because people scan for that exact name. I would recommend not putting contact.php on your server if you've already had problems. If people want to email you, they'll contact you if it's important.
Chris, are you running the latest version, 6.00.305? There was a problem with spam in an older version. If you are not running the latest version, try upgrading.
Something I have noted is that this all started after I put my site up on the PHPFusion site as an example. I suspect there are a number of lurkers that snatch up the new site URLs and go to work to hack them!
I suggest that this be removed from the PHPFusion site until this can get hammered out. No point in spoon-feeding the idiots.