diff -Naur a/ext/standard/mail.c b/ext/standard/mail.c --- a/ext/standard/mail.c 2018-07-31 16:33:11.000000000 +0200 +++ b/ext/standard/mail.c 2018-08-03 19:04:05.502933562 +0200 @@ -58,6 +58,13 @@ } \ continue; \ } \ + else if (str[pos] == '\n' && (str[pos + 1] == ' ' || str[pos + 1] == '\t')) { \ + pos += 1; \ + while (str[pos + 1] == ' ' || str[pos + 1] == '\t') { \ + pos++; \ + } \ + continue; \ + } \ #define MAIL_ASCIIZ_CHECK(str, len) \ p = str; \ @@ -279,6 +286,46 @@ } +static long +count_recipients(const char *str, int len, int skip_field) +{ + long recipients = 0; + int got_field, i; + + if (str == NULL || len <= 0) + return 0; + + got_field = skip_field; + for (i = 0; str[i]; i++) { + /* search for mime-fields + * either at beginning or after '\n' of the string + */ + if (!got_field && + (!strncasecmp(&str[i], "To: ", strlen("To: ")) || + !strncasecmp(&str[i], "Cc: ", strlen("Cc: ")) || + !strncasecmp(&str[i], "Bcc: ", strlen("Bcc: ")) + )) { + if (i == 0 || (i > 0 && str[i - 1] == '\n')) + got_field = 1; + } + + /* search for every '@', don't stop at long headers */ + if (got_field) { + if (str[i] == '@') + recipients++; + else if (str[i] == '\n') + if (i == len - 1 || (str[i + 1] != ' ' && str[i + 1] != '\t')) + got_field = 0; + } + + /* message body starts here */ + if (i > 0 && str[i - 1] == '\n' && str[i] == '\n') + break; + } + + return recipients; +} + /* {{{ proto int mail(string to, string subject, string message [, string additional_headers [, string additional_parameters]]) Send an email message */ PHP_FUNCTION(mail) @@ -290,8 +337,10 @@ size_t to_len, message_len; size_t subject_len, i; char *force_extra_parameters = INI_STR("mail.force_extra_parameters"); - char *to_r, *subject_r; + char *to_r=NULL, *subject_r=NULL; char *p, *e; + long recipients = 0; + long max_recipients = INI_INT("sendmail_max_recipients"); ZEND_PARSE_PARAMETERS_START(3, 5) Z_PARAM_STRING(to, to_len) 
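Review bot: In `count_recipients` the field match compares against `"To: "`, `"Cc: "` and `"Bcc: "` including the trailing space, so a recipient header written with a tab or no space after the colon never sets `got_field` and its addresses are left out of the total. Matching on the name and colon only, e.g. `!strncasecmp(&str[i], "To:", 3)` and likewise for `"Cc:"` and `"Bcc:"`, closes that gap. The `len` parameter is an `int` although the callers in the later hunk pass `size_t` lengths, and the loop stops on the NUL byte rather than on `len`; `size_t len` with an `i < len` bound avoids the narrowing. Counting `@` is a heuristic that misses addresses without a domain part, which is worth stating in a comment above the function.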
@@ -326,6 +375,19 @@ MAIL_ASCIIZ_CHECK(ZSTR_VAL(extra_cmd), ZSTR_LEN(extra_cmd)); } + /* count recipients */ + if (max_recipients > 0) { + recipients += count_recipients(to, to_len, 1); + if (str_headers) { + recipients += count_recipients(ZSTR_VAL(str_headers), ZSTR_LEN(str_headers), 0); + } + if (recipients > max_recipients) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Max recipients reached, mail not sent."); + RETVAL_FALSE; + goto end; + } + } + if (to_len > 0) { to_r = estrndup(to, to_len); for (; to_len; to_len--) { @@ -341,7 +403,9 @@ * To prevent these separators from being replaced with a space, we use the * SKIP_LONG_HEADER_SEP to skip over them. */ SKIP_LONG_HEADER_SEP(to_r, i); - to_r[i] = ' '; + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Disallowed characters in mail parameters, mail not sent."); + RETVAL_FALSE; + goto end; } } } else { @@ -359,7 +423,9 @@ for (i = 0; subject_r[i]; i++) { if (iscntrl((unsigned char) subject_r[i])) { SKIP_LONG_HEADER_SEP(subject_r, i); - subject_r[i] = ' '; + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Disallowed characters in mail parameters, mail not sent."); + RETVAL_FALSE; + goto end; } } } else { @@ -378,6 +444,7 @@ RETVAL_FALSE; } +end: if (str_headers) { zend_string_release_ex(str_headers, 0); } 
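Review bot: The `goto end` added here, and again in the two control-character hunks that follow, enters the shared cleanup at the new `end:` label at a point where `extra_cmd` is still the string produced by argument parsing. The release code after `end:` is mostly outside the visible hunks; if it releases `extra_cmd`, the early exit would drop a reference the function may not own. Confirm that the cleanup only releases `extra_cmd` once it holds an owned copy, or send the early exits to a second label placed after that release. `to_r` and `subject_r` are initialised to NULL in the declaration hunk, presumably for the same reason, so check that the frees after the label accept NULL.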
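Review bot: The comment kept above `SKIP_LONG_HEADER_SEP(to_r, i);` still describes separators being "replaced with a space", but the new lines no longer replace anything; any control character that is not part of a folded separator now aborts the send. Update it, for example `/* Folded header separators are skipped by SKIP_LONG_HEADER_SEP; any other control character rejects the message. */`. The subject hunk that follows emits the identical warning, so the message cannot tell the reader which argument was refused; naming it, as in `"Disallowed characters in mail 'to' parameter, mail not sent."`, would help. The loop that encloses these lines starts outside the hunk.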
@@ -486,10 +553,23 @@ } \ return val; \ + zval *zhttphost; + char *httphost = NULL; + if ((mail_log && *mail_log) || PG(mail_x_header)) { + if ((Z_TYPE(PG(http_globals)[TRACK_VARS_SERVER]) == IS_ARRAY || zend_is_auto_global_str(ZEND_STRL("_SERVER"))) && + (zhttphost = zend_hash_str_find(Z_ARRVAL(PG(http_globals)[TRACK_VARS_SERVER]), ZEND_STRL("HTTP_HOST"))) != NULL && + Z_TYPE_P(zhttphost) == IS_STRING && + Z_STRLEN_P(zhttphost) > 0) { + httphost = Z_STRVAL_P(zhttphost); + } else { + httphost = ""; + } + } + if (mail_log && *mail_log) { char *logline; - spprintf(&logline, 0, "mail() on [%s:%d]: To: %s -- Headers: %s -- Subject: %s", zend_get_executed_filename(), zend_get_executed_lineno(), to, hdr ? hdr : "", subject); + spprintf(&logline, 0, "mail() on [%s:%d]: To: %s -- HTTP-Host: %s -- Headers: %s -- Subject: %s", zend_get_executed_filename(), zend_get_executed_lineno(), to, httphost, hdr ? hdr : "", subject); if (hdr) { php_mail_log_crlf_to_spaces(logline); @@ -520,16 +600,12 @@ if (PG(mail_x_header)) { const char *tmp = zend_get_executed_filename(); - zend_string *f; - - f = php_basename(tmp, strlen(tmp), NULL, 0); if (headers != NULL && *headers) { - spprintf(&hdr, 0, "X-PHP-Originating-Script: " ZEND_LONG_FMT ":%s\n%s", php_getuid(), ZSTR_VAL(f), headers); + spprintf(&hdr, 0, "X-PHP-Originating-Script: " ZEND_LONG_FMT ":%s\nX-PHP-HTTP-Host: %s\n%s", php_getuid(), tmp, httphost, headers); } else { - spprintf(&hdr, 0, "X-PHP-Originating-Script: " ZEND_LONG_FMT ":%s", php_getuid(), ZSTR_VAL(f)); + spprintf(&hdr, 0, "X-PHP-Originating-Script: " ZEND_LONG_FMT ":%s\nX-PHP-HTTP-Host: %s", php_getuid(), tmp, httphost); } - zend_string_release_ex(f, 0); } if (hdr && php_mail_detect_multiple_crlf(hdr)) { diff -Naur a/main/main.c b/main/main.c --- a/main/main.c 2018-07-31 16:33:06.000000000 +0200 +++ b/main/main.c 2018-08-03 19:01:14.835736094 +0200 
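Review bot: `httphost` is taken from the `HTTP_HOST` entry of the server variables and written into `logline`, but the context lines show `php_mail_log_crlf_to_spaces(logline)` running only inside `if (hdr)`, so a message sent without extra headers logs the value with no line-break filtering. The value originates from the request, and apparently from an array the script can modify, so treat it as untrusted and call `php_mail_log_crlf_to_spaces(logline);` unconditionally. Assigning the literal `""` to a `char *` discards constness; `const char *httphost = NULL;` is the better declaration. A one-line comment stating that the field is informational rather than a verified identity would keep log consumers from over-trusting it.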
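Review bot: The `X-PHP-Originating-Script` header now carries `tmp`, the full executed filename, where the removed lines sent only its `php_basename()`, so every recipient of a message sees the server's filesystem layout. If the full path is wanted for abuse tracking, keep it in the mail log and leave the basename in the header, or document the disclosure alongside the `mail.add_x_header` setting. `httphost` is also formatted onto its own header line unfiltered; whether the `php_mail_detect_multiple_crlf(hdr)` check visible in the context catches a single embedded line break cannot be seen here, so strip control characters from it before the `spprintf` calls.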
@@ -776,6 +776,7 @@
 PHP_INI_ENTRY("precision", "14", PHP_INI_ALL, OnSetPrecision)
 PHP_INI_ENTRY("sendmail_from", NULL, PHP_INI_ALL, NULL)
 PHP_INI_ENTRY("sendmail_path", DEFAULT_SENDMAIL_PATH, PHP_INI_SYSTEM, NULL)
+ PHP_INI_ENTRY("sendmail_max_recipients", "5", PHP_INI_ALL, NULL)
 PHP_INI_ENTRY("mail.force_extra_parameters",NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnChangeMailForceExtra)
 PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL)
 PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL)
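Review bot: `sendmail_max_recipients` is registered with `PHP_INI_ALL`, which lets the script whose mail volume it is meant to cap change the value at runtime, and the check in `mail()` is skipped when the value is not positive. Register it so that only the administrator can set it: `PHP_INI_ENTRY("sendmail_max_recipients", "5", PHP_INI_SYSTEM, NULL)`. The default of 5 also changes behaviour for existing installations that send to larger recipient lists, so it should be called out in the release notes and in the shipped php.ini templates.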