2005-09-13
10:58:56

An entry in kju's blog shows a method to use a PHP contact form to send spam if you simply accept any entries without checking them. The From field is especially vulnerable: there it is easy to inject additional CCs, and all of this can easily be automated by bots.
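To make the problem concrete, here is an added example (not code from kju's blog or from this site) of a contact form that passes the visitor's From field straight into a `mail()` header, next to a hardened version that rejects anything that is not a single valid address; the `webform@example.com` sender address and the sample inputs are constructed for illustration.

```php
<?php
// Vulnerable: the visitor-supplied value lands in the header block verbatim.
// A value like "me@example.com\r\nCc: a@example.org, b@example.org" ends the
// From: line early and injects an extra Cc: header, so mail() delivers copies
// to addresses the form owner never intended. The hardcoded $to does not help.
function send_contact_vulnerable(string $to, string $subject, string $body, string $from): bool
{
    $headers = "From: $from\r\n";
    return mail($to, $subject, $body, $headers);
}

// Hardened: accept exactly one syntactically valid address and nothing else.
// Returns null when the value must be rejected.
function clean_from(string $from): ?string
{
    $from = trim($from);
    // A CR or LF can only mean an attempt to start a new header line.
    if (preg_match('/[\r\n]/', $from)) {
        return null;
    }
    $addr = filter_var($from, FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

function send_contact_hardened(string $to, string $subject, string $body, string $from): bool
{
    $addr = clean_from($from);
    if ($addr === null) {
        // Drop the message instead of sending with an attacker-controlled header;
        // the log line is what you would look for when hunting for abuse.
        error_log('contact form: rejected From value from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
        return false;
    }
    // Keep From: under the site's control and put the visitor in Reply-To:,
    // so every outgoing mail still originates from the site's own domain.
    $headers = "From: webform@example.com\r\n"
             . "Reply-To: $addr\r\n";
    return mail($to, $subject, $body, $headers);
}

// Constructed sample inputs: the first is accepted, the second is rejected.
var_dump(clean_from("visitor@example.com"));
var_dump(clean_from("visitor@example.com\r\nCc: spam1@example.net, spam2@example.net"));
```

The same CR/LF check belongs on every other visitor-supplied value that ends up in a header (for example the subject), since any of them can carry the injected line.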

I didn't experience any problem yet, and as all contact form mail is sent to me (and I don't think you can stop this easily, as the To field is hardcoded), I should definitely see such mails. But nevertheless I changed the PHP code for sending the contact form.

Now I just have to look into this tomorrow at work as well (and I have to check whether some of the spam I get at work is sent via the contact form on the company's homepage).