I'm not into PHP coding myself, so I'm probably missing something at the moment.
But one thing that I see is this:
$addresses = array();
$addresses = 'firstname.lastname@example.org';
$addresses = 'email@example.com';
$to = $addresses[$email_num];
The script does not verify that $email_num is a number, or that it is either a 1 or a 2.
$mailheaders = "From: $name <$email>";
$mailheaders .= "Reply-To: $email";
The script does not insert a linebreak between the From and Reply-To headers. The hole might very well be here - the script does not check the $name or $email values at all, allowing one to exploit the script by inserting their own headers such as Cc or Bcc.
When coding scripts that accept any type of input at all from untrusted sources such as an web site visitor, it is best to figure out exactly what type of input one expects and code the script to only accept that type of input. One should never assume that the input recieved is always valid and/or not an attempt to exploit a flaw.
Secondly, you probably would have been aware of the problem before it got out of hand if the script was logging its actions somehow. Obviously it should appear in the web server log files, but there is nothing stopping one from writing a script that maintains a log file of its own, including the logging the headers for security auditing.
Perl / MySQL / HTML+CSS