It's pretty simple.
Your script is converted data from one format to another. The input looks like this:
name=John Doeemail@example.com&subject=hello there
The output is supposed to look like this:
From: "John Doe" <firstname.lastname@example.org>^CR^LF
Subject: hello there^CR^LF
Now guess what happens if someone starts putting quotes, angle brackets, and ^CR and ^LF in their name and email address and subject? Yup, the output is screwed up. And if they do it just right, this screwed up output results in your script sending out messages that you never intended it to send, such as spam.
E-mail messages have a certain format to follow and you need to read its specification carefully as well as read up on known exploits.
Here is a detailed summary of the problems with the old formmail script from Matt's archive:
Perl / MySQL / HTML+CSS