You've got multiple security vulnerabilities in your code.
First, you aren't sanitizing inputs for the form itself. At least do a htmlspecialchars() for each $_GET variable. Otherwise, you've opened up that site to a XSS attack.
Second, your form allows any 'from' and 'to', effectively creating a web form relay that uses your email server. Spammers love relay forms.
Third, the subject line isn't sanitized. I would wager that is your injection point. Took me a while to find it. The fact you are receiving blank emails and this issue exists, tells me someone is probably using your form for sending spam. Oops.
I'm not sure what the point of clean_string() is. The things you are removing are mostly header-related. The user doesn't have an opportunity to inject into the headers within the body. Also, the message is plain-text, so removing 'href' does nothing. Basically, the function doesn't do anything.
As far as your blank e-mail issue goes, I was originally looking for a way to modify the headers via the from address to bury the original message in an alternate MIME type that would never be shown because that's what I would do. The regular expression on the email address stops that from happening. Took me a while to find the subject line issue, but I'd wager that not sanitizing the subject line is the problem.
I never call the PHP mail() function directly because there are too many problems with doing that. I use a library such as PHP Mailer or Barebones Ultimate E-mail Toolkit or similar to send email. Good libraries do way more than just send email, they sanitize inputs for you prior to delivery to the email server and provide useful tools to get the job done because getting email right is much harder than most people think since the PHP mail() function was never intended to be called directly and email address validation is also hard to get right (your regex has numerous issues - the only thing going for it is that it does stop header injection).
On a couple of stylistic notes, you are using tables and it looks like you are embedding 'form' tags in invalid locations (outside 'td' tags is invalid HTML). Also, it is better to fall through to the original form on an error and let the user correct the problem. Pressing 'Back' may result in a blank form, forcing the user to type in everything again, so most users won't bother. In your case, that translates to lost sales leads.