POssible Security Flaw

I have a default template site set up – that has no public A record. The only way to get to it for me is to modify my hosts file which then sends the request to Apache and gets the site.

We are getting a ton of spam through the contact forms:

I have added Akismet, Honeypot, Google Capture etc – and none of them record any forms being sent or capture any Spam. Ditto Contact Form CFDB7 – no forms sent.

Here is where it gets weird: I changed the subject line of the sent contact form emails to have specific words in them ( [Wordpress] [Sitename] [formname] so I could track which form the spam comes from. After this change I am still getting forms submitted without the changed subject line.
The headers say the emails were sent from my server, by SMTP utilising PHPMaile and the user number for the account using phpmailer is the user name for the account this website is run under – every site is put under its own user for security.

I am wondering if there is a way the spammers cached the form submission nad even with honeypot, a captcha field, google captcha etc they are able to submit a cached form and have it accepted.

I am going to adda new required field onto both forms – but am writing to raise the possibility there may be a security flaw allowing cached forms to be submitted.

Feel free to reach me directly on my email as it may be inappropriate to discuss this on an open forum.

Regards
shane