Maybe sharing a recent experience I suffered will shed some light on your issue. I took over hosting a site another had produced, and “took the easy way out” by initially moving the site, as it stood, onto Dreamhost with only a brief look at the code. The site processed its form(s) using a common formmailer script, “DynaForm v 1.4”. The code looked “safe” enough, and it worked, so I did not bother to “redo” the form to use the DH-provided “formail.cgi”, which I have used successfully for years without incident.
The first indication that there was a problem was a *bunch* of “bounce” messages addressed to my DH user in the form of firstname.lastname@example.org. It seems that someone was attempting to exploit one of my forms (I host lots of domains on DH), but was not being successful. Close inspection of the bounce messages and the text of the messages that bounced indicated that the attacker could not properly form a message via his exploit, but could dispatch it via the form. Every word in the message he attempted to send via his script was read as a “to” address, and of course, they all “bounced”. Careful inspection of the bounced messages gave me a clue as to where to start looking for the offending script (which domain).
Worried about DH's reaction, and all that, I dug into the access logs for that domain and saw the “strange” entries, identified by truncated log information and IP addresses that reverse lookup could not find (though some appeared to be Comcast machines - zombied?). I was relieved to note that only 20-30 attempts were made in a 24-hour period, and came about once an hour, in groups of one or two accesses (though they “produced” approximately 10 times that many “failed” messages). The problem lasted about two days, then the “attack” subsided, presumably because the attacks did not succeed in generating mail that made it to the intended servers.
There had not been a repeat in the last several days. I think I need to dump DynaForm (though the code looks safe to me - I am not a PHP wizard), and go with what seems to work. Is DynaForm broken? I guess it “kinda” is, though it did not actually get any spam to any real addresses.