We are experiencing website attacks that trigger the submission of a form, and send alert emails.

Normal process of form submission is to fill up a couple of text fields, and when the user is redirected, the next page processes $_POST. If $_POST exists, then the email to intended form recipients is triggered.

What is happening right now, we are receiving the email of the form submission, three emails at a time with same information. The information per email is the same, but not all of the spam emails contain the same information, each batch of triggered emails has unique information.

The form has no captcha, and if possible we would like to keep it this way. The website has worked fine and had no spamming problems until today.

We have monitoring software for the website, but whoever is submitting this form over and over is not being recorded by the tracking software WHY IS THIS? IS THE PERSON ACTUALLY VISITING THE WEBSITE? The only suspicious visit tracked was on November 10th, and this record ALSO shows three forms submitted (this is how I identified possible first visit by attacker). Then no incidents until today.

WHAT IS THE GOAL of the spam attack? Is the attacker expecting us to respond to the bogus emails? What can they achieve with repeated submission of form

Why are three emails triggered in the row? Is this indicative that they may be using a script?

This is a PHP website. Is there a way for a client to view the PHP code of a page?

Thank you