I kept getting junk sent via one of my formmail (widgets.htm) pages. I
assumed it was robots and so rewrote the page as PHP (widgets.php) that
included a captcha check.
I still kept getting the formmail messages from the widgets.htm page.
So I did a 401 redirect from the .htm to the .php.
I still kept getting the formmail messages from the widgets.htm page.
I deleted the .htm page and still keep getting them.
Here is the (munged) header from the email:
Return-Path: <dhapache@example.com>[i]my host[/i]
X-Original-To: [i]my email address[/i]
Delivered-To: [i]my email mailbox[/i]
Received: from [i]some host[/i] (example.example.com [i]one of my host's
servers[/i][#*$!.#*$!.xxx.xxx][i]my host's ip address[/i])
by mail.example.com (Postfix) with ESMTP id BBA4F11FE72
for <[i]my email address[/i]>; Sun, 12 Mar 2006 01:27:01 -0800 (PST)
Received: by [i]some host[/i] (Postfix, from userid 999)
id A5D329800E; Sun, 12 Mar 2006 01:27:01 -0800 (PST)
Received: from [xxx.xxx.xx.xx] [i]spammers IP[/i]
by formmail.example.com (NMS FormMail 3.14c1)
with HTTP; Sun, 12 Mar 2006 09:27:01 GMT
(script-name /cgi-bin/formmail.cgi)
(http-host formmail.example.com)
(http-referer http://www.example.com/widgets.htm[i]my deleted formmail page[/i])
X-Mailer: NMS FormMail 3.14c1
To: [i]my email address[/i]
From: [i]spammer's supposed email address[/i] (Mike)
Subject: Reciprocal Link
Message-Id: <20060312092701.A5D329800E@peon0034>
Date: Sun, 12 Mar 2006 01:27:01 -0800 (PST)
My host suggests that someone has hijacked my php script, but this was occurring before I brought in the php captcha script.
Can anyone tell me what is happening?
Thanks
Kenton
Probably the most popular email script to handle this is Matt's email script. Search that and by using it you'll find parameters for allowable domains; if it is not from one of these allowable domains, it doesn't run. There are ways around it but it works most of the time.
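An added example, not part of either post: the header above shows the mail being generated by `/cgi-bin/formmail.cgi`, which stays reachable whether or not the HTML page exists, and the `http-referer` it records is a value the client supplies. The sketch below parses the trace header NMS FormMail writes and flags messages whose referer is not a currently published form; the sample message, the `LIVE_FORMS` list and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample modelled on the header in the post; host and IP are placeholders.
SAMPLE = """\
Return-Path: <dhapache@example.com>
Received: by peon.example.com (Postfix, from userid 999)
\tid A5D329800E; Sun, 12 Mar 2006 01:27:01 -0800 (PST)
Received: from [192.0.2.15]
\tby formmail.example.com (NMS FormMail 3.14c1)
\twith HTTP; Sun, 12 Mar 2006 09:27:01 GMT
\t(script-name /cgi-bin/formmail.cgi)
\t(http-host formmail.example.com)
\t(http-referer http://www.example.com/widgets.htm)
X-Mailer: NMS FormMail 3.14c1
Subject: Reciprocal Link

body
"""

# Assumption: the form pages currently published on the site.
LIVE_FORMS = {"http://www.example.com/widgets.php"}

def formmail_trace(raw):
    """Return the fields of the Received header written by NMS FormMail, or None."""
    msg = message_from_string(raw)
    for hop in msg.get_all("Received", []):
        hop = " ".join(hop.split())  # unfold continuation lines
        if "NMS FormMail" not in hop:
            continue
        ip = re.search(r"from \[([^\]]+)\]", hop)
        fields = dict(re.findall(
            r"\((script-name|http-host|http-referer) ([^)]*)\)", hop))
        fields["client-ip"] = ip.group(1) if ip else None
        return fields
    return None

def classify(raw, live_forms=LIVE_FORMS):
    """Label a message by whether its recorded referer is a published form."""
    trace = formmail_trace(raw)
    if trace is None:
        return "not-formmail"
    # A matching referer is not proof of origin: the client chooses the value.
    if trace.get("http-referer", "") not in live_forms:
        return "stale-referer"
    return "referer-matches-live-form"
```

Messages labelled `stale-referer` were submitted to the CGI script with a referer that no page on the site could have produced, which points at the script itself as the thing to restrict or remove.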