Thank you all for your replies.
Although Teodor has been through everything on the website and found not injection code I think this spammer is directly using the API.
Because we use Office365 Exchange I have to have a dummy domain in plesk that I use to relay the emails through otherwise it tries to deliver the mail to the localhost. As soon as I delete this dummy domain the spam stops, however if I create a new dummy domain with different credentials, as soon as I send one request from my website the spam immediately starts! I have other sites using the same dummy domain smtp and they are not getting any spam so I’m guessing there is something out there thats watching the API of the domain concerned and as soon as a form is send it somehow starts spamming directing as you suggest the API.
I’d like to directly use O365 and I have read through the post of @vfn Email Not sending - hellllpppp
but for me the emails won’t go through. I’m a little confused as to how to get the more detailed error message out, all I get in the browser inspect is server error 500.
Lastly, the php function I used to use before DMX and Wappler had an anti spam function in the send script which checked to see if the function was being used locally of from another IP address, perhaps this is something that needs to be added to Wappler Send Mail?