The XMLUI Feedback/Contact form does not include the same level of protection from spamming as the JSPUI. Within the JSPUI, there's a check (in FeedbackServlet) to ensure that the HTTP referer corresponds to the DSpace server's hostname. This is a basic attempt to block most spam messages from using the feedback form.
However, the XMLUI has no checks of this sort. So, spammers have the ability to use the form to send spam email to the administrators.