Reputation: 463
I have a bizarre situation that my team and I haven't been able to put our finger on. I have a DNN-based website. I have a custom module that acts as a simple contact form. This contact form module is used multiple places on the site. The contact form works as expected. The contact form module doesn't directly use an SMTP relay, but instead inserts a record into a database, and there's a separate job that handles the send/SMTP relay. All of this works very well.
The website is behind Cloudflare, paid account, nothing overly fancy setup in CF. The contact form module has Google's ReCaptcha v3 on it.
A couple months ago, a (confirmed) human submitted one of these contact form modules asking a question -- nothing unremarkable about this, at least until....
Every ~6-14 days after this original submission, the website's contact form module is RE-submitted with the same exact form values -- same name, same email, exact same body message.
At first, we thought the human was messing with us, but we contacted him and he is not. Plus the message is very benign, basically asking a shipping question.
Next, we thought it was something in the website, the DNN caching, or similar that was causing it. We added the request's IP address and UserAgent to the form's code, and confirmed that was working as expected. We then waited for additional new re-submit/duplications to come so we could see/log these weird requests a bit better.
The human that originally submitted the form is located in MI, USA. The weird resubmits are coming from IPv6 addresses, which we haven't been able to resolve hostnames from, but they seem to point to the Detroit, MI vicinity -- strangely some WHOIS google searches say that the IP addresses belong to Cloudflare (Singapore), some say they belong to "Apple iCloud Private Relay". Maybe it's iCloud, but iCloud behind CF? IDK
Important - I know that when your site is behind Cloudflare, you can't use the UserHostAddress from the Request because it will have a CF IP address. We're using the CF-Connecting-IP and X-Forwarded-For headers to get the client's IP.
The captured UserAgent data seems to be indicating Safari as the browser. Oddly though, the first time said version 18.1, and then the second time said version 17.4 -- pretty weird that version number would go down.
I realize we could simply block form submissions from this email address/user, but I'm endlessly curious why this is happening.
Questions:
Upvotes: 0
Views: 41
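An added example, not code from the question or from DNN: a small Python script that does the two things the post describes, namely recording the client IP behind Cloudflare and spotting the repeated submissions. It only trusts CF-Connecting-IP when the TCP peer is a Cloudflare edge (X-Forwarded-For is client-supplied), and it flags resubmissions by fingerprinting name, email and body. The Cloudflare ranges and the submission log are constructed placeholders, not real values.

```python
import hashlib
import ipaddress
from datetime import datetime, timedelta

# Placeholder edge ranges (constructed); in production load Cloudflare's published list.
CLOUDFLARE_RANGES = [ipaddress.ip_network("198.51.100.0/24"),
                     ipaddress.ip_network("2001:db8:cf::/48")]

def client_ip(remote_addr, headers):
    """Pick the address to log. CF-Connecting-IP is trusted only if the
    request actually arrived from a Cloudflare edge; X-Forwarded-For is
    attacker-controllable, so it is a last resort and only its first hop is used."""
    peer = ipaddress.ip_address(remote_addr)
    if any(peer in net for net in CLOUDFLARE_RANGES) and headers.get("CF-Connecting-IP"):
        return headers["CF-Connecting-IP"]
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr

def fingerprint(name, email, body):
    """Stable hash of the form fields, ignoring case and surrounding whitespace."""
    norm = "\n".join(s.strip().lower() for s in (name, email, body))
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()

def find_resubmissions(submissions, window=timedelta(days=30)):
    """Return (repeat_index, original_index) pairs for submissions whose
    fingerprint matches an earlier one within the window."""
    seen, repeats = {}, []
    for i, s in enumerate(submissions):
        fp = fingerprint(s["name"], s["email"], s["body"])
        if fp in seen and s["ts"] - submissions[seen[fp]]["ts"] <= window:
            repeats.append((i, seen[fp]))
        else:
            seen[fp] = i  # first sighting, or an old one outside the window
    return repeats

# Constructed sample log: one human submission, one identical repeat days later
# from a different IPv6 address and Safari version, and one unrelated message.
SAMPLE = [
    {"ts": datetime(2024, 11, 1, 9, 0), "name": "Jane Doe", "email": "jane@example.com",
     "body": "Do you ship to Canada?", "ip": "203.0.113.7", "ua": "Safari/18.1"},
    {"ts": datetime(2024, 11, 9, 3, 12), "name": "Jane Doe", "email": "jane@example.com",
     "body": "Do you ship to Canada?", "ip": "2001:db8::1", "ua": "Safari/17.4"},
    {"ts": datetime(2024, 11, 10, 14, 0), "name": "Bob", "email": "bob@example.com",
     "body": "Invoice question", "ip": "203.0.113.8", "ua": "Firefox/130"},
]

if __name__ == "__main__":
    for rep, orig in find_resubmissions(SAMPLE):
        print(f"submission {rep} repeats {orig}: ip={SAMPLE[rep]['ip']} ua={SAMPLE[rep]['ua']}")
```

Running it prints the repeat at index 1 as a duplicate of index 0; the fingerprint is what a dedupe check in the module's insert job could key on.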