• I was very surprised to get spam generated from my own server this morning. I back-tracked it to this web request:
    213.251.182.12 - - [17/Aug/2014:23:58:30 -0700] "POST /?page_id=175 HTTP/1.0" 200 216

    That page is my contact page, looks like this:
    [contact-form-7 id="174" title="Contact form 1"]

    Looks like contact-form-7 is not protected against someone sending a malicious POST request. They managed to make my server send out perfectly valid SPAM, that says it is coming from my SPF authorized server, and the only trace they left was their IP (which is from France) in my http access file. They spoofed everything. From the email, there is no way to tell who sent it, and they can send to any address in the world.

    I’m running the latest version (3.9.1), and am very concerned that anyone in the world can now use my server to generate spam. It’s only a matter of time before my server gets on a blacklist due to this huge hole.

    Are there any steps that I can take to close this hole?

    Thanks-

    https://wordpress.org/plugins/contact-form-7/
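The poster traced the abuse to a single access-log entry. The script below is an added example (not the poster's code and not part of Contact Form 7) of how a site owner can sweep the whole access log for the same pattern: POSTs to the contact page that arrive without that client ever loading the form, and bursts of POSTs from one address. The contact page path `/?page_id=175` is taken from the post; the sample log lines other than the first, the RFC 5737 test addresses, and the window and burst thresholds are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Apache common-log lines. The first line mirrors the entry
# quoted in the post; the rest use documentation addresses (RFC 5737) and made-up times.
SAMPLE_LOG = """\
213.251.182.12 - - [17/Aug/2014:23:58:30 -0700] "POST /?page_id=175 HTTP/1.0" 200 216
203.0.113.5 - - [17/Aug/2014:23:58:31 -0700] "GET /?page_id=175 HTTP/1.1" 200 8123
203.0.113.5 - - [17/Aug/2014:23:58:40 -0700] "POST /?page_id=175 HTTP/1.1" 200 216
213.251.182.12 - - [17/Aug/2014:23:58:45 -0700] "POST /?page_id=175 HTTP/1.0" 200 216
213.251.182.12 - - [17/Aug/2014:23:59:02 -0700] "POST /?page_id=175 HTTP/1.0" 200 216
198.51.100.7 - - [18/Aug/2014:00:01:00 -0700] "GET /?page_id=175 HTTP/1.1" 200 8123
198.51.100.7 - - [18/Aug/2014:00:01:50 -0700] "POST /?page_id=175 HTTP/1.1" 200 216
192.0.2.9 - - [18/Aug/2014:00:03:10 -0700] "POST /?page_id=175 HTTP/1.0" 200 216
"""

# Common/combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The poster's contact page; change this to your own form page path (assumption).
CONTACT_PATH = "/?page_id=175"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, contact_path=CONTACT_PATH,
            window=timedelta(minutes=5), burst=3):
    """Return {ip: [reasons]} for clients whose form traffic looks automated.

    Heuristics (thresholds are assumptions, tune them for your traffic):
      post_without_get - the IP POSTed to the form but never fetched the page first.
      burst            - at least `burst` POSTs from the IP inside `window`.
    """
    events = [e for e in map(parse_line, log_text.splitlines())
              if e and e["path"] == contact_path]
    events.sort(key=lambda e: e["ts"])

    posts, gets = defaultdict(list), defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            posts[e["ip"]].append(e["ts"])
        elif e["method"] == "GET":
            gets[e["ip"]].append(e["ts"])

    findings = defaultdict(list)
    for ip, times in posts.items():
        # A human submits the form after loading it; a script often skips the GET.
        if not any(g < t for g in gets[ip] for t in times):
            findings[ip].append("post_without_get")
        # Sliding window over this IP's POST timestamps (already sorted).
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= burst:
                findings[ip].append("burst")
                break
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(reasons)}")
```

Run it against a real log with `analyze(open("access.log").read())`. The "post without GET" heuristic misfires behind a full-page cache or CDN that serves the GET without logging it on the origin, so treat the output as a triage list, not a blocklist. Flagged addresses are the input to whatever rate limiting or firewall rule you apply; closing the hole itself is done on the form side, with the spam-filtering and CAPTCHA options Contact Form 7 offers, since log review only tells you after the mail has already gone out.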

  • The topic ‘Spam is being launched from my contact form’ is closed to new replies.