Isn't the code that sends the email and saves the email log data on the page? They would have to be visiting the page to run the code that is on the page.
Referrer can be blocked. It is a header flag that is sent by the browser and it can be removed to prevent tracking. A missing referrer doesn't really mean anything about the source other than they don't want to be traced.
I'm thinking the htaccess rule must be wrong. It should be able to block emails that come from a web page. I don't think any entries would appear in your log if they weren't from your page.