You have the validation set to the trigger:
Button: SimpleContact pressed
and the Universal Email behavior set to use the trigger:
Any Form Post.
Make sure that both behaviors use the same trigger.
Probably what is happening is a hacker is visiting your page and viewing the source code.
They can then copy the source and host the form on a page in their own site and set the action to post to your page. By renaming the submit button, they would bypass the validation.
Since UE does not use the same trigger, it is able to bypass validation, but then send the email.
If both behaviors used the same trigger, renaming the submit button to bypass validation would also bypass sending the email.
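
The trigger mismatch described in the post above, modelled in Python as an added example (not part of the original post and not the extension's own code). Only the `SimpleContact` button name comes from the thread; the field names, the `handle` function and the sample requests are assumptions made for illustration.

```python
# Added illustration: two server behaviors on one page, each with its own trigger.
# Everything except the "SimpleContact" button name is constructed for this example.

def validate(post):
    """Return the names of the contact fields that fail validation."""
    errors = []
    if "@" not in post.get("email", ""):
        errors.append("email")
    if not post.get("message", "").strip():
        errors.append("message")
    return errors

def button_pressed(post):
    # Trigger "Button: SimpleContact pressed": the button's name is in the POST body.
    return "SimpleContact" in post

def any_form_post(method):
    # Trigger "Any Form Post": fires on every POST, whatever fields it carries.
    return method == "POST"

def handle(method, post, email_trigger):
    """Process one request; email_trigger is 'any_post' or 'button'."""
    result = {"validated": False, "errors": [], "email_sent": False}
    # Validation behavior: runs only when its button trigger fires.
    if method == "POST" and button_pressed(post):
        result["validated"] = True
        result["errors"] = validate(post)
        if result["errors"]:
            return result  # validation failed: stop before the email behavior
    # Email behavior: runs when its own trigger fires.
    if email_trigger == "any_post":
        fire = any_form_post(method)
    else:
        fire = method == "POST" and button_pressed(post)
    result["email_sent"] = fire
    return result

# Constructed requests: a normal submission, and one from a copied form
# whose submit button was renamed and whose fields are empty.
NORMAL = {"email": "a@example.com", "message": "hi", "SimpleContact": "Send"}
RENAMED = {"email": "", "message": "", "Submit2": "Send"}

if __name__ == "__main__":
    print("mismatched:", handle("POST", RENAMED, "any_post"))
    print("aligned:   ", handle("POST", RENAMED, "button"))
```

With mismatched triggers the renamed-button request is never validated yet still sends mail; with both behaviors on the button trigger, the same request does neither.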