Personal SPAM is one thing. Business SPAM, coming from your online forms, is another. It is best to understand the problem before attempting to implement a solution. Generally, I classify form SPAM into one of two categories:
- Form hijacking attempts
- Automated scripts
Strategies to tackle both types rely on tightening form validation and security. Hijacking attempts are a much more serious problem, because the attacker is trying to use your form and your mail server to send SPAM to hundreds or thousands of other people, typically by injecting extra mail headers (such as Bcc: or additional To: recipients) into a form field that your script copies into the outgoing message. Identifying hijacking attempts can be tricky, but if you see a lot of bounced SPAM originating FROM your servers, you should definitely start investigating.
Here are some things you can do to curb your form SPAM issues:
- Enforce tight server-side validation - JavaScript validation alone is useless as a defense. Automated scripts post directly to your form handler and never execute your JavaScript, so anything checked only in the browser is effectively not checked at all.
- Make sure form values don't include email header data - reject any value containing a carriage return or line feed before it is copied into a From, Reply-To or Subject header. A line break followed by Bcc: is all it takes to turn your form into a relay.
- Validate form data based on type (an email address should look like an email address, a phone number like a phone number) and strip out HTML code.
- Limit the number of characters in each field to something reasonable.
- Check for certain words, phrases, or code (such as Bcc:, Content-Type:, or link markup) that might lead you to believe it's SPAM.
- Never pass critical mailing data as hidden fields (such as the mail-to address) - anything in the form can be edited by the sender, so the recipient must be fixed on the server.
- Use CAPTCHA - make the submitter enter some words, letters or numbers shown in an image before submitting the form. This raises the cost of automated submission considerably, although it does not guarantee the form is being submitted by an actual person.
- Validate user sessions - for each visitor, create a unique session. Store a random, unpredictable value on the server. Include that value as a hidden field on the form, and on submission compare it against the value stored in the session. An automated script posting directly to your handler without first loading the form will most likely not have a valid value.
- Log IP addresses - chances are that a real visitor is not going to submit your form many times over a short period of time. Keep track of submissions per IP and use that count to throttle or reject repeat submissions and to flag abuse.
Tightening your validation is the most critical step in stopping form SPAM. If you have a vulnerability in your form, adding CAPTCHA won't stop someone from exploiting it. Post your form if you want us to run some checks.
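To make the checklist concrete, here is an added example (not code from the original post) of a server-side handler that applies the items above: header-injection rejection, type and length checks, a phrase blocklist, a session token compare, per-IP rate limiting, and a recipient that is fixed on the server rather than taken from the form. The addresses, field names, limits and blocklist phrases are assumptions chosen for illustration, and the sample submissions are constructed.

```python
import re
import time
import secrets
from email.message import EmailMessage

# Fixed server-side; never taken from a hidden form field.
RECIPIENT = "webmaster@example.com"   # assumed address for this example
SENDER = "webform@example.com"        # assumed address for this example

# Fields that are copied into mail headers, and per-field length caps.
HEADER_FIELDS = ("name", "email", "subject")
MAX_LEN = {"name": 100, "email": 254, "subject": 200, "message": 4000}

# \A and \Z rather than ^ and $, so a trailing newline cannot slip past.
EMAIL_RE = re.compile(r"\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\Z")
TAG_RE = re.compile(r"<[^>]*>")
# Constructed phrase list: header names and link markup that have no
# business in a contact-form submission.
BLOCKLIST = ("bcc:", "cc:", "content-type:", "mime-version:", "<a href", "[url=")


def has_header_injection(value):
    """True if a value destined for a mail header carries its own line
    breaks, which is how an attacker appends Bcc: lines."""
    return "\r" in value or "\n" in value


def strip_html(value):
    """Remove tags from text before it is mailed."""
    return TAG_RE.sub("", value)


def validate_submission(fields, expected_token):
    """Apply the server-side checks. fields is the posted form as a dict;
    expected_token is the random value stored in the visitor's session.
    Returns (ok, list_of_errors)."""
    errors = []
    for name, value in fields.items():
        if name == "token":
            continue
        if name not in MAX_LEN:
            # e.g. a posted "to" field trying to redirect the mail
            errors.append("unexpected field %s" % name)
        elif len(value) > MAX_LEN[name]:
            errors.append("%s too long" % name)
    for name in MAX_LEN:
        if name not in fields:
            errors.append("missing field %s" % name)
    for name in HEADER_FIELDS:
        if has_header_injection(fields.get(name, "")):
            errors.append("%s contains header line breaks" % name)
    if not EMAIL_RE.match(fields.get("email", "")):
        errors.append("email malformed")
    lowered = "\n".join(fields.values()).lower()
    hits = [w for w in BLOCKLIST if w in lowered]
    if hits:
        errors.append("blocked phrase %s" % hits[0])
    token = fields.get("token", "")
    if not expected_token or not secrets.compare_digest(
            token.encode(), expected_token.encode()):
        errors.append("bad session token")
    return (not errors, errors)


class RateLimiter:
    """Per-IP submission counter over a sliding window. In-memory here;
    a real deployment would persist it across processes."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.hits = {}

    def allow(self, ip, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.hits.get(ip, []) if now - t < self.window]
        recent.append(now)
        self.hits[ip] = recent
        return len(recent) <= self.limit


def build_message(fields):
    """Build the outgoing mail with a fixed recipient; only validated,
    sanitized values reach the headers."""
    msg = EmailMessage()
    msg["To"] = RECIPIENT
    msg["From"] = SENDER
    msg["Reply-To"] = fields["email"]
    msg["Subject"] = strip_html(fields["subject"])
    msg.set_content("From %s <%s>:\n\n%s" % (
        strip_html(fields["name"]), fields["email"], strip_html(fields["message"])))
    return msg


# Constructed sample submissions.
GOOD = {"name": "Jane", "email": "jane@example.org", "subject": "Quote",
        "message": "Please send pricing.", "token": "t0k3n"}
INJECTED = dict(GOOD, email="jane@example.org\nBcc: v1@example.net, v2@example.net")
REDIRECTED = dict(GOOD, to="victim@example.net")

if __name__ == "__main__":
    for label, sub in (("good", GOOD), ("injected", INJECTED), ("redirected", REDIRECTED)):
        print(label, validate_submission(sub, "t0k3n"))
```

Run validate_submission before anything touches the mail library, and only call build_message on a submission that passed and whose IP the limiter allowed. The recipient is a constant in the script, so even a forged "to" field is reported as an unexpected field rather than honored.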