incrediBILL - 4:20 pm on May 3, 2012 (gmt 0)
Anything could be done by a bot, but that assumes your site alone is worth their time to mess with. There are a few tricks to the anti-spam stuff I do; it's deceptively simple but has kept the crud off my sites for years now.
I have one high value target, and I sat one night watching someone from a Romanian IP address feverishly hack at my anti-spam stuff for a couple of hours. He found one loophole, which I quickly closed, and I never had an issue with them ever since ;)
BTW, anti-spam when done right isn't a single solution but a series of checks.
For instance, is the spammer using GET or POST to submit? Many still try to use GET and simply requiring a POST will jam them up for a while.
Does the spammer accept your cookies? Assuming an actual visitor came to your site and received the page in their browser, they would also receive a cookie. If someone tries to POST the form without the cookie, it gets rejected.
Does the spammer send a referrer? Assuming an actual visitor came to your site and submits the form from your site, it should have the referring page along with the POST and the COOKIE.
Additionally, check the user agent doing the submit. If it doesn't start with Mozilla, Opera or some cell phone user agents, kick 'em out.
See how you can easily build up a few simple rules and requirements that harden the form?
Obviously a real hardcore, determined spammer could emulate a lot of this, but then it slows his efforts down, decreases the amount of spam he can send, and takes more time to figure out what your site requires.
Just to make life harder, I randomize some of the stuff above such as field names, page names, etc.
Best part is it'll easily bounce the lame spammers.
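
The series of checks described in the post above (POST only, cookie present, referrer from the site, user agent prefix), sketched as an added example that is not the poster's own code. The HMAC-signed, time-limited cookie, the cookie name, the hostname and the secret are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import urlparse

SECRET = b"constructed-demo-secret"   # assumption: per-site secret key
SITE_HOST = "www.example.com"         # assumption: the site's own hostname
COOKIE_NAME = "form_token"            # hypothetical cookie name
UA_PREFIXES = ("Mozilla/", "Opera/")  # extend with the mobile agents you accept
MAX_AGE = 3600                        # seconds a served form stays valid

def issue_token(now=None):
    """Cookie value set when the form page is served: '<timestamp>.<hmac>'."""
    ts = str(int(now if now is not None else time.time()))
    return ts + "." + hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()

def token_valid(token, now=None):
    """True if the cookie was issued by this site and has not expired."""
    ts, _, sig = (token or "").partition(".")
    if not (ts.isascii() and ts.isdigit()):
        return False
    good = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    age = int(now if now is not None else time.time()) - int(ts)
    return hmac.compare_digest(sig.encode(), good.encode()) and 0 <= age <= MAX_AGE

def check_submission(method, headers, cookies, now=None):
    """Return the list of failed checks; an empty list means accept."""
    failed = []
    if method.upper() != "POST":
        failed.append("method")
    if not token_valid(cookies.get(COOKIE_NAME), now):
        failed.append("cookie")
    if urlparse(headers.get("Referer", "")).hostname != SITE_HOST:
        failed.append("referrer")
    if not headers.get("User-Agent", "").startswith(UA_PREFIXES):
        failed.append("user-agent")
    return failed

# Constructed sample requests, not captured traffic.
NOW = 1_700_000_000
BROWSER = ("POST",
           {"Referer": "https://www.example.com/contact",
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
           {COOKIE_NAME: issue_token(NOW - 30)})
SCRIPT = ("GET", {"User-Agent": "curl/8.0"}, {})

if __name__ == "__main__":
    for name, req in (("browser", BROWSER), ("script", SCRIPT)):
        print(name, check_submission(*req, now=NOW) or "accepted")
```

Returning every failed check rather than stopping at the first one gives a log line that shows which rules a given client trips.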