There are two scripts: contact.php and mailsender.php where the form sends the post data.
In contact.php I have some restrictions (prototype) like Name only accepts alpha data.
In my example you can see that Last Names are numeric.
I guess those bots get the name of the action form from contact.php and "work" on mailsender.php directly.
I also have a simple captcha (put the correct sum number...)
What about passing and checking a SESSION var?