The spam philosophy relies on two things: 1. It cost nothing, so we'll never stop. 2. If we get 1 sale/lead and p*** off a million others, we don't care about the million - only the one. I always visualize spammers as #*$!ly faced teens brimming with angst, to which p***ing people off is a bonus . . . . but that's just me. :-)
From what I can see, the most common goal of these spammers is LINKS. They get paid on delivery. It starts like this:
Message: ssdf sdfsdf
They're just feeling you up, figuring out required fields, etc. When it really gets going, these messages will (almost) always contain links. There should be no valid reason for users to enter a link into a form (and if this is your case, you have to take another approach.) So filter the links, you will filter a good portion of the spam.
There is another attack that doesn't involve links at all, but is catered to a really sloppy form processor that doesn't adequately filter data. A normal mail header does something like you see above. But what if I could do this?
$from = "email@example.com\nBCC:firstname.lastname@example.org,email@example.com,firstname.lastname@example.org . . . "
Note the newline. Also instead of three emails to AOL, imagine 1000.
"But wait. My form doesn't have a BCC field." Well, they just created one. Using the example above, you get this:
BCC:email@example.com,firstname.lastname@example.org,email@example.com . . .
Message: ssdf sdfsdf
So you get one email. AOL gets 1000, they keep using you until you get blacklisted. The same approach applies to sending a multipart message in the input, and many other hacks. A BIG one to watch out for, since you mentioned database: if your email form enters data into a databaase and they discover that it does, they can submit data that abuses your database fields:
SQL injection discussion [webmasterworld.com]
I know you're probably looking for a one-off easy solution. That solution is only this: remove the form and form processor. Otherwise you have to learn a little bit about what they are doing and how they are doing it. The two links above present many approaches by many members here; consider and implement as many as you can without presenting additional challenges to legitimate users..