They are "tasting." Seeing what they can do with it. Their "bots" are testing the form fields, seeing which once are required, seeing if they receive an email from it, seeing if they can inject directly into mail headers . . . . which may also mean, what you are seeing is not the whole story. Because they keep at it, I tend to believe this might be the case.
One question: do you receive an email notification when these are submitted?
If you do, you **definately** are not seeing the whole story. What if I can somehow submit the following into an email address field?
email@example.com\n bcc:firstname.lastname@example.org,email@example.com . . . (thousands here)
The \n is a newline. So if this works, I've just created my OWN BCC field in your mail headers, and sent thousands of emails using your server. And being a BCC, you'll never know it.
Another example is to inject a multipart header and multipart email in the "message body". Same thing, you only see the "main" part, which may have nothing at all in it. The real meat is in the multipart, and it's already been done and sent by the time you get that, they don't care what you receive. The confusion, I imagine, is just a "bonus."
Also know that they don't need to be "on your form" to do it. If I know the URI of the form, I can post to it from command line, from anywhere, which is what bots do.
If you have coded this up, or had someone do it for you, I suggest you start doing one thing, immediately. Add a bit to your script that logs the raw data input from these forms. Open a file somewhere, every time something is submitted, dump the raw input into it, put a time stamp and IP address on it. Review it often. You'll be surprised . . . but this is where you start. Next is figuring out why, and most likely it's related to poor input filtering of data, which is what has made you a target. This is extremely different from the data you will get from your server logs.
CAPTCHA is totally hackable, I've seen it happen. I've no clue how they do it, I just know they do. In-form tricks - a hidden field that is supposed to stay empty, changing form field names, the trivia question challenge, other front end fixes - these will give temporary or maybe even permanent relief, but they won't deter the truly determined.
For that there is really only one solution, and it's STILL not "hack - proof". Filter your data well enough to make it as much a pain for them to abuse your site as they are a pain to you. If you can make them go off to greener pastures, it's all good.