Forum Moderators: phranque


Bulletin Board Spam: How Do The Spammers Register To Spam the Board?

         

24bit

7:02 pm on Jan 14, 2006 (gmt 0)

10+ Year Member



For a long time, it's been known to see spammers leave spam on Guestbooks that don't require registration. However, now I'm seeing spam show up on one of my register-required BBSes, and even on one of my Guestbooks that has an anti-spam generated picture code that users have to enter the numbers into a box. How are they getting past that even? Thanks.

stapel

1:30 am on Jan 15, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Without knowing the specifics of your site and/or your scripts and/or what the spammers are doing, it's hard to say specifically. (And I don't know that the TOS for this forum would allow you to provide this information, so the preceding is only a comment, not a criticism.) But my guess would be that the spammer has found a security hole in your script, and is accessing the script directly, entirely bypassing your security methods.

You might want to check with the script provider for an updated version of the script, and/or check elsewhere for information on security holes and/or patches.

Eliz.

2by4

4:32 am on Jan 15, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Find yourself a blackhat seo forum and you'll learn all about how that works.

rocknbil

7:42 pm on Jan 15, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If the script is free, which it most likely is, it can be downloaded and examined for holes to sneak in.

A clue: you are (probably) assuming that everyone accesses your site via a browser. When you submit a form from the web, it passes data to the script. Many of these submits are required to set up an account and collect data such as a session ID or the CAPTCHA (image verification).

Suppose I could skip all steps of registration and verification by opening a command window and doing something like this:

curl 'http://www.example.com/bbscript.cgi?action=new_post&userid=someknownuser&loginok&body=spam+content+here'

Admittedly this is a very simplified (and nonfunctional, of course) explanation but this is most likely how it's done: once someone figures out a query string that will get past the security functions, they can write a script that will send this command repeatedly and never even have to visit the page.

Also Google for SQL Injection. Another method for horribly vulnerable programs in PHP or other scripting languages.
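
An added illustration of the point in the post above (not code from the thread or from any real BBS script): a handler that trusts `loginok` and `userid` from the request, beside one that takes login state and the CAPTCHA answer from server-side session data. The function names, the in-memory session store and the sample values are assumptions made for the example.

```python
import hashlib, hmac, secrets
from urllib.parse import parse_qsl

SECRET = secrets.token_bytes(32)  # server-side key, never sent to the client
SESSIONS = {}                     # session id -> {"user": ..., "captcha": ...}

# Constructed sample: the query string from the post above, parsed as a script would.
FORGED = dict(parse_qsl(
    "action=new_post&userid=someknownuser&loginok&body=spam+content+here",
    keep_blank_values=True))

def _sign(sid):
    return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()

def login(user, captcha_answer):
    """Hypothetical: runs only after registration and password checks pass."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "captcha": captcha_answer}
    return f"{sid}.{_sign(sid)}"  # value for the session cookie

def vulnerable_new_post(method, params, cookie=None):
    # Trusts state supplied by the client: any request with these fields posts.
    if "loginok" in params and params.get("userid"):
        return 200, params["userid"]
    return 403, None

def hardened_new_post(method, params, cookie=None):
    if method != "POST":                       # no state changes via GET
        return 405, None
    sid, _, mac = (cookie or "").partition(".")
    if not hmac.compare_digest(mac.encode(), _sign(sid).encode()):
        return 403, None                       # missing or tampered cookie
    session = SESSIONS.get(sid)
    if session is None:
        return 403, None
    expected = session.pop("captcha", None)    # one-time: a replay finds nothing
    answer = params.get("captcha", "")
    if expected is None or not hmac.compare_digest(expected.encode(), answer.encode()):
        return 403, None
    return 200, session["user"]                # author comes from the session

if __name__ == "__main__":
    print(vulnerable_new_post("GET", FORGED))
    print(hardened_new_post("GET", FORGED))
    cookie = login("alice", "7341")
    ok = {"body": "hello", "captcha": "7341"}
    print(hardened_new_post("POST", ok, cookie))
    print(hardened_new_post("POST", ok, cookie))
```

The hardened handler ignores `userid` and `loginok` entirely, so the only way to post is with a cookie the server issued and a CAPTCHA answer it has not already consumed.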

2by4

8:29 pm on Jan 15, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The simple captchas can be processed and read by bots; that's why the new ones are so complex and hard to read, with distorted text. That was done very soon after the initial captchas were created.

If you add a rel="nofollow" to any URL processed in the script, it helps, although the bots don't know if you use that or not, but at least you aren't linking out to bad neighborhoods.

You just have to keep on top of it. It's not a problem if you make sure to delete all spam instantly. Spammers kind of keep loose lists, from what I can tell; when they see their stuff get deleted right away, they tend to just go somewhere else, since there are so many unprotected blogs, guestbooks, and forums on the web. It's a matter of quantity of backlinks gathered, not of spamming your guestbook specifically.