Guest book spamming

But it's not a guest book, it's a customer contact form


jetteroheller

8:59 pm on Mar 13, 2006 (gmt 0)




For several weeks, on 2 of my domains the contact form has been filled in with a wrong email address and a lot of URLs in the comment field.

First I checked everything for security holes, but found nothing. I had no idea why somebody keeps filling in the form again and again.

Now the secret is revealed, the last form email contained:

Hi. Sorry for my spam. But i love your guestbook. Good luke!
Long list of spammed URLs

Now a 3rd of my domains is also affected by this sort of guest book spamming.

Any ideas how to tell these morons that this is a contact form and not a guest book?

ronburk

12:59 am on Mar 16, 2006 (gmt 0)




I wonder if most guestbook spammers don't separate their activity into two widely-separated-in-time steps: harvest <form> entities for their field/action data, and the actual transmitting of the spam via HTTP request.

If they do, then one simple solution would be to use a nonce to distinguish the bot from the human.

Example:

  • dynamically generate the page containing the contact form.
  • In the contact form, add a hidden field named, say, "Nonce" with a value of the current time/date.
  • On the server side, in the code that handles the transmitted form (via GET or POST, presumably), compare the nonce value to the current time/date. If it's more than, say, 24 hours old, return a web page that says "Hey, you sure took a long time to press that Submit button -- please try again!"

Of course, if the spambot loads and re-parses the HTML from the URL containing the contact form just before transmitting the spam each time, then this simple scheme won't work.

Spambots are often coded in a highly fragile way; I would be interested to know how many of them load and re-parse before each transmission.

jetteroheller

10:41 am on Mar 18, 2006 (gmt 0)




Thanks, I have now implemented it:

if ( form older than 10 hours )
and ( no valid email address ) { forget the spam }

Luckily, 99.9% of my forms are dynamically generated; only very few are static pages on the web site itself.
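The three steps ronburk lists (generate the form dynamically, put a timestamp in a hidden "Nonce" field, reject submissions whose nonce is too old) and jetteroheller's variant (drop the message only when the form is both stale and carries no valid email address) as one worked example. This is added illustration code, not anything posted in the thread or taken from either member's site. It goes one step beyond the thread: the nonce is a timestamp plus an HMAC tag under a server-side secret, so a bot that merely writes the current time into the harvested field is still rejected. The secret, the field names, the 10-hour window and the simple email check are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import re
import time

# Constructed demo values; a real deployment keeps its own secret server-side.
SECRET = b"constructed-demo-secret-change-me"
MAX_AGE_SECONDS = 10 * 3600     # jetteroheller's 10-hour window (ronburk suggested 24h)
CLOCK_SKEW_SECONDS = 60         # tolerate a client or proxy clock slightly ahead of ours

# Deliberately simple email shape check (assumption): something@something.tld
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def make_nonce(now=None, secret=SECRET):
    """Build '<issued-unix-time>.<hmac-tag>' for the hidden "Nonce" field.

    The thread proposes a plain timestamp; the HMAC tag is an addition so a
    harvested form cannot be replayed by just writing the current time into
    the field. Only the server holding SECRET can mint a valid tag.
    """
    issued = int(time.time() if now is None else now)
    tag = hmac.new(secret, str(issued).encode(), hashlib.sha256).hexdigest()[:32]
    return f"{issued}.{tag}"


def render_form(now=None):
    """Steps 1 and 2: the dynamically generated page carries a fresh nonce."""
    return (
        '<form method="post" action="/contact">\n'
        f'  <input type="hidden" name="Nonce" value="{make_nonce(now)}">\n'
        '  <input type="text" name="email">\n'
        '  <textarea name="comment"></textarea>\n'
        '  <input type="submit" value="Send">\n'
        '</form>\n'
    )


def is_valid_email(addr):
    return bool(addr) and EMAIL_RE.match(addr) is not None


def check_submission(fields, now=None, secret=SECRET,
                     max_age=MAX_AGE_SECONDS, strict=False):
    """Step 3: validate the posted fields. Returns None to accept, else a reason.

    strict=True  -> ronburk's rule: any stale form is bounced ("took too long").
    strict=False -> jetteroheller's rule: drop only if stale AND no valid email.
    A missing, malformed or forged nonce is rejected under both rules.
    """
    now = int(time.time() if now is None else now)
    nonce = fields.get("Nonce")
    if not nonce:
        return "missing nonce"
    issued_s, _, tag = nonce.partition(".")
    if not issued_s.isdigit() or not tag:
        return "malformed nonce"
    expected = hmac.new(secret, issued_s.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return "forged nonce"
    age = now - int(issued_s)
    if age < -CLOCK_SKEW_SECONDS:
        return "nonce from the future"
    if age > max_age:
        if strict:
            return "stale form"
        if not is_valid_email(fields.get("email", "")):
            return "stale form and invalid email"
    return None


if __name__ == "__main__":
    harvest_time = 1_142_280_000            # constructed: a day in March 2006
    nonce = make_nonce(now=harvest_time)
    # Human: submits within minutes of loading the page.
    print("human:", check_submission({"Nonce": nonce, "email": "me@example.org"},
                                     now=harvest_time + 120))
    # Harvest-then-spam bot: replays the field two days later with junk email.
    print("old bot:", check_submission({"Nonce": nonce, "email": "junk"},
                                       now=harvest_time + 2 * 86400))
    # Bot that forges its own "fresh" timestamp without the secret.
    print("forger:", check_submission({"Nonce": f"{harvest_time + 2 * 86400}.abc"},
                                      now=harvest_time + 2 * 86400))
    # ronburk's caveat: a bot that re-fetches the page right before posting
    # gets a fresh nonce and passes this check like a human would.
    fresh = make_nonce(now=harvest_time + 2 * 86400)
    print("re-parsing bot:", check_submission({"Nonce": fresh, "email": "junk"},
                                              now=harvest_time + 2 * 86400 + 5))
```

The last case in the demo is the limitation ronburk points out: the scheme only separates bots that harvest forms long before posting, so it is best treated as one cheap filter alongside others rather than as a complete defence.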