Validate for a http referrer. At the top of your form handling page you can add something like this:

<?php

$origin="https://example.com/contact.php";
$referral=$_SERVER["HTTP_REFERER"];
$refervalid=0;
if($referral==$origin) $refervalid=1;
if(!$refervalid){
echo "<script type=\"text/JavaScript\"><!--\n ";
echo "top.location.href = \"$origin\"; \n// --></script>";
exit;
}

?>

What the above does is that if the source of your form being filled out didn't come from your own site, or if the UA is an empty string like many badbots, it will send the request back to your contact page to be submitted.

SevenCubed, thank you for the code. You know what, the form is dynamically referred from the product's page, I can fix a static $origin. May be it is possible but I'm still learning.
Thanks.

Oops, wait a minute, that code above works but it also has an "Notice: Undefined index" error, give me a few minutes and I'll rework it and repost.

Thanks

Actually it should be ok, I'm getting messed up here with my own environment variables. I just tried it on a live server with javascript disabled and didn't get any error then with javascript enabled and it performed as expected.

Hope it is something you can work with or rework as you said. Maybe someone else might jump in with something easier too because there are always so many ways to accomplish the same need.

Ohhh it's been a long day. In the above I only considered for if someone is trying to load your validating page directly. I forgot to account for a submission from your form so this should be it:

<?php

$referral=$_SERVER['HTTP_REFERER'];
$origin="https://example.com/contact.php";
$refervalid=0;
if($referral==$origin) $refervalid=1;
if((!$refervalid) OR ($_POST["validated"]!=variable-passed-from-form)){
echo "<script type=\"text/JavaScript\"><!--\n ";
echo "top.location.href = \"$origin\"; \n// --></script>";
exit;
}

?>

But please do try it in non-production environment first because I didn't test this last one but have to get out of here for the night :)

That will help, but the real problem stems from them being able to get something through they shouldn't. Cleanse and filter your input.

Some searches here that will help [google.com]

Thank you SevenCubed. I tried and it works!

Rocknbil, what you say is true, do you have something could recommend me... at least, at link where I can learn about the options I may have?
Thanks

Any one can give me a suggestion for when referrer are dynamic pages?

I read somewhere that HTTP_REFERER is not 100% reliable. I guess my solution isn't either, but it works very well for our purposes. Here's what I do...

1. Leave the action attribute of the form blank in the html <form> tag. Then when the form is submitted, use javascript to populate the action attribute. jQuery makes this easy.

<form id="nospam" action=""></form>

This goes a long way to thwart crawlers looking for form processing scripts. It won't stop a curious spammer willing to look at your source code. The jQuery to handle this might look something like this...

// This jQuery
$(document).ready(function () {
$('form#nospam').submit(function () {
$(this).attr('action','/path/to/form/processing/script');
return true;
});
});

The drawback here is that if a user doesn't have javascript enabled, they can't submit the form. Also, this usually only helps when implemented ~before~ a form is live. If spam bots already have the URL of your form processor, you'll need more protection. Read on...

2. Use PHP to generate a hash on the page where the form is, include it as a hidden form element, then check it when the script is submitted. For example, if my form is on form.php and the processor is check.php I would do this...

// Before the form is output on form.php
session_start();
$hash = md5(date(str_shuffle('aAbBCcDdEeFf...')));
$_SESSION['form_hash'][md5('/path/to/check.php')] = $hash;

Replace '/path/to/check.php' with what will be reflected by $_SERVER['REQUEST_URI'] when the form is submitted to the processing script. Now, insert this hash into the form as a hidden field.

<input type="hidden" name="hash" value="<?php echo $hash; ?>" />

When the form is submitted, check the hash against what you generated...

session_start();
$hash = $_SESSION['form_hash'][md5($_SERVER['REQUEST_URI'])];
// You MUST unset the hash so that they only get one try
unset($_SESSION['form_hash'][md5($_SERVER['REQUEST_URI'])]);
if($hash === $_POST['hash']) {
//Process the submission...
}
else {
//Send them somewhere else 
}

This approach stops spam robots from remotely posting to your form processor because they didn't hit the form first to get the hash stored in a session variable. Whoever wants to submit your form must actually visit the page first. This approach does not stop someone who loads the form and manually submits spam.

I have had several clients come in having issues with automated spam posts. I usually implement both. I change the URL of the form processor then use a blank action attribute, then implement the URL-based hash to make sure that the user actually hits the form before submitting it.

Thank you adephue, I went with option two and it works as expected. Hope to fix the issue.
Thank you for your help.