I'll take a stab: I'm guessing that your captchka program was free or purchased, and there is a configuration setting that allows <Default> to override the verification input code? Check that out first.

I have not delved into captchkas because most of the sites I work with have many MANY forms and it presents too many extra steps for the end user, to many places to lose valuable leads. I mention this because you should use the same methods this forces me into: screen your input data.

Invariably you will find a pattern in this spam input that you can block, that is, a lot of them now are pharm links: [ url=whatever] and <url=whatever>. So unless you have a really good reason for allowing your users to enter html and forum style links, you can kill this data on input:

if ($yourdata =~ /$spamlink/) { &exit_without_satisfaction; }

That's perl, re-code in the language of your choice. Admittedly this is a short term solution, the real answer lies in logging all data input from your forms, looking for patterns, and at worst start banning IP's.

Appreicate ur reply. I think i will go for a php form instead of using Javascript i have a feeling this is the reason why bots are able to pass the image script.

Thanks