I have done some research on this:
There are a few types of spam you will receive:
Human spammers – they actually visit your form and fill it out including the CAPTCHA.
Spambot probes – sometimes contain content that does not make any sense (jibberish). Spam bots will try to target any forms that they discover. They first attempt an email header injection attack to use your web form to send spam emails. After failing that, they simply submit the form with a URL or embedded HTML, hoping someone will be phished or click the link.
Blackhat SEO spammers – looking for blog comment forms, contact forms, Wikis, etc. By using randomly generated unique “words”, they can then do a Google search to find websites where their content has been posted un-moderated. Then they can go back to these websites, identify if the links have been posted without the rel=”nofollow” attribute (which would prevent them contributing to Google’s algorithm), and if not they can post whatever spam links they like on those websites, in an effort to boost Google rankings for certain sites. Or worse, use it to post whatever content they want onto those websites, even embedded malware.
Human captcha solvers – The thing is that it’s easy and cheap for someone to hire a person to enter this spam. Usually it can be done for about $5 for 1,000 or so form submissions. The spammer gives their ’employee’ a list of sites and what to paste in and they go at it. not all of your spam (and other trash) will be computer generated – using CAPTCHA proxy or farm the bad guys can have real people spamming you. A CAPTCHA farm has many cheap laborers (India, far east, etc) solving them. CAPTCHA proxy is when they use a bot to fetch and serve your image to users of other sites, e.g. porn, games, etc. After the CAPTCHA is solved, they use a bot to post your form.
How to stop it?
Change the URL of your form: – This should immediately eliminate all spam sent directly to your form by spammers who have the URL of your webmail script in their databases. This could only be temporary if they come back to find it again, or maybe they wont. This is not possible on WP comments.
Filter Spam With Akismet – The Akismet plugin comes pre-installed with WordPress now. First you will need to make sure that Akismet is activated using your WordPress.com API key. Once activated, Akismet helps to block spam comments.
First check this: make sure the only other security plugins you have are Akismet or WP-spamFree. Akismet and WP-spamFree are the only other anti-spam plugins approved for use with SI CAPTCHA Anti-Spam, others can simply break the CAPTCHA validation so that the CAPTCHA is never checked. If another security plugin is combined(not Akismet or WP-spamFree), the captcha may not work. Be sure to always test the CAPTCHA after installing new plugins.
Built in form defenses – such as hidden honeypot fields. if the spam bot fills it in, it IS SPAM, let them to the thanks page but do not send the email. There are some related options including session tokens fields, time delay, and randomization of methods. I might experiment with this in a future version, but nothing can stop human spammers.
