We put contact forms on websites quite a lot, and we check that the input data is valid and sanitized of all evilness. However, after a few weeks the inevitable contact form spam starts to filter into the client’s inbox.
To the client the obvious answer is a CAPTCHA.
However, I advise clients that putting a CAPTCHA or other similar element onto a contact form shifts the spam problem onto their legitimate users. Why should your user have to mess about trying to read two difficult-to-read words just to contact your business? The user shouldn’t need to care about your spam problem.
That said, spam is annoying and if you are getting a lot of it, it may prevent you noticing legitimate contacts. So what should you do about it?
If you are getting an awful lot of spam, one method is to deploy Akismet, which has a simple API that can be hooked up to your contact form and which returns a true or false result, depending on whether it believes the message to be spam or not. As Akismet is used by WordPress, they have a huge amount of data on what is and is not spam. There are also plugins available for several content management systems and frameworks.
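As an added example (not code from the original post), here is one way a contact form handler could call Akismet's comment-check endpoint and act on the true/false answer. The API key, site URL, function names and routing labels are assumptions, and delivering the message when the check cannot be completed is a design choice made here so that a real enquiry is never lost.

```python
import urllib.parse
import urllib.request

# Akismet comment-check endpoint. The key and site URL are placeholders.
AKISMET_URL = "https://rest.akismet.com/1.1/comment-check"
API_KEY = "YOUR_AKISMET_API_KEY"
SITE_URL = "https://www.example.com"


def build_payload(form, user_ip, user_agent):
    """Map contact-form fields onto Akismet's comment-check parameters."""
    return {
        "api_key": API_KEY,
        "blog": SITE_URL,
        "user_ip": user_ip,
        "user_agent": user_agent,
        "comment_type": "contact-form",
        "comment_author": form.get("name", ""),
        "comment_author_email": form.get("email", ""),
        "comment_content": form.get("message", ""),
    }


def http_post(url, fields):
    """Default transport: form-encoded POST, returns (body, headers)."""
    data = urllib.parse.urlencode(fields).encode("utf-8")
    req = urllib.request.Request(
        url, data=data, headers={"User-Agent": "contact-form-example/1.0"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8").strip(), dict(resp.headers)


def triage(form, user_ip, user_agent, post=http_post):
    """Return 'deliver', 'spam-folder', 'discard' or 'deliver-unchecked'."""
    try:
        body, headers = post(AKISMET_URL, build_payload(form, user_ip, user_agent))
    except OSError:
        return "deliver-unchecked"  # service unreachable: keep the enquiry
    if body == "false":
        return "deliver"
    if body == "true":
        # Akismet flags the most blatant spam with this response header.
        lowered = {k.lower(): v for k, v in headers.items()}
        return "discard" if lowered.get("x-akismet-pro-tip") == "discard" else "spam-folder"
    return "deliver-unchecked"  # e.g. "invalid" for a bad key or missing field
```

The `post` parameter lets the handler be exercised with a stub transport, so the routing logic can be tested without contacting Akismet.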