Form Security Anti Spam Techniques:
* a salted hash (hash1) that is unique to each session, and is unique everyday is generated and added to the form
* a differently salted hash (hash2) of the above is added to the session on the server
* when submitted we generate hash 2 from hash1
* if it is not the same then session or date is different, no submit
* on sending the form the session var is deleted, so resubmitting the same form is not possible'
* emails can only have a max of 3 urls
* emails cannot contain certain spamwords
* a anti-spamid is added to each email that is only known to angus college so email filters can be adjusted for this if necessary
* when the page is opened and submitted, the time is recorded and compared. If the page is submitted within X seconds, the form will not be emailed to combat auto form filling software where humans are quickly manually filling in forms.
That's what I built on the website I maintained at work (not in php). And you can get the spamwords list from the wordpress codex.