The way I've got around spam bots (at the moment anyway) is to send all our enquiries through our ticketing system and run the ticketing system over SSL.

Without seeing the PHP running the form it's impossible to tell if they are using OCR to read the characters, or some exploit in the code.

You could change the PHP so that it asks a random maths question or other simple question such as the name of the company or are there pictures of boxes on this page?

__________________
US & UK Web Hosting with hourly backups | Hosting Affiliate Scheme | Web Directory 2 for 1 Offer