One of the changes I made to the script, af.cgi, mentioned above in the alien form post stopped spammers using textareas to send spam using html code.
I changed line 234
From:
if ($prefs =~ /w/i and $value =~ /\W/) { push @only_words, $key }
To:
if ($prefs =~ /w/i and $value =~ /[^A-Za-z0-9.,;
"'\s\&\#\$\@\-]/) { push @only_words, $key }
Then made sure my textareas were named starting with the w_ prefix.