Martin - you may want to double check the validation on the captcha field of your clients form. I am having a similar issue where it requires a value and will alert if it is empty but allows a non matching string of characters. This will allow a script to send spam through the form.
I am looking in to how to change this since it allows it out of the box. I know I came across a way to check the code to prevent a form submission if the codes do not match. If I find it I will let you know.