The form bots are exploiting a weakness in the WebAssist email code. An easy fix is to simply not use the WebAssist create email feature.
We had the exact same problem, no stopping the bot, client was going nuts with emails, then we removed the webassist email replaced it with another email processing code and the bots were stopped.
I believe the bots are seeking out WA code and hammering it whenever they find it.
They easily circumvent the client side form error checking as well which is why your CAPTCHA, nor honey pot techniques will work.