""The previous technique of putting the hash into a hidden form element was a good solution as well. I don't quite understand why you would remove it. ""
Yes, I thought this also was a good solution but yet an email showed up (spam matching old formatted form results) and in a subsequent test the email legitimately did not send the first time using the page. But it did work the second so I tried to simplify by just checking for an present Session and not it's value.
The issue is that someone is able to send through our form but not use our form as the content does not match the current template. Sure I can move to adding more hooks like Captcha or reCaptcha but wanted to logically thwarte the illicit event by somewhat understanding how they are achieving this.