It is hard to say. Sometimes it happens because the validation isn't secure, or sometimes the spam is getting sent from another page entirely that you didn't realize existed somewhere for testing. I'd have to debug to figure it out. If you attach a copy of the page, then I could start by looking to see if I can spot an issue.
If I don't spot the issue on the page, then I'd probably add an identifier to the email body and a hidden form element to the page to be sure the spam emails are actually coming from the page you are assuming they come from.
Once I've confirmed that the spam is actually coming from that page and form, then I'd re-examine the file to make sure there aren't any ways to bypass the validation code and maybe add another form of CAPTCHA to see if that helps.