I tested you page and can only send it if I fill in the captcha properly, so the validation is working.
captcha is used to prevent automated scripts for ending your form, it cannot prevent a real person from filling in the form though.
since the captcha is woking as it should, it would mean a real person is responsible, it's a bit more difficult to prevent a malicious person from filling in your form.
I see you are also displaying the comments on the page, so you must be storing them in a database. in your comments table, add an ip address column, bind this to the REMOTE_ADDR variable in the Server bindings collection to store the ip address of the user making the comments.
when you start getting spam messages, you can look up the email address in the comments table, and match it to an IP.
you can use an htaccess rule to prevent that IP address from accessing your site in the future. see the following for more details:
block-bots-hotlinking-ban-ip-htaccess