I'm thinking that they are opening the page and then via the Developers Tools for a browser are changing the text fields and then resubmitting. If they exclude my honeypot field (cracker) the form will pass validation.
Otherwise what server side validation are you talking of Jason?
Here's my basic honeypot conditional statement that wraps the insert and email functions:
// Cracker honeypot check
if (!isset($_POST['cracker'])) {
// WA DataAssist Insert
if ($_SERVER["REQUEST_METHOD"] == "POST") // Trigger
{
$WA_connection = $....;
$WA_table = ".......";
$WA_sessionName = "sessLead";
$WA_redirectURL = "";
if (function_exists("rel2abs")) $WA_redirectURL = $WA_redirectURL?rel2abs($WA_redirectURL,dirname(__FILE__)):"";
$WA_keepQueryString = false;
....
...