I don't see any server validation code on the CAPTCHA. It would be easy to create a page that posts to this one that would send an email. You really need to validate the CAPTCHA server side for it to do much good.
I'd make sure to validate your CAPTCHA on the server. That would probably stop the problem. If not, the next step might be to log all of the $_SERVER[] variables from the spammer to see if it might contain more details you can use to catch and block them.