Is it possible you have another test page on the web server without the captcha? Maybe it is actually another page the spammers found.
If you only got 3, they could be actually filling out the form and entering the captcha value. How can you be sure it isn't a human? Captcha only prevents bots.
You could start recording the IP address of submissions and if it comes from a consistent IP or range then block it that way.