You may have another page or pages on the site that can be accessed without captcha? I see that a lot of times. I'd have to audit the site to be sure what page they are actually using to send the spam. Maybe add a hidden form element to the form you think it comes from and include it in the body of the email to be sure.