For securing your forms there is the CAPTCHA, security questions and some empty hidden form elements.
The idea with the hidden form elements is that you leave them blank and validate for them to be blank, if they have a value they should fail validation. The idea is that a bot filling in the form will fill in these hidden form fields as well, so if you confirm that the fields have no value in them it is more likely that a real human filled in the form.
If you put the Universal Email server behavior on the page yourself you should check it to make sure you have it set to same page post as the trigger, this can help with things also.