One of mine was getting spammed similarly; I had developed the form and response page with Dreamweaver and was passing the input of the form straight through without any form of checking - yes, I should have known better, especially with my background.
Someone was putting a long multipart message into the field designed to take only the enquirer's name. The quick fix I thought of was to crop the length of the input to say 30 characters, no-one's name will be longer than that.
If I had been handling this in Perl I would have stripped the input of everything except alphanumeric characters etc, I tried that with PHP's regular expressions but found them not quite as easy to use as Perl's.
Server-side verification is what's needed or CAPTCHA - that's what I'm working on now.
