I've read up quite a bit on spam prevention, and this is one apparent solution that keeps being suggested:
Use a token and put it into a session and also add it to the form. If the token is not submitted with the form or doesn't match then it is automated and can be ignored.
Source: https://webmasters.stackexchange.com/questions/3588/how-do-spambots-work
Which basically is saying to protect yourself from CSRF.
So my question is, do spambots rely entirely on a method that incorporates CSRF? Do they simply send repeat POST requests without actually requesting the page to figure out what the hidden token embedded in the form is? This seems almost suspiciously too easy to stop and I'm skeptical. Anyone have any concrete information on this?
Imagine a crawler that visits a random URL and, if it sees a form, fills it in and submits it. In this case, the token will be automatically accepted, as long as it is generated on page load.
So, as an additional defense - add a tough CAPTCHA.
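
The session-token check from the question, together with the limit the answer points out, as an added example that is not part of the original posts. The field name `form_token` and the plain dict standing in for the server-side session are assumptions.

```python
import hmac
import secrets

FIELD = "form_token"  # hypothetical hidden-field name


def render_form(session: dict) -> dict:
    """Simulate a page load: store a fresh token in the session and
    return the hidden fields the HTML form would carry."""
    token = secrets.token_urlsafe(32)
    session[FIELD] = token
    return {FIELD: token}


def accept_post(session: dict, form: dict) -> bool:
    """Accept the POST only if its token matches the session's token.
    The token is single-use: it is removed whether or not it matched."""
    expected = session.pop(FIELD, None)
    submitted = form.get(FIELD)
    if not expected or not isinstance(submitted, str):
        return False
    # Constant-time comparison of the two token values.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def blind_post() -> bool:
    # Client that POSTs without ever requesting the page: no session token.
    return accept_post({}, {"comment": "spam"})


def replayed_post() -> bool:
    # Client that loaded the form once and re-sends the same token.
    session = {}
    fields = render_form(session)
    accept_post(session, {**fields, "comment": "first"})
    return accept_post(session, {**fields, "comment": "second"})


def crawler_post() -> bool:
    # Crawler from the answer: loads the page, fills the form, submits.
    session = {}
    fields = render_form(session)
    return accept_post(session, {**fields, "comment": "spam"})


if __name__ == "__main__":
    print(blind_post(), replayed_post(), crawler_post())
```

The token rejects blind and replayed POSTs, but a client that requests the page first passes the check, which is why the answer adds a CAPTCHA on top.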