Many scripts have a "must run from" type of action so that if your site is www.bob.com then the form must be submitted from bob.com. The spammer probably wrote a script that ran on his/her website and called your form.
Check out www.redundantcartride.com/dbman (the unofficial dbman faq) and see if there is any such mod that limits form submission to your site only.
Check out www.redundantcartride.com/dbman (the unofficial dbman faq) and see if there is any such mod that limits form submission to your site only.