Simple Way to Block Salesforce Web-to-Lead Spam
Create an auto-validation rule that searches your form for 'href'. Include all of the fields in the form in the search. Set a default error message to the spam submitter. This has completely fixed my web-to-lead spam. It seems to be a much easier implementation than running captcha, checking against hidden fields, validating through another server, etc.