I see this question has gone into "neglected status."
The correct answer is still the CAPTCHA image, but you might be able to get away with a form token. It should prove more reliable than the IP address, but less reliable than CAPTCHA. Here is my teaching example of how to use a form token.
Best of luck with it, ~Ray