If you suspect this is being done by an Email Bot...
A potential solution is to use a field (something you don't use or care about the contents) and then add a honeypot field. Here is an article that explains how it works. How do I block junk form submissions from my site?
Then you evaluate the form submissions to see if there is anything in the honeypot field. If so, you delete the lead record, since it was populated by an Email Bot.
The trick is to figure out how to get the honeypot field into the form tag and hide the display. I played with a visibility rule to see if Marketo would hide it for me. It does, but it uses a placeholder and not a hidden field that would trick the bot.
Honeypots don't work. Anybody mildly curious can see your logic (it's right there on the page and on the wire) and pound your form after that.
reCAPTCHA works, but only to prevent bots. An individual human attacker cannot be stopped by reCAPTCHA.
The only way to combat "link smuggling" by human attacker as described here is to escape all untrusted link-like data. See https://blog.teknkl.com/tokens-as-hacker-weapons-1/