Marketo implements a native mechanism that is very standard across the industry. You will find nearly identical implementations in Salesforce, SugarCRM, Oracle, SAP, Amazon, Google and many more.
Spambots are and will remain an annoyance in the foreseeable future. It is just like vandals in the real world.
Combating spambots is a cat and mouse game: we create mechanisms to deflect or deter them, they explore new ways, come back again until another door is closed and that goes on. They tend to target database driven websites because they know that is where it is going to cause most inconveniences.
Modern web applications implement browser side validation to relief servers from intense processing. That is what Marketo, Google, Amazon and Facebook do (add your favorites to that list). Most spambots take advantage of client-side validation, executed by JavaScript. The trick is simple: disable JavaScript to run browser attacks.
An extremely simple yet very effective solution is adding noscript tag.
It evaluates whether the browser has javaScript enabled. It executes instructions between noscript opening and end tags. You can enter a message such as "Please enable JavaScript to fill out the form"and then redirect to any deflection page which could be the homepage or even a more drastic approach, a completely invalid one forcing a HTTP 404.
Open the landing page being attacked, click "Landing Page Actions" on the top right corner and select "Edit Page Meta Tags"
Enter the following extract on Custom head HTML - replace www.example.com with your homepage or any URL, including an invalid to force HTTP 404:
<noscript>Please enable JavaScript!
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://www.example.com/?r=us">
</noscript>
.png)