Assuming the spam is via a bot, how exactly does it find my form on site?
It spiders your site via HTTP and parses the HTML returned, looking for suspicious-looking form tags.
And the data I'm getting is much longer than the field size limits on the web page, so they either are using their own variant of my page (which I'd need to try and block) or what?
All a form tag implies is that connecting via HTTP to the URI in the action attribute produces some action, and that it may or may not do anything with the form parameters submitted. If you can construct an HTTP request by yourself, you don't need the form.
That's how forum spammers and web services work.
You could use length or some other pattern matching to catch spam. I would suggest a really big captcha though; if your users are vision-impaired, then increase the size. One of the best combos is to have a captcha, but allow registered users to bypass it by logging in. Then your normal users aren't bothered and you keep the spammers out. I've used this very successfully in the past; pair it up with an IP-based time limit and you'll keep 99% of unwanted spam out and not bother your users too much. PS: my captcha was actual words instead of random text to make it easier on users. Like with any security measure, the goal is to balance the strength of your security, your users' needs, and the benefits of the security you are adding. If you only get the normal bots that don't try too hard, then measures like this are very effective. If you think you are dealing with an individual determined to spam your site, then you might need a very different set of security measures.
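An added example, not part of either reply above: a server-side gate that combines the measures discussed in this thread (length limits re-checked on the server because a hand-built HTTP request ignores the form's limits, a captcha that logged-in users bypass, and an IP-based time limit). The field names, limits, the 60-second interval and the `SubmissionGate` class are assumptions made for illustration.

```python
import time

# Assumed limits; they mirror the maxlength values the HTML form would declare.
FIELD_LIMITS = {"name": 60, "email": 120, "comment": 2000}
MIN_SECONDS_BETWEEN_POSTS = 60  # assumed IP-based time limit


class SubmissionGate:
    """Decides on the server whether a form POST is accepted."""

    def __init__(self, limits=FIELD_LIMITS,
                 min_interval=MIN_SECONDS_BETWEEN_POSTS, clock=time.monotonic):
        self.limits = limits
        self.min_interval = min_interval
        self.clock = clock
        self.last_post = {}  # ip -> time of last accepted post

    def check(self, ip, fields, logged_in=False, captcha_ok=False):
        """Return (accepted, reason) for one submission."""
        # 1. Reject parameters the real form never sends.
        unknown = set(fields) - set(self.limits)
        if unknown:
            return False, "unexpected field: " + sorted(unknown)[0]
        # 2. Re-apply length limits: maxlength in the HTML binds only browsers.
        for name, value in fields.items():
            if len(value) > self.limits[name]:
                return False, "field too long: " + name
        # 3. Captcha is required unless the user is logged in.
        if not (logged_in or captcha_ok):
            return False, "captcha required"
        # 4. IP-based time limit, counted from the last accepted post.
        now = self.clock()
        last = self.last_post.get(ip)
        if last is not None and now - last < self.min_interval:
            return False, "rate limited"
        self.last_post[ip] = now
        return True, "ok"


if __name__ == "__main__":
    gate = SubmissionGate()
    # Constructed sample submissions (192.0.2.0/24 is a documentation range).
    samples = [
        ("192.0.2.10", {"comment": "A" * 5000}, False, True),
        ("192.0.2.10", {"name": "Ann", "comment": "Nice post"}, True, False),
        ("192.0.2.10", {"name": "Ann", "comment": "Again"}, True, False),
    ]
    for ip, fields, logged_in, captcha_ok in samples:
        print(ip, gate.check(ip, fields, logged_in, captcha_ok))
```

Rejected submissions do not reset the timer, so a bot hammering the endpoint with oversized fields cannot lock a legitimate user at the same address out for longer than one interval.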