A spammer will not run Javascript but talk directly to your mail sending script. The most important checks are the checks run on the server. You should really consider using the premade formmail script instead of rolling your own. Client-side validation will break as soon as somebody has Javascript disabled (like me) or does not even use a browser to send data (like a spammer).