I'm working on a signup script that doesn't use captcha as a security measure. I've added off-screen honey pots and have used md5 with salt to obscure the id and names of the required fields and am making assumptions based on the time it takes to complete the form. You know the kind of thing.

I was looking for opinions on the best approach for what to do with submissions that look like they've come from spammers. Just a simple "You're registration could not be completed" or should I also be recording IPs and user-agent and building a blacklist. Also, I'm aware that Google Chrome does autofill. If I give some leeway to Chrome users for filling in some of the honeypots, would I be leaving the door open to spammers?

Many thanks in advance for any advice or opinions.