I just completed a whole setup that you are asking Richey about.
It was simple to do, and as far as I know, HashCash is doing its job.
For my client it helps the visually impaired Submit forms without the need to play click the 'thing' games.
Myself, I have several sites that use Form add-ons but prefer to use Joomla's own Contact - because I think Joomla will improve it and I believe I'm not shackled to a subscription for updates (sometimes AKA bug fixes).
Implemented using the Joomla contact form.
Worth a mention ... one small problem with the Joomla contact form is that it does allow an additional field for a BCC etc. addressee which can be handy if you are monitoring a site's forms.
Cheers..... Rod
In response to your request for details re a possible bug: have just disabled the Hash Cash plugin for possible replacement. The host for the third party web site took it down earlier today due to an unacceptable amount of spam courtesy of the site's contact form, which in turn implies that HC was not doing its job.
Wow. I feel for you. I have questions. Does your contact form provide the visitor the option or default of receiving a confirmation response after they hit Submit? If Yes, I've been told that a contact form that does this, sends back to the recipient in the response, a map of how to ab-use the form now to send spam. So a manual use of the Form is needed and then they just wait for a copy or confirmation.
I can't read your screen cap - too small, but what I could see from the tech's language is "appear to have been" and "likely" when filing blame. About as close as our nearest galaxy.
If your answer would still be yes on the email confirmation, I would stop sending anything back to visitors via the form. Instead, we send them to a confirmation page. That way they can't use the contents as their map to spamming.
I chose HC because my clients ban all kinds of tracking, stalking and SMIRCing. Yes - even Google'ware and the likes are banned.
HashCash only operates on forms where it's been enabled. By default, in Joomla, it's the registration form. Once a user has registered, they won't (generally) see the HC plugin again. I have that problem with this forum. HC isn't implemented in the forum, so when a user manually registers, they can turn their bot loose with valid credentials and off they go. It requires manual intervention on behalf of the spammer. If you want HC to protect your forum, you could add it to the forum post form. That's beyond the scope of my support though.
TLDR, HC doesn't protect forms that it doesn't exist on, if a user is already registered - HC doesn't help you unless the extension developer included the ability to enable captcha on their forms.