I have a classifieds website…
Each classified is displayed in a PHP page called show_ad.php
I am working on a “tip a friend” function, where users enter their own name, the friend’s email and a short message to the friend.
The above is no problem, however, I need to make sure bots don’t use this form for “spam” etc…
One way is captcha, but I was thinking about creating my own captcha, so here is my plan, and I need you to tell me if it has any flaws:
1- On load of the show_ad.php file, I generate a random number, say 5 digits.
2- I output the number to the user, and tell users to enter this number in a form text input.
3- The number is also put into a hidden input.
4- User presses “send” button.
5- I use ajax to call a php file called send_tip.php, and I fetch the value of the hidden input, and compare it to the text-input the user entered, and see if they match, and then send the email.
Nothing is ever safe enough, but is the above enough for a classifieds website?
Thanks
UPDATE:
6- I add a table to MySQL, which records IP addresses of the user who sends email, and if it exceeds more than say 3 emails per minute AND 30 emails per day, I stop them… Although then maybe just the email is enough, and I should skip the first steps with the random number? What do you think?
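As an added illustration (not the poster’s code) of the scheme above: step 3 puts the expected number in a hidden input, so the page itself hands a bot both values it is asked to match, and the comparison in step 5 proves nothing. The snippet keeps the number in the server-side session instead and implements the per-IP limit from step 6; the table name `tip_log`, the function names and the SQLite in-memory database (a stand-in for the MySQL table so the example runs on its own) are assumptions.

```php
<?php
// Added example, not code from the original post.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// show_ad.php side: generate the 5-digit code and keep the answer in the
// session only; nothing but the number the human must retype goes to the page.
function issue_challenge(): string {
    $code = (string) random_int(10000, 99999);
    $_SESSION['tip_code'] = $code;
    return $code;
}

// send_tip.php side: compare what the user typed with the session value.
// The code is single use, so a replayed submission fails.
function challenge_ok(string $typed): bool {
    $expected = $_SESSION['tip_code'] ?? '';
    unset($_SESSION['tip_code']);
    return $expected !== '' && hash_equals($expected, $typed);
}

// Per-IP limit from step 6: allow at most 3 sends in the last minute and
// 30 in the last day. Assumed table: tip_log(ip, sent_at UNIX seconds).
function ip_allowed(PDO $db, string $ip, int $now): bool {
    $stmt = $db->prepare(
        'SELECT SUM(sent_at > :m), SUM(sent_at > :d) FROM tip_log WHERE ip = :ip'
    );
    $stmt->execute([':m' => $now - 60, ':d' => $now - 86400, ':ip' => $ip]);
    [$perMinute, $perDay] = $stmt->fetch(PDO::FETCH_NUM);
    return (int) $perMinute < 3 && (int) $perDay < 30;
}

function record_send(PDO $db, string $ip, int $now): void {
    $db->prepare('INSERT INTO tip_log (ip, sent_at) VALUES (?, ?)')->execute([$ip, $now]);
}

// Stand-alone demo: SQLite in memory instead of MySQL, constructed client address.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE tip_log (ip TEXT, sent_at INTEGER)');
$ip = '203.0.113.7';
for ($i = 1; $i <= 4; $i++) {
    $typed = issue_challenge(); // stands in for the human retyping the code
    if (challenge_ok($typed) && ip_allowed($db, $ip, time())) {
        record_send($db, $ip, time());
        echo "send $i: mail would be sent\n";
    } else {
        echo "send $i: refused\n"; // the 4th send within a minute is refused
    }
}
```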
You might want to consider using reCAPTCHA instead of reinventing the wheel and making your own CAPTCHA.
As a nice side effect, you’re helping to digitize books!