Email spamming

So I’ve got this old client of mine who just recently calls me up because he’s getting junk email sent to him. Here is the premise. I set him up a form on his site for people to contact him. I just used a basic cgi formmail service that comes along with his webhost. The forms variables are being sent to his domain email address. The only place the address shows up in the code, is in a hidden field. Is it possible that his email address was harvested that way? I thought only mailto: addresses would get snatched.
Anyway to fix this? Besides using suck spam filters, that are coincidentally offered by the host for a fee. Should I just delete the email on the server, and create a different one for him? I’m just confused as to how all of a sudden the spam starts piling on him. Any insight is greatly appreciated.