When the client loads the page, the server sends a hash of the timestamp and asks for the client to store it. When the client submits the form, it also sends the stored hash.
This exploits the fact that bots don't usually run javascript or load all resources on a page.
