Banning all URLs from all or even specific fields is unadvisable as it'd break the site. Remember that from the server's point of view there's no such thing as a "form". There's only data sent by GET or POST (or PUT, but PHP lumps that with POST data). Also, since this kind of rule would apply at the web server level, before Joomla loads, there'd be no way to tell if there's a logged in user or not. This means that anything that requires a URL, even articles, would be broken.
Now, you may wonder, why would banning URLs for a specific field be problematic? Because the field name is not guaranteed to be unique.
Moreover, writing that .htaccess rule would be a real pig since there's no good way to distinguish URLs and domain names (which is what you're really interested in!) over run together words. For example, akeeba.rocks is an honest to God domain name I have bought. Someone who can't be bothered spelling could also very plausibly write "i love your software akeeba.rocks man!" (which is an actual message I have received in the contact form and explains how I ended up snatching that domain name, hehe). So how can you tell them apart? You can't. You'd end up banning any two words separated with a comma.
I think that this approach is wrong. Most spam I've come across has specific keywords which are extremely unlikely to be used by our legitimate users. I also don't care if a spam contact form is stored in the database (it will be removed in 6 months anyway), I only care I don't receive it by email. Mail servers and mail clients are really good at figuring out which one of these are spam. I just have to check my spam every week or so for the occasional false positive.
Beyond that, other things which help with contact form spam are: CAPTCHAs (they can be beaten but it's more involved), Project Honeypot (there's integration for it in Admin Tools) and if the contact form software supports it Akismet (which is an extra paid service, well worth its money for reducing spam). In case you're wondering, the reason we can't implement Akismet integration in Admin Tools is the same reason you can't ban URLs in all form fields: you can't really know which fields come from forms and every request to Akismet costs you in page load time.
I hope that helps.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
English: native