You need to modify the code that processes the search to sense and block invalid attempts.
You could do this by looking for a valid session number, or even a session variable that is created by the page that contains the search form. You might also try a hidden field for the search form, although that is not always effective. (There are automated ways to ‘read’ a form and get the field names and the submit page. And then there are ‘headless browsers’ that can simulate a browser request.)
I’ve had some success with some JS code that changes the form’s ‘action’ value after a delay that is initiated with a ‘focus’ or ‘click’ event on the search form field. But there are ways for even a ‘headless browser’ to process JS code.
It takes a bit of effort for a spammer to customize an ‘attack’ on any form. So some basic precautions as noted above might give you three or four ‘nines’ (99.9%) protection, although perhaps not foolproof.
Blocking by IP address is not usually effective, as it is easy to use a VPN to change an IP address. And there are add-ins for headless browsers that know about IP blocking lists.