Ahh I see where you are going Mike. The catch is, most of the time these attacks are not fully automated, they are typically done manually. That is to say, some dude somewhere found your form and the coded a bot specifically for it. They typically mimic the form using some other application and are not actually using a browser and are not actually surfing your site. They simply POST their data to your action page and bypass the form page altogether (assuming they are not the same page).
In cases like this you can't stop them from finding the page, they already know where it is. To get them to stop, you need to show them they are wasting their time. Change your form notably, rename the page and add some of the hidden form checking I mentioned earlier (hidden field w UUID and a matching session variable) then throw a big ugly error when it fails, like fake a 404 error, this will tell the bot bums that your form is a waste of their efforts and they will stop. -- Alan Rother Adobe Certified Advanced ColdFusion MX 7 Developer Manager, Phoenix Cold Fusion User Group, AZCFUG.org ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Get involved in the latest ColdFusion discussions, product development sharing, and articles on the Adobe Labs wiki. http://labs/adobe.com/wiki/index.php/ColdFusion_8 Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:293348 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4