how to block a spam bot with a changing IP address?

battling a bot

         

Rodney

12:18 am on Aug 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have a hand-edited directory site that I've run for several years.

It's powered by an "off the shelf" php script.

In the past 24 hours I've been hit by a spam bot that is automatically sending a "submission" to the directory for various spam drug sites.

The IP address of this bot is different every time. The user agent (browser type) seems to be the same every time. The bot seems to only access my "add url" form and send a submission.

Any ideas how a non-programmer like yours truly could stop this attack?

Rodney

6:18 pm on Aug 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Did I post this in the wrong section? Any suggestions at all :)

Philosopher

6:45 pm on Aug 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Unfortunately, without some programming knowledge, you are likely going to have a hard time.

If the user-agent is the same every time AND that user-agent is NOT a normal user-agent, then there are a couple of not too difficult ways to block based on the user-agent. However, if the user-agent is one of the common user-agents used by regular visitors, then you can't block based on the user-agent.

With a little bit of programming knowledge, you could set up a CAPTCHA to stop this fairly quickly.

KenB

7:40 pm on Aug 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I was having the same bots submitting to my contact forms regularly. My solution was to change the field variable names to something non-common and then reject form submissions without the required fields filled in correctly. This almost completely stopped the bots.

Conard

7:46 pm on Aug 9, 2006 (gmt 0)

10+ Year Member



You could change the add url form to something like submit site. It would take a tiny bit of coding but it would stop it until the next time a human saw what you did and changed the bot.

Captcha would be your best bet and it's not that hard to add.

KenB

7:52 pm on Aug 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> You could change the add url form to something like submit site. It would take a tiny bit of coding but it would stop it until the next time a human saw what you did and changed the bot.

This won't work. The bots hit the main page and then follow URLs from there and hit any forms they see on subsequent pages. Typically they request around 10 pages so that they can fly under the radar.

It really appears to me that this is the work of zombie bot nets.

Rodney

8:04 pm on Aug 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> The bots hit the main page and then follow URLs from there and hit any forms they see on subsequent pages. Typically they request around 10 pages so that they can fly under the radar.
>
> It really appears to me that this is the work of zombie bot nets.

This seems like exactly what happened. Looking at the logs, it looks like the spambot requested a few pages, found a form and then came back to just that form, over and over and over again.

When I traced the IP, it looks like it comes from a dedicated server (or servers).

> With a little bit of programming knowledge, you could set up a CAPTCHA to stop this fairly quickly.

I think "little bit" might describe the depth of my programming knowledge :)

I can install and edit an off-the-shelf PHP script. I can sometimes find a problem in the script and edit it to do what I want (missing escape, add an extra line of code).

I think a captcha might be the way to go. I've found a little captcha script that says it can be installed on an existing PHP script, so I might try that out.

Jalinder

8:07 pm on Aug 9, 2006 (gmt 0)

10+ Year Member



The best solution I found is to check HTTP_REFERER. If it is not that of the form page hosted on my site, then just don't allow submission.

Jalinder

8:12 pm on Aug 9, 2006 (gmt 0)

10+ Year Member



Along with HTTP_REFERER I also use a random value that is stored in:
1. session variable
2. hidden field in the form
On the next page both are compared to verify.

Rodney

8:21 pm on Aug 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> Along with HTTP_REFERER I also use a random value that is stored in:
> 1. session variable
> 2. hidden field in the form
> On the next page both are compared to verify.

Any PHP code you can share that would accomplish this?

Jalinder

8:25 pm on Aug 9, 2006 (gmt 0)

10+ Year Member



If IP addresses are changing then it is a good thing for you to catch the bot.

On the form page store the IP address in session and a hidden field. On the save page compare the current IP address with session.

If session IP is empty that means there is direct submission to save page or session expired. Don't save to db and show error and link to go back to form and attempt again.

If there is an IP in session but it does not match the current IP on the save page, that means IPs are changing, and you know it's a bot.

IP in hidden field is additional verification.

All 3 need to match.

Jalinder

8:35 pm on Aug 9, 2006 (gmt 0)

10+ Year Member



I don't have PHP code, but here is some ASP code:

Dim strHttp_Referer
strHttp_Referer = LCase(Trim(Request.ServerVariables("HTTP_REFERER")))
If strHttp_Referer = "" Then
    ' Empty Http_Referer. It should have been my form page url.
    Session("banned") = "yes" ' does not allow any future activity for this session
    RecordIP() ' Stores IP address for violation check admin
    Response.End
ElseIf Len(strHttp_Referer) < 30 Then
    ' Too short. Length of my form page url is 34 (including www.)
    Session("banned") = "yes" ' does not allow any future activity for this session
    RecordIP() ' Stores IP address for violation check admin
    Response.End
ElseIf InStr(1, strHttp_Referer, "http://www.mysite.com/", 1) = 0 Then
    ' Referer url does not contain my domain name, has to be external file.
    Session("banned") = "yes" ' does not allow any future activity for this session
    RecordIP() ' Stores IP address for violation check admin
    Response.End
End If

Jalinder

8:45 pm on Aug 9, 2006 (gmt 0)

10+ Year Member



Finally, do not allow submissions from:
1. Known spamming IP addresses
2. Unknown User agents
3. Known Search engine User agents
4. Empty User agent
5. Bots that cannot store cookies/session. It takes some effort to build such a bot.

When you find a violation, store info in session and cookies and use them as far as they take you to minimize some of the attack. Also store IP address but do not ban it without verifying that it is indeed a spammer IP.

You should have a bit of a secure system. Never dream of 100% security on the Web.

Jalinder

8:56 pm on Aug 9, 2006 (gmt 0)

10+ Year Member



ASP code for the random:

=============
Form page:
=============
<%
Dim SecureRnd
If IsEmpty(Session("securnd")) Or Session("securnd") = "" Then
    ' No value in the session yet: generate one and remember it
    Randomize
    SecureRnd = (14 * Rnd) + 1
    Session("securnd") = CStr(SecureRnd)
Else
    ' Reuse the value already stored for this session
    SecureRnd = Session("securnd")
End If
%>
<input type="hidden" value="<%=SecureRnd%>" name="hsecurnd">

=============
Form Save Page:
=============
<%
Dim SecureRnd
SecureRnd = Request.Form("hsecurnd")
If IsEmpty(Session("securnd")) Or Session("securnd") = "" Then
    ErrSession(1) ' Session empty. Do not allow submission. Show error message and link back to form to retry
    Response.End
ElseIf Session("securnd") <> Request.Form("hsecurnd") Then
    ErrSession(2) ' Session and hidden field do not match. Do not allow submission. Show error message and link back to form to retry
    Response.End
End If
%>
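
The session-token, IP and Referer checks described in the posts above, sketched in PHP since the original poster asked for PHP. This is an added example, not code from anyone in the thread; it assumes PHP 7 or later, and the host name `www.example.com`, the field name `form_token` and both function names are hypothetical.

```php
<?php
// Added example (not from the thread). SITE_HOST and "form_token" are placeholders.
const SITE_HOST = 'www.example.com';

// Form page: call before any output, then print the returned value into
// <input type="hidden" name="form_token" value="..."> via htmlspecialchars().
function issue_form_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // 128 bits from the OS CSPRNG rather than a small guessable number.
    $_SESSION['form_token'] = bin2hex(random_bytes(16));
    $_SESSION['form_ip']    = $_SERVER['REMOTE_ADDR'] ?? '';
    return $_SESSION['form_token'];
}

// Save page: returns null when the submission may be stored, else a reason.
// Typical call: check_submission($_POST, $_SERVER)
function check_submission(array $post, array $server): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $token = $_SESSION['form_token'] ?? '';
    $ip    = $_SESSION['form_ip'] ?? '';
    // Single use: a replayed POST finds nothing left in the session.
    unset($_SESSION['form_token'], $_SESSION['form_ip']);

    if ($token === '') {
        return 'no session token: direct POST or expired session';
    }
    $posted = $post['form_token'] ?? '';
    if (!is_string($posted) || !hash_equals($token, $posted)) {
        return 'hidden field does not match session token';
    }
    if ($ip !== ($server['REMOTE_ADDR'] ?? '')) {
        return 'client IP changed between form page and submission';
    }
    // Referer is client-supplied: compare the parsed host, not a substring.
    $host = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    if (!is_string($host) || strcasecmp($host, SITE_HOST) !== 0) {
        return 'Referer is missing or not this site';
    }
    return null;
}
```

On a non-null result, show the form again so a fresh token is issued. Some legitimate visitors sit behind proxies that rotate addresses or strip the Referer, so log the returned reason before banning on it.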