Form submit protection using unique IDs, what's the point?

[vineld]

I have seen the following suggestion in several locations on the internet which is supposed to protect you against some attacks.

 

1. Generate a unique id that is stored as a session variable

2. Store the id in a hidden form field

3. When submitted check that the id is correct

 

This will indeed prevent people from submitting fake post requests but I am still able to let a bot script post the form itself a thousand times so what is really the point of this?

[jonsjava]

Quite a few bots will scrape a website (rather than download it every time) for forms, and store the form variables in a database.  It will then just submit to it constantly, with the same form fields every time.  The method you mentioned stops this type of attack.  I usually just add a select field with "I'm a spammer" as the default.  If they submit with that, they are spammers. So helpful of them to tell you who they are. 

[vineld]

Quite a few bots will scrape a website (rather than download it every time) for forms, and store the form variables in a database.  It will then just submit to it constantly, with the same form fields every time.  The method you mentioned stops this type of attack.  I usually just add a select field with "I'm a spammer" as the default.  If they submit with that, they are spammers. So helpful of them to tell you who they are.

 

Is that really common these days? Have you tracked any stats on how many you've encountered? Why don't they just use a proper submit script instead when it's just as easy? Of course it consumes more resources but that shouldn't be a huge problem...