All of a sudden, I started to get new form submissions every 3 min. The resulted in 100's of bogus form submissions. I tracked this down (eventually) to the following.
The hacker was requestiing the page with the form along with POST data for the form. The POST data passed the gravity forms filters. That is, it contained legal but BS data - basically links to his websites. He doesn't do it by actually opening the form and pressing the submit button - but rather emulating what happens when a user presses he submit button.
Soooo - where is he best place to trap this? I can require that the use be a registered user - but I don't know which hook to use? It seems that some hooks are invoked before the form is submitted. If I trap it on "post_submission" it's already too late as the post has been created?
Any help appreciated.