Back in the dot com boom I spent a few months working for a company that scraped sites that had logins so that one could store all of them in one place and only have to register once. Many sites welcomed it because it got them new members. Some didn't and took counter-measures. Changing the form elements, moving the locations of the forms or changing the required cookies all played havoc on our application. The most effective weapon was sites that simply blocked our IP address.

As for cookies and HTTP_REFERERs and the like, just because something that you do can be hacked doesn't mean that you should assume that they have hacked it and not check for it. This gives them the luxery of not even having to hack it in the first place.

Generally, what these guys are doing isn't rocket science. Changing things even a little bit will throw a big spanner into their works. Making sure that your form validator confirms that EVERYTHING is as it should be will also be a big plus.

()-()
 \"/
  `