rocknbil - 5:39 pm on Feb 10, 2011 (gmt 0)
Actually . . . they don't (rely on obscure file names), not really. What it does starts from the most basic concepts: know thy enemy. It begins with the second link, logging input from your forms to see what they are up to.
You have to keep in mind that most of these are automated. All they need to do is find "contact" or "contact us" on your page. This will lead them to your form, whatever it's named. You can arbitrarily change the file name, they will still find you.
Once they do that, they only need to find the form action. Then they need never visit your page. The automated bot is then pointed at it, set it and forget it. The bot assesses what fields are used, which are required, through several automated queries to the form processor (I have seen this in action, see logging, above.) Once it does that, it's ready to start hammering your scripts.
They are sneaky, too - they will hit you for a week or so, then go away, letting you think whatever action you took to stop them worked. Then at some random interval they will return again.
Part 2 of know thy enemy: if you use a legible logging routine for your forms, certain patterns will start to form. Nearly all of these attacks will come in the forms I mentioned in those links.
Some other ploys that may or may not provide some form of relief:
Empty hidden field: Put a hidden field with an empty value in it. Bots will populate all fields; if this field has a value, stop the script.
SIMPLE challenge/response: Easier than dreaded CAPTCHA, ask "what is three plus five?" and set your script to accept EITHER a case-insensitive eight or 8. Change it as often as you need. I've only had to do this in CMS's that won't allow me to filter input.
Dynamic field generation: Have your script dynamically generate the field names. This will also provide only temporary relief; bots are fairly wise to it.
Many of these may work permanently, many of them provide only sporadic or temporary relief, but it all comes back to Selena Sol's timeless quote:
Every user input is a potential hack. Every user input is a potential hack. Every user input is a potential hack.
The first job is to accept only the input you want, and throw everything else away. Then you can apply filters to see if someone's up to no good. This works. :-)
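A form processor that puts the points above together (keep only the fields you asked for, the empty hidden field, the three-plus-five challenge accepting "8" or "eight", and one legible log line per submission so patterns show up), as an added Python example that is not part of the original post; the field names, log format and sample submissions are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed example: the only fields the contact form legitimately carries.
ALLOWED_FIELDS = {"name", "email", "message", "answer", "website"}
HONEYPOT_FIELD = "website"            # hidden in the real form, stays empty for humans
CHALLENGE_ANSWERS = {"8", "eight"}    # "what is three plus five?" - either spelling
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def validate_submission(post):
    """Return (accepted, cleaned_fields, reason) for one POSTed dict."""
    # 1. Accept only the input we asked for; everything else is thrown away.
    cleaned = {k: v.strip() for k, v in post.items() if k in ALLOWED_FIELDS}
    # 2. Honeypot: a bot that populates every field trips this check.
    if cleaned.get(HONEYPOT_FIELD, ""):
        return False, {}, "honeypot filled"
    # 3. Challenge/response, case-insensitive, "8" or "eight".
    if cleaned.get("answer", "").lower() not in CHALLENGE_ANSWERS:
        return False, {}, "challenge failed"
    # 4. Shape checks on what remains; \s in the regex also rejects CR/LF,
    #    so a mail-header injection attempt via the address fails here.
    if not EMAIL_RE.match(cleaned.get("email", "")):
        return False, {}, "malformed email"
    if not cleaned.get("message"):
        return False, {}, "empty message"
    cleaned.pop(HONEYPOT_FIELD, None)   # control fields never reach the mailer
    cleaned.pop("answer", None)
    return True, cleaned, "ok"

def log_line(remote_ip, post, accepted, reason):
    """One legible log line per submission, so the patterns become visible."""
    unexpected = sorted(set(post) - ALLOWED_FIELDS)
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"{stamp} ip={remote_ip} accepted={accepted} reason={reason} "
            f"fields={sorted(post)} unexpected={unexpected}")

if __name__ == "__main__":
    # Constructed submissions: one human, one bot that filled every field.
    human = {"name": "Ann", "email": "ann@example.com", "message": "Hello",
             "answer": "Eight", "website": ""}
    bot = {"name": "x", "email": "x@example.com", "message": "buy now",
           "answer": "8", "website": "http://spam.example", "url": "http://spam.example"}
    for ip, post in (("203.0.113.5", human), ("198.51.100.7", bot)):
        ok, fields, why = validate_submission(post)
        print(log_line(ip, post, ok, why))
```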