A way to prevent off-site form submissions?

you can do this by testing the HTTP_REFERER and REQUEST_METHOD server variables and returning a 403 Forbidden status code response if you don't like what you see.

Block unauthorized form posts:
http://www.webmasterworld.com/forum92/1147.htm#msg1521479 [webmasterworld.com]

HTTP Referrers are unreliable; They can be spoofed, and they can be suppressed by caching proxies used in corporate and ISP networks. Therefore, the Referer header will be missing a good deal of the time, leaving you with insufficient information to make a decision. Further, a submission 'bot could copy one of your valid page URLs and use it to spoof a valid referrer.

As with anti-hotlinking, a better method is to set a cookie on an "authorizing" page --say the one with the form on it-- and then check that cookie before actually accepting the form submission. Further, it would be advisable to check that the visitor's browser is configured to accept cookies prior to presenting the form, and if not, inform him/her that a acceptance of a short-lived or session cookie is required.

Then if a form is submitted with no cookie, you can simply pretend to accept it, and discard the submission.

Cookies can be checked using mod_rewrite or server-side scripting on any Apache version. Cookies can be set using mod_rewrite on Apache 2 or later, or with a script on any Apache version.

Jim

Thank you both very much, that was extremely helpful.