I guess one more way of preventing hackers from posting attachments using their own forms in your server would be by checking the "HTTP_Referer" field in the WQS. Unless you need to have an attachment control in you home page (so HTTP_Referer not yet set) you can check that the HTTP_Referer is your domain in order to allow attachments (or even the submission of the form). If it is not your domain then you can set the SaveOptions field to prevent the form from saving. I have not tested this but in theory should work :-)
Jake and Peter,
I guess one more way of preventing hackers from posting attachments using their own forms in your server would be by checking the "HTTP_Referer" field in the WQS. Unless you need to have an attachment control in you home page (so HTTP_Referer not yet set) you can check that the HTTP_Referer is your domain in order to allow attachments (or even the submission of the form). If it is not your domain then you can set the SaveOptions field to prevent the form from saving. I have not tested this but in theory should work :-)