I have a ASP .Net 2.0 Composite Control that I created at work. It is a simple control used to gather information like name, address, email, phone. We host this form on several different pages throughout our domain. We want to track how much traffic each form gets, so I get the domain from Context.Request.UrlReferrer.Host, and I get the page from Context.Request.UrlReferrer.AbsolutePath. With this information we can track exactly how much traffic each form gets. We noticed today that we have some info in our database that came from one of these forms, but the domain and page are ones we've never heard of before (I know its from code executed on this form because we insert a certain 'created by' parameter for that row in the database). I'm trying to figure out how this is possible? Is it possible for a bot or something to fill out the info on the page, and somehow trick it to think its being referred from a different page? Or is someone actually able to host this form on their site? I'm not a security guru by any means, but both of these seem very unlikely. Does anyone know how something like this might be done? Note: The dll for the control is kept in the /bin folder of our site, not the GAC, if that matters at all. Thanks, Geo

Bots can edit what their referral is and it is very possible the form can be hosted elsewhere.