We were trying to avoid the use of a captcha; originally believing that our API infrastructure was the target. A captcha did end up being the solution, but is not particularly user friendly, and I was also trying to avoid pulling developers out of bed on Christmas to implement - but we're protected now!