That bit of code you presented only prevents them from calling the forms via the GET method. It sounds like maybe they have created a form that manipulates the REFERER variable and allows for submissions. There really isn't an easy way to fix this, but it's been requested to have some sort of timer on posting, so this is something I've been trying to figure out how to work out.
Right now it's necessary to ban the IP. This feature should work, but it might be necessary to upgrade.
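One way to build a posting timer that does not depend on the Referer header, as an added example that is not part of the original post or the software's own code: the server signs the form's render time into a hidden field and also enforces a per-IP interval. The function names, the secret and the three time limits are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret kept server-side
MIN_FILL_SECONDS = 3              # assumption: minimum time between render and submit
MAX_TOKEN_AGE = 3600              # assumption: a rendered form is valid for one hour
POST_INTERVAL = 30                # assumption: one accepted post per IP per 30 s

_last_post = {}                   # ip -> time of last accepted post (in-memory demo store)


def _sign(ip, issued):
    # Bind the timestamp to the client IP so a token cannot be shared between hosts.
    msg = f"{ip}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(ip, now=None):
    """Value for a hidden form field, generated when the form is rendered."""
    issued = int(time.time() if now is None else now)
    return f"{issued}:{_sign(ip, issued)}"


def check_post(ip, method, token, now=None):
    """Return (accepted, reason). The Referer header is deliberately not consulted."""
    now = int(time.time() if now is None else now)
    if method != "POST":
        return False, "method"
    try:
        issued_s, sig = token.split(":", 1)
        issued = int(issued_s)
    except (AttributeError, ValueError):
        return False, "token"
    if not hmac.compare_digest(sig.encode(), _sign(ip, issued).encode()):
        return False, "token"
    age = now - issued
    if age < MIN_FILL_SECONDS:
        return False, "too-fast"   # submitted faster than the form could be filled in
    if age > MAX_TOKEN_AGE:
        return False, "expired"
    last = _last_post.get(ip)
    if last is not None and now - last < POST_INTERVAL:
        return False, "flood"      # per-IP posting timer
    _last_post[ip] = now
    return True, "ok"
```

A token stays usable until it expires, so the per-IP interval is what limits repeat submissions; a real deployment would keep `_last_post` in shared storage rather than process memory.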