On a client site we kept getting the following message where it appeared a client could somehow directly access the captcha URL without posting any *required* data:
URL: http://www.domain.com/captcha/refresh/ IP Address: 18.104.22.168 Time: 2013-04-17 08:19:56 GMT Error: formId is mandatory
A quick edit of /app/code/core/Mage/Captcha/controllers/RefreshController.php, adding a check on the posted value "formId" just after line 44, should prevent the error:
if (empty($formId)) return false;
Now any direct query to /captcha/refresh/ will not generate an error e-mail.