But if a session id is provided ala php (done some php programming myself) all you have to do is enter the code once on the first download, then setup your bot, and viola - tons of bogus downloads. Once the session id is provided it remains until it's scheduled to time out or as long as the bot stays online generating hits.
So you either have to ask for anti bot verification every time, or at random intervals, but the intervals have to be short enough that they become annoying to the average user or a bot could very easily generate hundreds of phony downloads before it is stopped.