Ah spam bots, how I loathe thee. Yesterday we had an attack of spam bots hitting “POST /wp-comments-post.php” which doesn’t exist.
It doesn’t exist on our WP install as we renamed it (not that it is hard for the spam bots to grok the HTML and start using the new name).
In its place we have a redirect of /wp-comments-post.php to http://localhost, to try to do the LEAST possible work on our servers to deal with these beasts.
The attack was distributed with no repeat IP addresses, so we couldn’t ban the sucker.
The strange similarity on all requests was the user agent:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)
That has me wondering if the Maxthon IE extension has anything naughty/corrupted in it, or if the spammers just put that in as the user agent.