A shady botnet was trying to crawl all of the /engageClick URLs (used for the random thumbnails). But they're randomly generated and never end, so it ends up looping and hammering the AJAX endpoint 10 times a second. Not enough to be a DDoS, but it was >100k different IP addresses from third-world mobile providers and it ran the analytics to the moon, which is annoying to look at. I figured out a filtering method that works for now.
This is hot on the heels of a bot successfully posting a comment here for the first time in many years (it spammed a bunch of quote-escape attempts). The JavaScript post system filters out most bots, but there's a growing trend of using headless browsers that execute JavaScript. This is especially stupid when kiddies dump a huge list of injection attacks into their bot, not realizing that half of them are JavaScript injections that then execute on their own client, so they end up posting "1" thousands of times. You now get auto-banned if you post 1, so don't do that.