I have next to zero experience in this, but completely agree. Literally 'my first website' I made when I was a kid that had a very basic guestbook that I put together in php (actually it may have even been perl)/mysql got hit with random spam. Everything was something completely custom that I had made and not some package that may have had a common vulnerability - so there was and must still be stuff crawling the web looking for any kind of form to push junk into. In this case it was clearly trying to do some spam 'SEO'/keyword stuffing, because the page would display the static text (I was smart enough to filter out HTML though)...
