We're now seeing the same spam coming directly from the API (we have no contact form on the site). If this helps with filtering at all, the spam contains a bit.ly URL which resolves to Ali Express clickbait. It would be good for Shopify to close this API so it's not public, as this feels like a clear vector for spam, and instead employ keys for genuine account developers (who are Shopify subscribers) to pass and secure this hole. I'm interested to know what steps Shopify are taking to secure this.
... View more