Include the code below in your settings.php file. This will replace the paths on your site that contain "user" with "users". This prevented the spam for me.
function custom_url_rewrite_outbound(&$path, &$options, $original_path) {
if (preg_match('|^admin(?![^/])(.*)|', $path, $matches)) {
$path = 'user'. $matches[1];
}
}
function custom_url_rewrite_inbound(&$result, $path, $path_language) {
if (preg_match('|^backend(?![^/])(.*)|', $path, $matches)) {
$result = 'users'. $matches[1];
}
if (preg_match('|^admin(?![^/])(.*)|', $path, $matches)) {
$result = '404'. $matches[1];
}
}