I have done some more logging (because POSTs are not logged as standard) and all the reads of signup.php are followed by a POST and then by an attempt later to login to the account that might have been created. The signups fail because we have one extra question which is mandatory but does not have a default answer. (It's a medical site and we need to know doctor, nurse, care worker, etc.)
I have added a JavaScript line to send any genuine users to a differently named handler (for signup and login). The standard handler now just replies "INVALID" if it gets a POST. Hopefully two hurdles will keep them at bay (until they start running JavaScript).
Since we get users from all over the world, I cannot do any geographic or email restrictions. The email addresses they use look genuine as well.
Anyone know what happens if they get into an account?
Peter