I'm getting the same basic signature that Bradleyhu posted with lots of randomish gibberish words. It all started about 24 hours ago.
I've pored through my server logs and every time the IP address comes in directly with an HTTP POST to wp-comments-post.php.
18.104.22.168 - - [17/Mar/2011:15:49:39 -0700] "POST /blog/wp-comments-post.php HTTP/1.1" 302 854 "http://www.foobert.com/blog/2009/09/09/oshkosh-trip-day-7?replytocom=5147" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Of particular note is that they are getting HTTP status code 302, and not 200 as I'd expect.
They are not human posts since they are never accessing the page to fetch the captcha image. Thus, unless it's some massive distributed bot that's sharing session context between clients (highly unlikely), there is a vulnerability in the si-captcha that is being exploited.
I'm getting hits at a rate of 1-2 times per hour, so I may try to capture some packet traces to see if I can figure out what they are actually submitting.
Anyone interested in the packet log?
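
The log check described in the post above (comment POSTs from clients that never requested the CAPTCHA image) can be automated. This is an added example, not part of the original post; the CAPTCHA image path, the `captcha` marker substring and the sample log lines are constructed assumptions, so set the marker to whatever your plugin's image URL contains.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
COMMENT_ENDPOINT = "wp-comments-post.php"
CAPTCHA_MARKER = "captcha"  # assumption: substring of the CAPTCHA image URL

def blind_comment_posts(lines, captcha_marker=CAPTCHA_MARKER):
    """Return {ip: [(timestamp, status), ...]} for comment POSTs made by
    clients that had not requested the CAPTCHA image earlier in the log.
    Keyed on source IP only, so clients behind a shared NAT are merged."""
    fetched_captcha = set()
    suspects = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ip, method, path = m["ip"], m["method"], m["path"]
        if method == "GET" and captcha_marker in path.lower():
            fetched_captcha.add(ip)
        elif method == "POST" and path.split("?", 1)[0].endswith(COMMENT_ENDPOINT):
            if ip not in fetched_captcha:
                suspects[ip].append((m["ts"], int(m["status"])))
    return dict(suspects)

# Constructed sample log: documentation IPs, hypothetical CAPTCHA image path.
UA = '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"'
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Mar/2011:15:40:01 -0700] "GET /blog/2009/09/09/oshkosh-trip-day-7 HTTP/1.1" 200 9120 ' + UA,
    '192.0.2.10 - - [17/Mar/2011:15:40:02 -0700] "GET /blog/captcha-image.php?sid=1 HTTP/1.1" 200 2310 ' + UA,
    '192.0.2.10 - - [17/Mar/2011:15:41:30 -0700] "POST /blog/wp-comments-post.php HTTP/1.1" 302 854 ' + UA,
    '198.51.100.7 - - [17/Mar/2011:15:49:39 -0700] "POST /blog/wp-comments-post.php HTTP/1.1" 302 854 ' + UA,
    '198.51.100.7 - - [17/Mar/2011:16:31:12 -0700] "POST /blog/wp-comments-post.php HTTP/1.1" 302 854 ' + UA,
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, hits in blind_comment_posts(SAMPLE_LOG).items():
        print(ip, len(hits), "POSTs with no prior CAPTCHA fetch:", hits)
```

Feed it the access log in chronological order, e.g. `blind_comment_posts(open("access.log"))`, including rotated files if the image fetch could predate the current one.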