I totally forgot to mention, this thing sends probes using a web browser user agent (Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0) and an ActivityPub content type (application/activity+json). This will never be done by a legitimate instance, and is another way to reliably detect malicious requests.
