Hey @Carcraftz! We had a similar issue, and we resolved it with Cloudflare.
First, in Glitch, log the request headers and IPs. Then you can block those in Cloudflare settings. However, you will need to force people to go through your Cloudflare domain. This is how we did it:
(note: you will need a custom domain, and you will need to get Cloudflare workers, which is $5/month.
- add something random to the Glitch app name so people can’t guess it
- get a Glitch staff to remove all custom domains from that project
- create a fly.io app and add the Glitch app as a backend. Point the custom domain to the fly.io app.
- create a Cloudflare worker to add a http request header to all requests. The value should be something long and unguessable.
- In the fly.io backend settings, make it check for that header. That way, if the header is not present (the request is not from Cloudflare), they will not reach the Glitch app
- In Cloudflare, block the IPs and/or user agents (if the user agent is a non-browser agent, such as python-requests or curl)
This should force all requests to go through Cloudflare, and you can then block the spam.
Hopefully this helps 
- Advaith