400, Bad Request errors since upgrading to v4.20

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
4 years ago
Been getting a lot of Bad Request errors in my log since upgrading. For example, from the login page. But it's not all the time. I can log in/log out repeatedly and not see this error. But each day I look at my log I'll see 20 or 30 of them. Also, it's not always the login page. Sometimes it's one of my blog pages that will be listed as the PageURL.

Any ideas? (example below)

Log level: Error
Short message: Error 400. Bad request
Full message:
IP address: 134.119.216.167
Customer: Guest
Page URL: http://www.roadlessgear.com/login
Referrer URL: http://www.roadlessgear.com
Created on: 2/21/2020 8:55:07 AM
4 years ago
Any Full error message?
4 years ago
No.   The text above is the complete information displayed in nopCommerce error log.
4 years ago
Looking at each one, the error seems to always be one of three pages.   The login page (per my original message) or one of two different blog pages.

What is odd is that these are really old blog posts from back in 2012.  So it's not like customers are hitting those pages on a regular basis.   I'd be shocked to learn that ANYBODY is actually visiting those pages today.   Much less, several times a day.

And I can visit those pages and it does not generate an error log entry when I do.  Just like I can login without generating any errors.
4 years ago
I bet it's a bot trying to create an account to leave comment spam in your blog:
https://www.projecthoneypot.org/ip_134.119.216.167
4 years ago
I suspected as much. But why the 400 error? Shouldn't a bot just fail the login check like anybody else with the wrong password?
4 years ago
They're sending in form data that NopCommerce doesn't handle; it's a malformed request from the client.
3 years ago
The problem also started on our website after upgrading to 4.20 and continues on 4.30. This has occurred for Web Admins, so I don't believe it's always a random bot. Each of the errors always contains the %2F value in the login URL, e.g. /login?returnUrl=%2F or /login?returnUrl=%2Fdsg-arms
So my question or concern: is it supposed to have the / %2F value prefix on the returnUrl?
I plan to open a support case with NopCommerce team as I'm getting hundreds of these and I'm sure they are impacting my customers in some capacity.
3 years ago
It could be guests/bots trying to access your Admin and getting redirected to the login page because they're unauthorized, though I'm not sure if that would trigger a 400 before the redirect, but there is a setting to restrict the Admin to an IP (if the local IP for the business is static).

Also a few threads to check regarding the %2f:

ACL for guests: https://www.nopcommerce.com/en/boards/topic/40348/on-every-click-on-page-first-ask-to-login

permissions? https://www.nopcommerce.com/en/boards/topic/13927/homepage-redirect-me-to-loginreturnurl2f-error

authentication? https://www.nopcommerce.com/en/boards/topic/57466/redirect-to-loginreturnurl-2f
3 years ago
Hi there,
We are using version 4.2 and are also getting these errors.
It's not a bot trying to log in, as we can replicate it when we try to log in.

After entering username and password to log into the site, the page doesn't load and we get the error:

Error 400. Bad request
https://www.website/login?returnurl=%2Fcart
Referrer URL
https://www.website.co.uk/

This will affect customers.

If you refresh the login page and re-enter your details then it lets you log in, but customers will probably not do this...
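
The thread's two explanations (one automated client hitting the login and old blog pages, versus real users landing on /login?returnUrl=%2F...) can be told apart by grouping the logged 400s by IP address and decoding the returnUrl value. The following is an added example, not part of any post above and not nopCommerce code; the "Label: value" export format, the sample entries and the `min_hits` threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample entries (documentation IPs and example.com, not real log data).
SAMPLE = """\
IP address: 192.0.2.10
Customer: Guest
Page URL: http://www.example.com/login

IP address: 192.0.2.10
Customer: Guest
Page URL: http://www.example.com/blog/old-post-2012

IP address: 192.0.2.10
Customer: Guest
Page URL: http://www.example.com/login

IP address: 198.51.100.7
Customer: customer@example.com
Page URL: https://www.example.com/login?returnUrl=%2Fcart
"""

def parse_entries(text):
    """Blank-line separated entries of 'Label: value' lines -> list of dicts."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [dict(l.split(": ", 1) for l in b.splitlines() if ": " in l) for b in blocks]

def return_url(page_url):
    """Decoded returnUrl query parameter (any letter case), or None if absent."""
    for key, values in parse_qs(urlsplit(page_url).query).items():
        if key.lower() == "returnurl":
            return values[0]  # parse_qs already turned %2F back into '/'
    return None

def triage(entries, min_hits=3):
    """Per-IP summary; 'likely_automated' is a heuristic (guest-only, repeated hits)."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["IP address"]].append(e)
    report = {}
    for ip, hits in by_ip.items():
        urls = [h["Page URL"] for h in hits]
        guests_only = all(h.get("Customer") == "Guest" for h in hits)
        report[ip] = {"hits": len(hits),
                      "pages": sorted({urlsplit(u).path for u in urls}),
                      "return_urls": sorted({return_url(u) for u in urls} - {None}),
                      "likely_automated": guests_only and len(hits) >= min_hits}
    return report
```

In the decoded output `%2F` is simply the URL-encoded `/`, so `returnUrl=%2Fcart` is the local path `/cart`.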