Spam on webform attachments

Google sent an automated warning that civicrm.org was having spam content. (notification forwarded by @josh)

Example URL:

http://civicrm.org/sites/civicrm.org/files/webform/%D0%94%D0%BE%D0%BC%202.%20Lite.%20%D0%A0%D0%B5%D0%B0%D0%BB%D0%B8%D1%82%D0%B8-%D1%88%D0%BE%D1%83%2019%2005%202017-9828900-49.html

Seems to be via this form:

https://civicrm.org/civicon/st-louis-2017/submit-session

(according to the server logs, since it's still being spam lived)

$ ls -la -- *.html | wc -l
21924