Well, to expound a bit further, what the bots are looking for is the ability to create a link anywhere on the WWW they can put one. If your Notes section can be used to create a link, you'll want to have some control over who does this and why.
And, to try and answer this:
It's just your basic HTML form with a textarea area. That would not permit HTML, would it?
We may have stumbled onto the answer to your question. No, it's not an SQL injection attack. Yes, apparently, it's simply an HTML-injection attack, as near as I can guess.