I’ve blocked access to xmlrpc, and removed most everything that is generated in wp_head. However, I’m still getting notifications in the admin about comments being posted on posts even when there is no form on that page. How is this possible?

I’m thinking that this below would work:

```php
// Remove comment support
add_action( 'init', function() {
    remove_post_type_support( 'page', 'comments' );
    remove_post_type_support( 'post', 'comments' );
} );

// Close open comments
add_filter( 'comments_open', function( $open, $post_id ) {
    $post = get_post( $post_id );
    // get_post() returns null when the post does not exist
    if ( $post && ( 'page' === $post->post_type || 'post' === $post->post_type ) ) {
        $open = false;
    }
    return $open;
}, 10, 2 );
```

However, whether the above works or not, I’m still wondering how someone or a spam bot is able to post a comment when there is no form or anything on the page.

2 Answers

The visual representation of a comment form (or lack of it) does not have any impact on the ability to receive comments, and spammers usually don’t care at all what is in your form. WordPress has a well-publicized endpoint to which all comments are sent (though I don’t remember the details off the top of my head right now), and spammers can post to that endpoint with enough details to make a proper comment, without even loading the post they are commenting on.

One of the easy antispam steps against lazy spammers is to add a hidden field to the comment form and discard every comment which is submitted without it.
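
The hidden-field check from the answer above, as an added example that is not part of the original answer. It assumes the theme renders its form with `comment_form()`; the field name and the `wpse_` function names are hypothetical.

```php
<?php
// Added example, not code from the original answer.
// WPSE_TOKEN_FIELD and wpse_comment_token() are hypothetical names.
const WPSE_TOKEN_FIELD = 'wpse_comment_token';

// Token bound to the post ID and the site's secret salts, so a value
// copied from one post's form is not valid for another post.
function wpse_comment_token( $post_id ) {
    return wp_hash( 'comment-token|' . (int) $post_id );
}

// Print the hidden field inside the <form> that comment_form() renders.
add_action( 'comment_form', function ( $post_id ) {
    printf(
        '<input type="hidden" name="%s" value="%s" />',
        esc_attr( WPSE_TOKEN_FIELD ),
        esc_attr( wpse_comment_token( $post_id ) )
    );
} );

// Fires while core handles a submission to wp-comments-post.php,
// before the comment is stored. Requests that never loaded the form
// arrive without the field and are rejected here.
add_action( 'pre_comment_on_post', function ( $comment_post_id ) {
    $sent = '';
    if ( isset( $_POST[ WPSE_TOKEN_FIELD ] ) && is_string( $_POST[ WPSE_TOKEN_FIELD ] ) ) {
        $sent = wp_unslash( $_POST[ WPSE_TOKEN_FIELD ] );
    }

    // Constant-time comparison of the expected and submitted token.
    if ( ! hash_equals( wpse_comment_token( $comment_post_id ), $sent ) ) {
        wp_die(
            'Comment rejected.',
            'Comment rejected',
            array( 'response' => 403 )
        );
    }
} );
```

The token is the same on every load of a given post, so this stops only submitters that never fetch the form. It applies to form submissions only, not to other comment sources such as trackbacks.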
