Ok, I have comment moderation but I don't want to waste time deleting crap comments. So I need to do something different to combat it. My assumptions are: most comment spam is automated; the spammers have specific applications that understand common weblog software characteristics; they find pages to spam through Google. Given the first and secons assumptions, I can prevent automated spam by changing the posting url. But in case their tools are configurable on a site by site basis, I need change the url according to some algorithm, such as the current time. So instead of posting to a url like: wordpress/wp-comments-post.php I'll make my forms point to wordpress/wp-comments-post.php/1096063037. I can then check that the post was submitted within a given timeslot.

So, I've made the following change (in green) to my wp-comments.php file:

<form action="<?php echo get_settings('siteurl'); ?>/wp-comments-post.php/<?php _e( time() )?>" method="post" id="commentform">

Then, to validate the time I've added the following to my wp-comments-post.php file:

<?php
require( dirname(__FILE__) . '/wp-config.php' );
if (! empty($_SERVER[‘PATH_INFO’]) && preg_match("!^/([0-9]+)$!", $_SERVER[‘PATH_INFO’], $timeslot_matches) ) {
$timeslot_start = $timeslot_matches[1];
$current_time = time();
if  ($current_time < $timeslot_start || $current_time - $timeslot_start > 3600) { // choose a number of seconds 3600 ==  1 hour
die( __(‘Error: Posting timeslot has expired. ’  ) );
}
}
else {
die( __(‘Error: No timeslot specified.’) );
}
function add_magic_quotes($array) {

So, the form only works within one hour of loading the comments page. It won't defeat a human spammer, but might reduce the amount of automated spam I get. Let's see...