The comments module does not have any form of spam protection currently.
This is no longer a nice to have feature but an absolute must.
There are three possible protection scenarios:
1. make sure that the form is submitted from the current page/session.
2. add simple captcha/tripwires/etc to make sure that a human is posting it
3. filter submitted messages through a spam filter
Not all three strategies need to be deployed. For example, I don't like to fill in captchas, as they get in the
way of adding content to a site. So I prefer other means of protection against machines.
For (1) we can make a crsf protection by mixing some id into the postback message.
For (2) we can have a combined strategy of tripwires (for example false non-user-viewable input elements
that mimic a wordpress comment form) and maye a simple captcha implementation (note that quite a lot of
captchas are already broken, so this only gives limited protection).
For (3) we can add rules and maybe a hook to a service like Akismet.
See also http://codex.wordpress.org/Combating_Comment_Spam
Commented on Google Code by *profile.url***
Arjan, my vote is for a non-captcha implementation. Something with CSRF and Akismet would probably work
well. But I would also like to have the option to moderate comments via the admin.
Commented on Google Code by *d...@mac.com***
See also #967