It seems to me that in the coming years, this kind of approach is going to be the only one that can work in any sensible kind of a way.

The problem is that this works well for services where you expect a certain set of things to be the case, but in the comments, you will expect a set of workstation hosts, and a very small number of server machines (eg. proxies).

It is perhaps worth applying something like bayesian spam analysis or markov chain analysis to decide on the validity of the comment for you, and set a threshold. This would, of course, mean a corpus of spam comments and a corpus of real comments is needed, and that you need to disable your temporary measures, and just delete the comments.

Either that, or, for the moment screen everything before it appears, and file it for your training. The whole thing is a problem, and distrusting people until proven otherwise, however unsavoury this may be in many ways, is probably the only way forward.

I have seen a couple of other ideas to limit spamming, though I suspect they all to some extent fall into the cripple-ourselves category:

1. Greylisting, which my university uses for email spam. Except that relies on “real” mailservers resending messages after ten minutes, which human posters don’t do but spambots could easily do, so really, it’s out.

2. Things like TypeKey or Blogger, where commenters can only leave their URL when they’re already registered in the Blogger or TypeKey databases. Obviously it’s a disadvantage to have to register like that – unless you happen to already have an account, as I found I did when I first tried to comment to a Blogger blog. Blogger blogs let non-registered commenters post as anonymous which is OK. But then again the only URL they seem to allow from comments is the one from the comment to the commenter’s Blogger profile, if it exists, and from there there’s a link to their homepage, so it’s not good enough.
3. PGP signatures required for comments (suggested in Feb, more comments more recently, and there’s a Movable Type plugin for it, it seems) – I like the idea of PGP but have never bothered to get myself a code or whatever it is you get, and assume most people are like me. So it would be likely to limit comments like TypeKey, Blogger and other authentication systems, which would suck.

I sure know I’m sick to death of spam. Currently, every time I look at my blog it’s full of spam that has to be deleted. Sure it only takes five minutes with MT-Blacklist but that’s five minutes too much.

In the meantime, I hope it helps for us to at least be aware that blacklisting and registrations schemes of various sorts, even if they seem the only tenable, immediate option, are chipping away at an originally uncensored and free forum for communication – they aren’t just an inconvenience for blog admins. I know that I’ve missed legitimate emails and have restricted other people’s access to my email address because of a deluge of email spam; I really hope comment spam doesn’t end up explicitly or implicitly shutting down blogs as a channel for speech and discussion.