However, based on a “behavior log” that I added, I’m also convinced that some of the spams are not from bots. Here’s why.

I logged (in the past 8 hours) 8 additional spam comments and two legitimate comments. Removing those from the log and I see four comments that were made without clicking the checkbox (could be bot behavior, or users that didn’t read the screen). I logged 7 calls that went direct to the comment page, meaning they didn’t attempt to read the content, they just tried to post a comment. Those are either bots or humans following a script. In any case, those comments were automatically rejected via a method that I won’t reveal at this time. Your comment about the time stamp value is certainly valid; see below for details.

The 8 comments that went through and were caught by Askimet were posted at:

Successful comment processed on 2006-11-22 03:37:16
Successful comment processed on 2006-11-22 03:38:07
Successful comment processed on 2006-11-22 04:48:36
Successful comment processed on 2006-11-22 04:48:54
Successful comment processed on 2006-11-22 06:21:55
Successful comment processed on 2006-11-22 06:22:18
Successful comment processed on 2006-11-22 07:28:45
Successful comment processed on 2006-11-22 07:29:04

The two comments that you (damnian) posted were:

Successful comment processed on 2006-11-22 07:38:16
Successful comment processed on 2006-11-22 07:41:59

First, notice that the spam comments came in pairs? So did yours. Next, notice the time differential between the two comments? They are 51, 18, 23, and 19 seconds for the first 8, and 3:43 for the two valid comments that you made. The trick here is that you can’t identify the first comment as spam until the second one is made, rigtht? So if they change user accounts or anything else between the two comments (I have not researched that yet) it would be tough to identify them as spammers.

I am more hopeful than I was last night. I blocked 7 spam comments straight out; no question they were spam. Of the 10 comments that were made, 8 were blocked correctly by Askimet and the other two were real. And there were 6 comments made that were either bots (I hope) or by users not smart enough to click the checkbox; I can live with that.

I have added more details to the log I am capturing, it will be interesting to analyze the patterns over time.

Another option you as a WordPress user have is to limit comments to registered users. Similar to phpBB, but a real turnoff for legitimate to-be commenters.

So what does this tell me?

It says that there is either a hole in Wordpress (hope not) or there is a problem with my code (don’t think so, it’s really quite simple) or the spammers are actually human, and capable of handling different screens. I have to say, I really hope it’s not humans. What a sad lot in life they must have, spamming blog after blog and feeling the karma of the universe bearing down on them.

It also suggests to me that it’s not really worth trying to set up some sort of graphical CAPTCHA as the humans would likely get through that as well. Next step? Maybe a bit more devious control, in case the bot is smart enough to capture and react to a simple checkbox on the form. But that’s a project for another night.