Okay, I think I've collected my thoughts here. Meanwhile, the comment code is back to where it was a few days ago - nobody will be blocked, including the spammers. I've now got three options for how to proceed, and I'd like everyone's opinion as to what might work best.
- Whitelisting/Moderation - I could automatically allow comments with URLs I recognize, since it's generally the same half dozen people commenting here. The ones that don't comment with URLs wouldn't get the benefit of whitelisting, but wouldn't be automatically blocked. And if the spammers used a whitelisted URL, they'd really lose the benefit of having their link on my blog, so what's the point? Comments not whitelisted would be flagged, and I'd have to approve them manually before they'd show up. This is a pain, 'cause I'd need to add a row to the comments table in my database, and write up a new admin screen for myself.
- Stupid Questions - This is like I said before. "What color is the sky?", "What is one plus four?", "Type the letter z three times", et cetera. The downside is that it's annoying for the user.
- Unique Key - This was something I thought up - a variant on the failed fix I tried yesterday. Yesterday's fix involved session variables, which expire quickly. What if for each comment form served, I create a 10-digit unique key and store it in the database, then require a valid key for each comment? Once a key is used, it's deleted, as are any keys more than 2-3 hours old. The intent of this is to prevent bots from submitting to my PHP script directly without using the form. The downside is that it's a lot of work and creates overhead on the server. That's probably why it's my least favorite of the three.
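
The Unique Key option, sketched as an added example (not code from this blog, and written in Python with an in-memory SQLite table rather than the blog's PHP and database). The table name `form_keys`, the function names and the 3-hour cutoff are assumptions chosen for illustration.

```python
import secrets
import sqlite3
import time

KEY_TTL_SECONDS = 3 * 60 * 60  # assumption: upper end of the post's "2-3 hours"


def open_store():
    """In-memory stand-in for the blog's database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE form_keys (key TEXT PRIMARY KEY, issued_at INTEGER NOT NULL)"
    )
    return db


def issue_key(db, now=None):
    """Run when the comment form is served; the key goes into a hidden field."""
    now = int(time.time()) if now is None else now
    while True:
        # 10 digits as in the post, drawn from the OS CSPRNG so that a key
        # cannot be predicted from earlier ones.
        key = "".join(secrets.choice("0123456789") for _ in range(10))
        cur = db.execute(
            "INSERT OR IGNORE INTO form_keys (key, issued_at) VALUES (?, ?)",
            (key, now),
        )
        if cur.rowcount == 1:  # 0 means a collision with a live key: retry
            db.commit()
            return key


def redeem_key(db, key, now=None):
    """Run by the comment handler; True only for a live, unused key."""
    now = int(time.time()) if now is None else now
    # Purge anything older than the cutoff before checking.
    db.execute(
        "DELETE FROM form_keys WHERE issued_at < ?", (now - KEY_TTL_SECONDS,)
    )
    # Check and consume in a single DELETE: if the same key is submitted
    # twice, only the first call sees rowcount == 1, so it cannot be replayed.
    cur = db.execute("DELETE FROM form_keys WHERE key = ?", (key,))
    db.commit()
    return cur.rowcount == 1
```

This rejects submissions sent straight to the script without a served form; a client that requests the form first still receives a valid key.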
So which solution do you think is best? Comments work now, so do tell.