I noticed last night that most entries here were still set for ‘registered_only’ commenting, so I updated everything to ‘open’. Sure enough I look here this morning and I’ve been spammed once again. I made a silly mistake in the patch I produced a month ago. A regex compare of a blank string against another string always matches resulting in a blank validation code always working. Since the spammers aren’t even sending the code, they’re posts worked fine. It’s fixed now.