All this worked pretty well, until about six weeks ago. A spam attack started that was much more aggressive than normal. Defensio still caught about 95% of the hundreds of spam comments and posts that appeared every day, but that still left quite a few that made it through the filter.

Spambots were creating new accounts on the site at the rate of 500 a day or more. There were hundreds o spam posts per day, and enough would get through to require me to check the front page of the site a couple of times a day. I started searching the Drupal forums for tips on fighting this plague.

Finally I found a Drupal module called spamicide, which prevents automated account creation by tricking the bots to act differently than humans - sort of like captcha tries to do. So far, this has been the most effective spam prevention module I've seen yet. In the few days it's been in place, it's prevented hundreds of new accounts from being created, and spam posts have dropped to zero.

After spamicide blocked the creation of new spam accounts, I cleaned up the user table to remove all the old accounts. This is necessary because the bots apparently remember all the old account names and use whichever ones are still active. Once I got them all, there has been no new spam.

Spammers might eventually adjust their software to get around this approach, but the Spamicide module is being actively maintained, and it looks like they may make close some loopholes in the near future.

If spam is a problem for your Drupal site, I would suggest trying spamicide!