Well, I thought of something that *should* work but for reasons I can’t quite make out, won’t.
Since we’re dealing with automated processes here, one easy fix is to rename the comments script so the bots can’t just insert that into the URL and spam you. Works great, except if people want to preview their comments. For some reason, the preview button is hard-coded to call “mt-comments.cgi” no matter what you have in mt.cfg or even in ConfigMgr.pm.
So I have had to re-enable the mt-comments.cgi script and _voila_, I have comment spam again.