How spamers avoid comment form!?

It is not comment spam, but trackback spam. Use the search engine and you will know what to do.

Does that mean that wp has security hole allowing spammers to post without using the comment form?

It’s not a security hole. It’s a trackback. That’s supposed to be there.

Captchas don’t stop spam, and not all spam comes through a “form”. There’s three entirely different ways to post “things that kinda look like comments” on WordPress, and they’re all supposed to be there. Two of them are specifically for automated systems.

https://www.homelandstupidity.us/software/bad-behavior/
https://akismet.com/

Install and use these plugins. Poof!
Spam? Gone.
Captcha? Unnecessary.

Sorry I did not mentioned that I’m using “Trackback validator”. It is very good on stopping trackback comments.
Of course I know Akismet and Spam Karma 2. I used them before installing TruBar.

So-o-o… The investigation developed and I got some results.
This topic is not about using or not using captha.
It is not about which plugin to use for stopping SPAM.
It is about weakness in WordPress, allowing spammers to avoid the comment form.

Yes, in my case the comment form, which POST the comment was bypassed.
I found it out when a comment was inserted without generating image (generated security images in TruBar are recorded in the DB).

After I discovered that, I did some research in the Internet and found this code:

if(!isset($_SERVER['HTTP_USER_AGENT'])){
die("Forbidden - This page is for normal browsers only");
exit;
}
if(!$_SERVER['REQUEST_METHOD'] == "POST"){
wp_die("Forbidden - You can post from my form only!");
exit;
}
// Host names from where the form is authorized
// to be posted from:
$authHosts = array("yourdomain.com", "yourotherdomain");
// Where have we been posted from?
$fromArray = parse_url(strtolower($_SERVER['HTTP_REFERER']));
// Test to see if the $fromArray used www to get here.
$wwwUsed = strpos($fromArray['host'], "www.");
// Make sure the form was posted from an approved host name.
if(!in_array(($wwwUsed === false ? $fromArray['host'] : substr(stristr($fromArray['host'], '.'), 1)), $authHosts)){
wp_die("Forbidden - No, No, No!");
exit;
}
// Attempt to defend against header injections:
$badStrings = array(
"spamword1",
"spamword2",
"spamword3");
// Loop through each POST'ed value and test if it contains
// one of the $badStrings:
foreach($_POST as $k => $v){
foreach($badStrings as $v2){
if(strpos($v, $v2) !== false){
wp_die("Forbidden - You have used BAD SPAM words! Clean your language and come back again.");
exit;
}
}
}
// free up used memory
unset($k, $v, $v2, $badStrings, $authHosts, $fromArray, $wwwUsed);

After I inserted it in wp-comments-post.php the “clever spam” stopped ??

Next step is to make TruBar intelligent enough to know on which comment to appear ??

Thank you for your answers.
My answer is: You don’t need heavy anti-spam plugins.
TruBar is only 6KB and stops all the SPAM.

P.S. TruBar is not released and I’m not sure if I’ll ever release it. DO NOT ask me for it.

The above “fix” does not stop spam robots in avoiding the comment form.
The problem still persist.