In my Comments posting earlier this year, I said I had disabled comments on articles on this website to avoid having to deal with spam on another front.
As it turns out, just disabling comments within WordPress wasn’t enough. I was getting hit with more and more spam, all being held for moderation. This was getting to be an annoyance, so I looked into it.
grep on the Apache logs, and searching for the IP address that the spammers hit my site from, I found everything was being POSTed to wp-trackback.php. Simply changing the permissions on this file to 0600 (it was installed from a Debian package, so is root owned) has stopped the onslaught of spam, and doesn’t seem to have affected anything else.