Here's a little gotcha that I thought I'd share with the world. I amended my template to use cforms with Captcha Verification to avoid spammers. I know this works because I've done it on other blogs, but the spam kept coming.
So, I was puzzled and went to look at the HTML source of the posts. It turns out that because I'd commented out the PHP of my regular comments form, rather than deleting it completely, the regular form was there in the HTML inside comment braces (as well as the cforms code, which wasn't in comment braces). Now it seems that the spammer web crawlers just ignore the comment braces, see the regular form, and post to it, and it still works!
So, the answer is: don't comment out the regular form in the template, delete it. It also seems that if a spammer were clever enough to notice a WordPress site, they could spam it by posting to the regular form URL (which is still there) and bypass the cforms form, which I think explains why you very occasionally get spam on a captcha-verified site, or maybe I'm wrong.
Cforms is great, by the way.
Mike
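A way to check a rendered page for the leftover described above, as an added example that is not part of the original post: it re-parses the body of every HTML comment and reports any `<form>` found there, with its action URL and field names. The function name, sample page, `blog.example` host and `/captcha-form-handler` path are constructed for illustration.

```python
from html.parser import HTMLParser


class _FormCollector(HTMLParser):
    """Records the action URL and field names of every <form> it is fed."""

    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            if attrs.get("name"):
                self._current["fields"].append(attrs["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


class _CommentScanner(HTMLParser):
    """Feeds the text of each <!-- ... --> comment to a second parser."""

    def __init__(self):
        super().__init__()
        self.hidden_forms = []

    def handle_comment(self, data):
        inner = _FormCollector()
        inner.feed(data)
        inner.close()
        self.hidden_forms.extend(inner.forms)


def forms_in_comments(html):
    """Return the forms that exist only inside HTML comments in `html`."""
    scanner = _CommentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hidden_forms


# Constructed sample: old form commented out in the template, new form live.
SAMPLE_PAGE = """<html><body>
<!-- <form action="https://blog.example/wp-comments-post.php" method="post">
<input type="text" name="author"><textarea name="comment"></textarea>
<input type="hidden" name="comment_post_ID" value="1"></form> -->
<form action="/captcha-form-handler" method="post">
<input type="text" name="captcha_answer"></form>
</body></html>"""
```

Run `forms_in_comments()` over the saved source of each template's output; an empty list means no form markup is leaking through comments on that page.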