I Win, Spammers: WordPress Comment Spam Advice
Amazingly, turning off comments within WordPress (setting wp_posts.comment_status to “closed” in the database) only affects the display of the comment form. Comments can still be submitted if the commentor or bot knows the comment URL and the correct parameters to submit.
So to totally fool WordPress spammers, do this:
1) Change the filename of wp-comments-post.php to something_spammers_dont_expect.php (or something more creative)
2) Alter the “action” value of the form tag in comments.php to point to whatever new filename you came up with in step #1.
Now all those bots can eat this: 404 Not Found.
Comments are open again on the site. 
Note: you also might need to change the filename of wp-trackback.php… those damn bots were backdooring me through that too!