After reading this article: http://www.dvorak.org/blog/?p=2904 I'm now using this rule in .htaccess (in the rewrite block above the "?q" rewrite rule, which would otherwise override this rule):

    # Try to prevent comment spam. Attempts to post comments are 403 if they
    # aren't coming from within the site. This will prevent clients that don't send
    # a referrer from posting comments, but I'm not aware of any modern browser that
    # does not send a referrer.
    # Dots in the host name are escaped so they match a literal "." rather than any character.
    RewriteCond %{HTTP_REFERER} "!^http://(www\.)?slaughters\.com/.*$" [NC]
    RewriteCond %{THE_REQUEST} "POST /comment/reply/.*"
    RewriteRule .* - [F]

I believe the domain name can be replaced with a variable to make it generic. I'm just not sure whether there are cases where a valid client does not send a referrer.

I switched from MT to Drupal largely because my site had become a spam repository. I know there are lots of modules that try to prevent spam, but I prefer simplicity where possible. Of course, it's probably only a matter of time until spammers spoof headers to circumvent this, but I'm sure it can be tweaked to keep up with the bastards.

Anyway, this is the anti-spam approach I'm going to use for now. Thought there might be more general interest in it.
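As an added illustration (not part of the post above, and not Drupal or Apache code), here is a small Python model of the same decision the rewrite rules make, generalised to any host name instead of the fixed slaughters.com: only a POST to the comment path is examined, and it is refused with 403 unless the Referer names this site (with or without "www."). It also accepts https:// referers, which the original pattern does not. The sample requests are constructed for the example; the /comment/reply/ path is taken from the post. Running it shows the one legitimate case the rule does reject: a client that sends no Referer at all.

```python
# Added example: a model of the Referer-based comment-POST rule from the post,
# generalised to any site host. Not the poster's code or Drupal/Apache code.
import re
from urllib.parse import urlsplit

# Comment submission path, taken from the RewriteCond in the post.
COMMENT_POST = re.compile(r"^/comment/reply/")


def referer_matches_host(referer, host):
    """True if the Referer header names this site, with or without a www. prefix.

    The host is compared exactly (after parsing), so a host such as
    'wwwxexample.com' does not pass the way an unescaped '.' in a regex would allow.
    """
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):  # https added beyond the original http-only pattern
        return False
    ref_host = (parts.hostname or "").lower()
    base = host.lower()
    if base.startswith("www."):
        base = base[4:]
    return ref_host == base or ref_host == "www." + base


def decide(method, path, headers, site_host):
    """Return 403 if the rule would forbid the request, or None to let it through."""
    if method.upper() != "POST" or not COMMENT_POST.match(path):
        return None  # the rule only looks at comment POSTs
    if referer_matches_host(headers.get("Referer"), site_host):
        return None
    return 403


# Constructed sample requests (not real traffic): (method, path, headers, expected status)
SAMPLES = [
    ("GET",  "/node/5",          {},                                            None),
    ("POST", "/comment/reply/5", {"Referer": "http://www.example.com/node/5"},  None),
    ("POST", "/comment/reply/5", {"Referer": "https://example.com/node/5"},     None),
    ("POST", "/comment/reply/5", {"Referer": "http://other.example.net/"},      403),
    ("POST", "/comment/reply/5", {},                                            403),  # no Referer: blocked
    ("POST", "/comment/reply/5", {"Referer": "http://wwwxexample.com/node/5"},  403),  # look-alike host
]


def check_samples(site_host):
    """True when every constructed sample gets the status listed beside it."""
    return all(decide(m, p, h, site_host) == expected for m, p, h, expected in SAMPLES)


if __name__ == "__main__":
    for method, path, headers, expected in SAMPLES:
        status = decide(method, path, headers, "example.com")
        print(f"{method:4} {path:18} Referer={headers.get('Referer')!r:42} -> {status}")
    print("all samples as expected:", check_samples("example.com"))
```

The fifth sample is the case the poster was unsure about: a browser or proxy configured not to send Referer is indistinguishable from a spam bot under this rule and gets a 403, so a site relying on it should expect some legitimate comment failures from privacy-conscious clients.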