I guess it had to happen. Until this weekend there had only ever been one comment spam on this site since it first went up in 2006 — I guess this is an advantage of writing your own web site and blogging software. Clearly somebody thinks this site is now important enough to have customised some attack software, or they had something flexible enough that it could handle the registration process.
In any case, the site is no longer safe, so the question is which is more damaging? The appearance of spam, or the extra hoops that people will have to go through to be able to post here? At the moment I'm stopping the spam and I'm doing this by not giving new registrations permission to post. This is not really how I want to do it, but any other mechanism is going to require me to work out a better procedure.
What I probably want to do is to allow new registrations to post, but not to allow those posts to appear in public until I've vetted the account. This isn't perfect (somebody could post a sensible comment and then start to spam), but it should work well enough without causing much more of an inconvenience to real users. The only problem with this mechanism is I don't know when I'll have time to enact it.