In "General Options," with "Users must be registered and logged in to comment" selected, I'm seeing spam on a daily basis that is not from the few registered users on the blog. Indeed, "Anyone can register" is not checked.
Now, the comment form does not show on blog posts except for the several users who I have administratively registered. So obviously the spammers are not using the form at all. But merely not showing the form isn't enough to enforce the requirement that users be logged in to comment. Is there some good reason that the backend code for handling comments doesn't simply reject any submission from someone who is neither registered nor logged in? Why aren't credentials being enforced?
I get to moderate these spam attempts. So the public isn't seeing them. But it's wasting my time. What's the purpose of this hole being left in the code?