I just heard that the good people at StopForumSpam.com believe that the method I use of determining the IP address of a user is not reliable. I have no other way of determining IP addresses. A great many wordpress installations will set _SERVER["REMOTE_ADDR"] to localhost, their internal network ip, a VPN ip, a Proxy Server IP, their hosting company's IP or CloudFlare's ip. I cannot trust the IP addresses, and cannot test them against Stop Forum Spam's database.
I white-list the ip addresses of several common services that do call backs to websites. If these ip addresses can be spoofed there is no way to reliably stop spam by IP address.
I am removing all IP checks from the plugin and I will rely on the other methods that I've come up with for detecting robots. None were as effective as SFS, but they are better than nothing.
I will optionally be doing a compare to the IP address reported by the web server and the ip address reported my the meta data from the request and if they are different I will assume that the user cannot be trusted and will deny them access. This makes the plugin useless to people on proxies when this option is enabled. Many people legitimately rely on proxies to use the internet.
This information makes IP whitelists, blacklists, and services like StopForumSpam nearly useless as a way of blocking spam without blocking many legitimate users.
It could be that the spammers have won.