The spam protection (Humanizer) I've placed on the ESMS forum didn't really work - bots still sipped through. I think this is because Humanizer is a "known" plugin, and is very easy to circumvent. So the best way is to go for unfamiliar plugins, or better yet, invent spam challenges of my own. No self-respecting penis enlargement advertiser will specifically target my meager blog and forum which attract, at best, a few hundred of readers each month.
So I've added a challenge question to comments in this blog, using the Challenge plugin - it asks the reader to write the number 4 into a box. I think no bot knows how to infer that, for now... And so far it works. I added the same to the forum registration form, which also works for now. If bots target this specific question I can always change the "task" or the wording. In the blog this prevents spam comments, but doesn't prevent spam trackbacks. Disabling trackbacks doesn't help because it only applies to new posts, while bots merrily trackback older posts too. So, taking into account that trackbacks aren't really that popular or essential, I simply removed the option to post *any* trackbacks to the blog, by crudely renaming thetrackback.php
file on the server.