Well, I adjusted some of the plugin code over the weekend. The comments’ data (name, e-mail, url, content) isn’t stored in the database anymore but embedded in the CAPTCHA form as a collection of hidden fields. As I don’t want to store the data clientside (cookies and the likes) this seems to be the best way out. The comment is saved only if the CAPTCHA test was succesfully completed.
A particular issue I face are special characters like backslashes, quotes,… things you might encounter in URL’s and such. Luckily, WordPress is quite flexible as it takes this into account during the process of saving a comment in the database. The issue I have to focus on is not breaking the HTML CAPTCHA form itself. This will probably need some extensive testing.
The new version is already protecting this blog against comment spam. If everything goes well, the moderation queue should stay empty of unprocessable spam. In fact, it changes the usage of the queue entirely: instead of an indispensable tool, it becomes an optional means to teach Mollom if a message contains spam, profanity,… You don’t need to use it, but it allows you to correct Mollom in those few cases that may slip through.
Next up: implement functionality against trackback spam. I hope to get that part finished near the end of next week so I can put out a new betaversion of the plugin.