seebs
Mar 20 2006, 03:38 PM
The fact is, comment and trackback spam are workable DoS attacks now.
Suggestion: Tiny lightweight wrappers that can do basic throttling/blacklisting, possibly written in C, which call the real scripts only when system load is lower.
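The kind of wrapper suggested above, as an added example that is not part of the original post or of any project's code: a small CGI front end that rejects blacklisted addresses and sheds requests under load before the real script's interpreter ever starts. The script path, load limit, blacklist entries and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
int getloadavg(double loadavg[], int nelem);  /* BSD/glibc extension; strict -std modes hide it */

/* Assumptions, not from the thread: script path, load limit, blacklist entries. */
#define REAL_SCRIPT "/usr/local/cgi-real/mt-tb.cgi"   /* hypothetical path */
#define MAX_LOAD 4.0
enum gate { GATE_PASS, GATE_BANNED, GATE_BUSY };

/* Constructed sample blacklist (documentation address ranges). */
static const char *const blacklist[] = { "192.0.2.15", "198.51.100.", NULL };

/* An entry ending in '.' matches as a prefix; any other entry must match exactly. */
static int is_banned(const char *addr)
{
    for (size_t i = 0; blacklist[i] != NULL; i++) {
        size_t n = strlen(blacklist[i]);
        int prefix = n > 0 && blacklist[i][n - 1] == '.';
        if ((prefix ? strncmp(addr, blacklist[i], n) : strcmp(addr, blacklist[i])) == 0)
            return 1;
    }
    return 0;
}

/* Cheap checks first; a missing address or an unreadable load fails closed. */
enum gate gate_decide(const char *addr, double load)
{
    if (addr == NULL || *addr == '\0' || is_banned(addr)) return GATE_BANNED;
    if (load < 0.0 || load >= MAX_LOAD) return GATE_BUSY;
    return GATE_PASS;
}

static void reply(const char *status)
{
    printf("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\n", status, status);
}

int main(void)
{
    double load;
    if (getloadavg(&load, 1) != 1) load = -1.0;     /* unknown load */
    enum gate g = gate_decide(getenv("REMOTE_ADDR"), load);
    if (g == GATE_BANNED) { reply("403 Forbidden"); return 0; }
    if (g == GATE_BUSY) { reply("503 Service Unavailable"); return 0; }
    execl(REAL_SCRIPT, REAL_SCRIPT, (char *)NULL);  /* CGI environment is inherited */
    reply("500 Internal Server Error");             /* reached only if exec failed */
    return 1;
}
```

The wrapper is installed at the public URL in place of the script, with the real script moved somewhere the web server does not serve directly.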
Annoying Old Guy
Mar 22 2006, 02:10 PM
My solution has been to use a plugin (MTAutoBan) to ban IP addresses of repeat offenders at the Apache level via a .htaccess file. With a good set of filters, the attacks get throttled reasonably effectively and for an extended period. I just got hit twice in the last week with 2000+ junk trackbacks over the course of 1-2 days. I didn't notice any ill effects and legitimate trackbacks came through the storm.
I am working on another technique, modifying the trackback API so that it takes an entry basename instead of a numeric ID. Hopefully this will put a stop to "rolling ID" attacks.