Comment on WordPress Comment SPAM by SEO Dave.
Think it’s a session timing issue which should be resolved with a forced refresh (Ctrl+F5). Can live with this: the nonce number changes, so if a user has been on the page a long time or the cache hasn’t refreshed, it would cause the “Security check failed” message. The rare user being hit with this is worth removing 99.99% of comment SPAM (barely getting any comment SPAM now).
While researching the issue, I discovered the HTTP_REFERER check can be easily tripped by opening a URL in a new window/tab or copying and pasting in a browser window. Might have to remove the HTTP_REFERER check in an update if it’s being tripped by real users easily? Will first test how much new SPAM gets through with the feature disabled.
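
Added example, not part of the comment above and not the plugin's code: a stand-alone PHP model of the two failure modes the comment describes, a time-limited nonce embedded in a cached page and a Referer check on a request that carries no Referer header. The tick scheme follows the way WordPress core nonces rotate; the secret, action name, timestamps, hosts and function names are constructed for the illustration, and it is an assumption that the plugin's checks work this way.

```php
<?php
// Added illustration: a simplified model, not WordPress core or the plugin's code.
const NONCE_LIFE = 86400;                  // assumed nonce lifetime: 24 hours
const SECRET     = 'constructed-demo-secret';

// Tick counter that advances every half lifetime (12 hours here).
function nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

function nonce_for_tick(int $tick, string $action): string {
    return substr(hash_hmac('sha256', $tick . '|' . $action, SECRET), 0, 10);
}

// Accept the current tick and the previous one: valid for 12 to 24 hours.
function verify_nonce(string $nonce, string $action, int $now): bool {
    $tick = nonce_tick($now);
    return hash_equals(nonce_for_tick($tick, $action), $nonce)
        || hash_equals(nonce_for_tick($tick - 1, $action), $nonce);
}

// Strict mode rejects a missing Referer; lenient mode rejects only a foreign host.
function referer_ok(?string $referer, string $site_host, bool $strict): bool {
    if ($referer === null || $referer === '') {
        return !$strict;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $site_host) === 0;
}

// Constructed scenario: the form is rendered once, then served from cache.
$rendered = 1700000000;
$nonce    = nonce_for_tick(nonce_tick($rendered), 'post-comment');
foreach ([1, 13, 30] as $hours) {
    $ok = verify_nonce($nonce, 'post-comment', $rendered + $hours * 3600);
    printf("cached form submitted after %2d h: %s\n",
        $hours, $ok ? 'accepted' : 'Security check failed');
}

// Constructed Referer values; example.test and other.test are placeholder hosts.
foreach (['https://example.test/post/', null, 'https://other.test/'] as $ref) {
    printf("%-28s strict=%s lenient=%s\n",
        $ref ?? '(no Referer header)',
        referer_ok($ref, 'example.test', true) ? 'pass' : 'fail',
        referer_ok($ref, 'example.test', false) ? 'pass' : 'fail');
}
```

Keeping the page-cache lifetime shorter than the nonce lifetime avoids the stale-nonce rejection, and the lenient Referer mode lets header-less requests through while still rejecting a foreign host.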