Index: wp-comments-post.php
===================================================================
--- wp-comments-post.php	(revision 12054)
+++ wp-comments-post.php	(working copy)
@@ -19,6 +19,15 @@
 
 $comment_post_ID = (int) $_POST['comment_post_ID'];
 
+// required for the nonce to work
+$user = wp_get_current_user();
+
+// see comment_form_nonce() in wp-includes/comment.php
+if ( !wp_verify_nonce($_POST['_wpnonce'], "comment_form_{$comment_post_ID}") ) {
+	do_action('comment_nonce_failed', $comment_post_ID);
+	wp_die( __('Sorry, automated comments are not accepted.') );
+}
+
 $status = $wpdb->get_row( $wpdb->prepare("SELECT post_status, comment_status FROM $wpdb->posts WHERE ID = %d", $comment_post_ID) );
 
 if ( empty($status->comment_status) ) {
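Review bot: `$_POST['_wpnonce']` is read without an `isset()` guard in the new `wp_verify_nonce()` call, so a request that omits the field raises an undefined-index notice before the verification fails; use `isset($_POST['_wpnonce']) ? $_POST['_wpnonce'] : ''` as the first argument. WordPress nonces are also time-limited, so a comment form served from a page cache older than the nonce lifetime will presumably fail this check and legitimate visitors will see the "automated comments" message; the `comment_nonce_failed` action is the only place a site can detect that, which is worth stating in the comment above the check, e.g. `// Nonces expire; cached comment forms will fail here and fire comment_nonce_failed`. The check rejects before the post's `comment_status` is consulted, so a nonce failure on a closed or non-existent post is reported as a bot rather than as closed comments — if that ordering is intended, a one-line comment saying so would help.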
@@ -40,7 +49,6 @@
 $comment_content      = ( isset($_POST['comment']) ) ? trim($_POST['comment']) : null;
 
 // If the user is logged in
-$user = wp_get_current_user();
 if ( $user->ID ) {
 	if ( empty( $user->display_name ) )
 		$user->display_name=$user->user_login;
Index: wp-includes/comment.php
===================================================================
--- wp-includes/comment.php	(revision 12054)
+++ wp-includes/comment.php	(working copy)
@@ -1642,4 +1642,13 @@
 	return $open;
 }
 
+/**
+ * Include a nonce in comment forms.
+ */
+function comment_form_nonce($post_id) {
+	wp_nonce_field("comment_form_{$post_id}", '_wpnonce', false);
+}
+
+add_action('comment_form', 'comment_form_nonce');
+
 ?>
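Review bot: The docblock for `comment_form_nonce()` does not document its parameter, its coupling to the verifier, or the theme requirement; add `@param int $post_id Post the comment form is for; must match the ID verified in wp-comments-post.php.` and a sentence noting that the nonce is only emitted when a theme's comment form calls `do_action('comment_form', $post->ID)`, since a theme that skips that hook will have every comment rejected by the new check. The action string `"comment_form_{$post_id}"` is duplicated by hand in both files; the verifier interpolates an `(int)`-cast value while this side interpolates whatever the theme passed, so consider `(int) $post_id` here to keep the two strings consistent. The third argument `false` to `wp_nonce_field()` suppresses the referer field, which is fine for a comment form but worth a short inline comment, e.g. `// no referer field: comment forms are posted from arbitrary permalinks`.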
