One thing to think of is not to be valuable to them.
So for instance, ALWAYS do HTML sanitization via whitelist; don't let anyone put any javascript or any weird CSS or HTML into your posted content that you don't allow there.
If you allow links, make sure they all have the "nofollow" tag, so that you can't be used for link farming. (Both because it helps spammers, and because if Google detects that your site is being used for link farming, your own sites bomb.)
Other tricks spammers use: Using a link for the username, since that is sometimes emailed or displayed even when moderated content is not.
The site I run is a special-purpose conference website for a relatively small community (usually 60-100 attendees), so manually moderating all content until a user is verified works pretty well. The first year we had a handful of spammers, but their content was all deleted by me before it was seen by anyone. (With the exception of the link for a username. Missed that trick.) The next year we didn't have any spam accounts at all.
No idea how well that will scale for your use case.
I will certainly be employing these methods, and doing manual verification at least initially- but if the project is successful, it will outrun my ability to manually verify everything.
So for instance, ALWAYS do HTML sanitization via whitelist; don't let anyone put any javascript or any weird CSS or HTML into your posted content that you don't allow there.
If you allow links, make sure they all have the "nofollow" tag, so that you can't be used for link farming. (Both because it helps spammers, and because if Google detects that your site is being used for link farming, your own sites bomb.)
Other tricks spammers use: Using a link for the username, since that is sometimes emailed or displayed even when moderated content is not.
The site I run is a special-purpose conference website for a relatively small community (usually 60-100 attendees), so manually moderating all content until a user is verified works pretty well. The first year we had a handful of spammers, but their content was all deleted by me before it was seen by anyone. (With the exception of the link for a username. Missed that trick.) The next year we didn't have any spam accounts at all.
No idea how well that will scale for your use case.