It should *actually* be wp-comments-post.php so that they can't post, but we'll let it slide. This time. ;) And frankly, I would not bother limiting it to commenting at all. If somebody's hitting your blog and spamming you, why let them hit your blog in the first place? Remove the files stuff entirely, block them, and be done with it.