@zudn
I've heard it said that you can just use a honeypot technique so spambots get trapped doing something that won't tax your server.
(For me, my private services (on the public internet) have never been found by spambots.)
Of course, CSRF tokens and request rate-limiting should be used almost always, which can solve some of the same problems.