Actually, IP addresses are a very good way to limit spam. Sure, a determined person can hide his IP address from you by using intermediaries, but even this has its limits, and the same determined person can kill your site much more easily using a variety of other methods. What you're trying to prevent is not the l33t hacker types, but rather your average spammer, who rarely bothers to hide his IP address.

What you do is keep a database of:

ID number (always include this)
IP address (stored as 3 bytes corresponding to the first 3 sections of the IP, not the IP's text representation)
IP address index (for fastest access)
Last time accessed (timestamp)
Bad access count (defined as the number of times accessed within a certain time period of the last time accessed)

Basically, you look for a record in your database with the IP address of the user you want to check. If it's there, you check to see if the bad access count is over the set limit. If it is, you exit. If not, you check the last time accessed. If the last time accessed is too recent, update the bad access count and exit if the new count is too high. Update the last time accessed and proceed.

Oh, and the exit procedure might include something for adding that IP to the global site ban list (see Apache .htaccess IP bans), in which case you'll also want to remove the banned IP from your table so it's not cluttering things up. And you'll run an automatic procedure every so often to remove records from your table that have a last accessed time of more than x days ago, so the table remains small and efficient.

Your average spammer will be able to spam maybe two or three times (depending on how you set your limits), then get cut off automatically after that, with little server-side processing time involved. People who spam by mistake won't get blocked, since your regular clean-up run will clear out their bad access count every x days.