I have just found out that comment spam has been appearing in the demo "Mini-Blog HOWTO" article on my website, which is one of the demo pages in the sample MODx website that you can choose to install when you install MODx :-(
I had left the demo pages in place on my site in case they contained any code that I might find useful later, but it seems that this was perhaps not a wise strategy.
To prevent the problem from occurring again, I think I will delete the demo pages from my live site (but leave them on my test site, which has very strict access permissions).
I haven't knowingly used any of the demo pages other than "404 - Document Not Found" and "Search Results". Are the other pages needed for any part of MODx functionality, or is it safe to remove them? ("RSS Feed" (actually, I might want to make use of that), "MODx Features" (and children), "[*loginName*]" ×2 (URIs: login and blog-login), "Thank You", "Contact Us", "Blog" (and children), "Request an Account"). The site doesn't have any web users, only manager users.
To get rid of the spam comments themselves, can I just delete all of the records in the modx_jot_* tables, or are there any records that "need" to be in there? I don't actually use Jot, although I suppose that there is always the possibility that I might do so in future.
I'm also somewhat worried as to how the comment spam found its way there in the first place. I haven't really investigated the demo blog in very much detail, but I am surprised that it somehow seems to have allowed spam to be posted without alerting a manager user first!
Given the "Forgot manager login" bug, I have checked that there are no unexpected user accounts on the site, and have now disabled the "Forgot manager login" plugin. I will upgrade my installation to 1.0.7 when I get time. I don't know whether this is a related issue or not.
Just another reminder of the need to be ever-careful, I suppose!
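For the question about clearing out the modx_jot_* tables, here is an added example of how a careful admin would inspect and then empty them. This is not code from the original post or from the MODx/Jot projects. It assumes the default "modx_" table prefix and the four tables a stock Jot install creates (jot_content, jot_fields, jot_moderation, jot_subscribers); the table names and the `id` column used for ordering are assumptions, so confirm them against your own database before running the destructive part.

```sql
-- Added example, not from the original post or from the Jot/MODx project.
-- Assumed names: prefix "modx_" and the tables jot_content, jot_fields,
-- jot_moderation, jot_subscribers. Check them first (step 1) before step 4.

-- 1. See which Jot tables exist and how many rows each holds, so you know
--    exactly what you are about to discard.
SHOW TABLES LIKE 'modx\_jot%';
SELECT 'modx_jot_content'    AS tbl, COUNT(*) AS n FROM modx_jot_content
UNION ALL
SELECT 'modx_jot_fields',           COUNT(*)      FROM modx_jot_fields
UNION ALL
SELECT 'modx_jot_moderation',       COUNT(*)      FROM modx_jot_moderation
UNION ALL
SELECT 'modx_jot_subscribers',      COUNT(*)      FROM modx_jot_subscribers;

-- 2. Look at a sample of the newest comments before deleting anything
--    (confirms it really is spam, and gives you something to keep as
--    evidence; "id" is assumed to be the primary key of jot_content).
SELECT * FROM modx_jot_content ORDER BY id DESC LIMIT 20;

-- 3. Take a backup first, from the shell rather than the SQL client:
--    mysqldump -u USER -p DBNAME modx_jot_content modx_jot_fields \
--        modx_jot_moderation modx_jot_subscribers > jot-backup.sql

-- 4. Only then empty the tables. TRUNCATE also resets the auto-increment
--    counter; a plain DELETE FROM each table would work just as well.
TRUNCATE TABLE modx_jot_content;
TRUNCATE TABLE modx_jot_fields;
TRUNCATE TABLE modx_jot_moderation;
TRUNCATE TABLE modx_jot_subscribers;
```

Leaving the tables in place but empty is harmless, and the dump from step 3 means you can restore the comments if you later decide some of them were genuine.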