Hi Duncan,
What I suggest is that you block receiving comments on your website if your website is not protected by SSL. It happens because hackers inject spam links to redirect from sites that are not protected with SSL. I see now that you have SSL installed; was it before the SSL was installed that you had the spam issues?
Secondly, don't link or buy cheap backlinks from low DA/PA websites that can increase the chances of spam on your website.
I faced the same issue on my website, and I removed a few injected backlinks created on my WordPress before the SSL certificate was installed. Also, I suggest you disavow links from your Google console with the list; it can help you remove the spam backlinks.
All the best