Luckily, removing the offending spam entries was a simple one-line query from the Rails console because the spammer was dumb enough to use URLs that had an easy-to-query-for pattern.