METHOD 1
Spam combat steps:
1. Google ReCaptcha
2. Cookie checking
Every time a review is sent, a cookie (or localstorage value) is added with expiration of 1 day. If this cookie already exists, the review is added to a "checking list".
3. IP verification
Every time a review is sent, the IP of the connection that required the review is added to a SQL table, with the date of the last review and the number of reviews done by the IP. If there already is a date stored that is newer than 2 days ago, the review is added to a "checking list". A "ban" value in this table also enables you to ban spammer's IP.
4. Manual checking
The reviews added to the checking list must be manually checked, and if they are real spams, the IP of the reviewer can be banned.
METHOD 2
The user can only review if they bought the product. That way, their e-mail are added to a mailing list when they buy the product, and they get emailed with a link, that redirects they to a page where they can add the review and reads a token contained in the link and in a SQL database. If the token is valid and the user did not reviewed the product earlier, they can proceed.