A good starting point for that would be to allow invites from people you have already added to your contact list, i.e. X@example.com authorised Y@gmail.com to get status updates and Y added them to their contact list, but authorisation requests from X to Y still appear to be dropped.
This makes perfect sense to me. Chat is an important part of a service that my company provides to our users. We received great response after launching "gtalk integration" for chat until some new users started reporting problems due to this issue. We tried the other way around ie. having them send an invite to us but sadly that doesn't work as well. Hope google comes up with a better solution soon.
You could allow invites, then use subsequent content to determine spam vs non-spam. Block content when its spam and notify the user, blacklist the JID where it came from and eventually domains where there is a high proportion of spam. Also allow users to report spammers. You could possibly even get clever and learn to recognise patterns in the JIDs and domains chosen by spammers, but this is bound to block legitimate content as well.
You could perhaps increase the requirements for sending invites, such as having the recipients server send a CAPTCHA, although spammers seem to be able to get around CAPTCHAs anyway. Perhaps there would be some other solutions that I haven't thought of.