[jeza]

You could allow invites, then use subsequent content to determine spam vs non-spam. Block content when its spam and notify the user, blacklist the JID where it came from and eventually domains where there is a high proportion of spam. Also allow users to report spammers. You could possibly even get clever and learn to recognise patterns in the JIDs and domains chosen by spammers, but this is bound to block legitimate content as well.

You could perhaps increase the requirements for sending invites, such as having the recipients server send a CAPTCHA, although spammers seem to be able to get around CAPTCHAs anyway. Perhaps there would be some other solutions that I haven't thought of.