spry validation can be disabled by disabling java script in the browser, it should not be relied on for preventing spam.
use server validation instead.
you can use the alpha numeric validation type for the comments field to allow letters and numbers to be inserted, this will prevent URLs.
or you could use regular expression validation.
if you look at the documentation, there is an example of a URL regular expression that can be used.