The most reliable method of verification I've come up with is to record a replay of the game, and have the server play it back. This verifies that the high-score was actually achieved... Though it does not verify that it was achieved legitimately.
I did consider this, but my game has so many little random variables (dictating which way enemies move etc.) that replacing them with more robust, replayable versions would be a fairly major undertaking now. Had I thought things through from the beginning, I think this would have been my first choice (albeit minus the server-side verification - just having the replay on the server would be enough that I could periodically check the highest scores myself).
This is incorrect.
Again, I think I worded things poorly. I have been writing open source software for a long time now and am fully aware that as the copyright holder there is nothing stopping me from keeping part of my code closed (and effectively dual-licensing the binary and source versions). What I meant was: this is not an acceptable solution for me. I started this thread because I was looking for a way of including online high scores in a GPL-ed game with some kind of minimal protection against spam. I should have made that clear from the start.
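The replay approach discussed above, as an added sketch that is not code from the game or from any poster in this thread: every random decision is drawn from one RNG seeded per game, so the server can re-run the recorded inputs and compare the result with the claimed score. The toy game rules, the submission fields (`seed`, `inputs`, `score`) and `MAX_TICKS` are assumptions made for illustration.

```python
import random

MAX_TICKS = 10_000  # assumed cap so a submission cannot make the server loop forever

def simulate(seed, inputs):
    """Toy game (constructed): returns the score for a seed and a list of per-tick moves."""
    rng = random.Random(seed)  # private seeded RNG: the only source of randomness
    player, enemy, score = 5, 0, 0
    for move in inputs:
        if move not in (-1, 0, 1):
            raise ValueError("illegal move in replay")
        player = max(0, min(9, player + move))
        enemy = max(0, min(9, enemy + rng.choice((-1, 1))))  # random enemy movement
        if player == enemy:
            break  # caught by the enemy: game over
        score += 1
    return score

def verify_submission(sub):
    """Server side: replay the recorded inputs and accept only if the score matches."""
    inputs = sub.get("inputs")
    if not isinstance(inputs, list) or len(inputs) > MAX_TICKS:
        return False
    if not isinstance(sub.get("seed"), int) or not isinstance(sub.get("score"), int):
        return False
    try:
        return simulate(sub["seed"], inputs) == sub["score"]
    except ValueError:
        return False

def record_game(seed, inputs):
    """Client side: play the game and package seed, inputs and resulting score."""
    return {"seed": seed, "inputs": list(inputs), "score": simulate(seed, inputs)}

# Constructed sample: an honest submission and a copy with an inflated score.
honest = record_game(1234, [0, 1, 1, 0, -1, 0, 1, 0])
forged = dict(honest, score=honest["score"] + 1000)

if __name__ == "__main__":
    print("honest accepted:", verify_submission(honest))
    print("forged accepted:", verify_submission(forged))
```

As noted in the thread, a match only shows that the recorded inputs produce that score, not that a person typed them.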