"PII" only seems to exist in US law; GDPR has "personal data".
I am far from an expert on GDPR, but it doesn't seem to be so clear cut. Even if IP addresses in this context are considered personal data, there may be "legitimate interest" in processing them for blacklists, e.g. https://gdpr-info.eu/recitals/no-49/ could apply. I am confident a workable solution for spam blacklists will be found.
I have the impression that a lot of the fear around GDPR is unfounded if one uses a reasonable and restrictive approach of processing and storing personal data.
Yes, IPs and any other information can be kept if there is a legitimate interest. For example, if another regulation requires you to keep full information for AML or tax purposes, you can't immediately comply with a right-to-be-forgotten request to delete all the data you hold.
It's still personal information though (which was my original point), and so you still need to comply with GDPR by minimizing usage, not sharing it to processors without permission, having a procedure for telling users what data you hold on them, etc. And I think you'd have a harder time claiming that the other stuff is required too, specifically the addresses and phone numbers. You can do spam detection without that information, even if it would be less effective.
The problem I see with GDPR is just that we won't know precisely where the boundaries are until there's some case law to set precedent. It may prove to be easy to comply with, or it may prove to have some sharp edges that are expensive to comply with; we really can't tell.