I figure that the primary goal of comment spam is to insert a URL into a comment. I’ve edited my theme and deleted the url field in the comments and popup comments files, but I still get spam comments with data in the URL field. My guess is that they are hitting the wp-comments.php file directly.
I wrote a plugin that hooks the preprocess_comment function and executes wp_die if the url field is filled in. Registered users have that field filled in automagically by the the wp-comments program so I have to check to see if the user is registered.
I am also considering checking the http_referer header, but that can be spoofed and some paranoid users disable it.
Since I don’t have a url field in the comments anymore I have to wait to see if spammers are calling it. I have to log the attempts, I guess.