I use a bunch of ways to detect spam in my Stop-Spammer-Registrations-Plugin. This is a summary of all the ways that I’ve implemented.
1) Put a “Red Herring” form on pages that do comments. This is a hidden form that looks identical to the standard comment form, but configured in such a way so that anyone using it will be seen as a spammer. Normal users won’t see it and will use the real form.
2) Use a timer in the session. (This doesn’t work when a caching plugin is used.) Whenever anyone hits your page, put the current time into a session variable. Then, when they hit the comment post function, you can check the number of seconds it took to fill out the form. If it takes a user 4 seconds or less, they can’ be a human.
3) Add a hidden field to comment and login forms. If it is not present after the form is submitted, then a robot sent the data.
4) Check the HTTP_REFERER header. If it does not match the domain of your website than it is a bad robot trying to drop spam.
5) Check the HTTP_USER_AGENT. If it is missing or found on a list of bad robots, then deny access.
6) Compare the IP address of the incoming comment to a list of known spam servers, such as Ubiquity.
7) Deny anyone with an email or user name longer than 64 characters. Spammers can’t resist putting too much data in the email or author fields.
8) Check for spammy words like “viagra” or “4U” in the email and author fields.
9) Look for the HTTP_ACCEPT header. If it does not exist, then reject.
10) Check IP, email and user ID against the Stop Forum Spam database.
11) Check the IP against a bunch of DNS black lists used for email spam.
12) Check the IP against the Project Honeypot database.
13) Check the IP against the BotScout database.
14) Make sure that you have Akismet installed to catch anything the methods above miss. If not, get the WordPress API key anyway, and check against the Akismet database.