Defeat automated spambots (even the new 'learning' bots with dynamically named hidden fields) by adding a client side generated checkbox.
This will only work with the default WordPress comments system.
You can download any of the number of trackback validation plugins which will check the trackback before allowing it or not.
Sometimes scripts can semi automate spam and they know what the checkbox name is so they can automatically tick it.
checkbox name value in the settings page to something new (like change the number) so the autmoated systems don't know what the checkbox is called any more
You can also change the secret key value and set the maximum comments in moderation to a lower number.
if you have a cache plugin, please clear all caches.
also, you can try saving the settings again to reset all the variables