The discussion below applies to 2.2 and previous 2.x versions of WordPress used without a spam plug-in.
I have my comments set for moderation - nothing gets posted unless I approve the comment. However, my database, to my surprise contained over 1,200 Spam comments that I had never seen.
On inspection, I noticed that WordPress keeps everything in the database - all the porn and all the levitra comments you did not want in your blog or database are right there in your tables.
WP stores the comments you allowed with a "1". It keeps the comments you refused with a "0" - yes, it stores the comments you refused! Brilliant! It also stores thousands of unwanted and unseen comments as "Spam" - in my case my guess is because I had configured WordPress to catch blacklisted strings.
Why does WP store spam? Why does it store comments that have been refused from moderation?