I have been receiving comments spam even though using captcha. Research showed that the spam was entering the comments through a post, apparently to the trackback! Furthermore, there is no log entry showing the post had been read or the comment page had been brought up. The following apache log entry (time and posting name match) led to the spam comment on the related post:
18.104.22.168 - - [16/Nov/2007:15:09:21 -0800] "POST /blog/2006/11/23/a-posting/trackback/ HTTP/1.0" 200 78 "-" "Track Back/1.02"