The first natural impulse is to start fiddling with the comment settings for your blog: restricting who can comment, requiring an account, turning on CAPTCHAs, banning certain words or expressions... This will stop a large number of spam attacks, but it will also stop an equally large number of real comments, because after a while people will just not bother to jump through all the hoops.
You might also start looking at installing various anti-spam plugins: different CAPTCHAs, special security codes, more filters... These might all work to a certain degree, but as soon as they become widespread, spammers will devise new ways around them. They might also discourage visitors from commenting in the same way more restrictive settings do.
As you may have noticed, on this blog the comments section does not require you to log in, and there is no CAPTCHA test or anything. Yet there is hardly any spam in my comments (as far as you, dear reader, can see at least).
What you should have done first
Movable Type already comes with a very good spam filtering plugin, called TypePad AntiSpam. In my experience this has always been a hugely effective filter with very few false positives or negatives. Basically, this plugin sends all incoming feedback to a web service that then returns a spam rating, which is usually correct.
The beauty of the system is that if some piece of feedback is classified wrongly, you can send a report about it with a single click. If enough reports come in, the filter is adjusted and subsequent pieces of feedback are filtered correctly. There is also a 'trust' mechanism built in: if someone is submitting many 'bad' reports to muddle up the effectiveness of the filter, reports from that person are ignored. Submit lots of 'good' reports, and your credibility increases, which will give your reports more weight in the future.
Every day, thousands of bloggers are sending in reports that make the system better. All users on the entire TypePad blogging platform are using it! With so many eyes watching them, it is very difficult for spammers to keep coming up with new and better spam to defeat the filters.
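The trust mechanism described above can be illustrated with a toy model. This is an added example, not code from TypePad AntiSpam or from the original post; the class, the constants and the update rule are all assumptions chosen to show the idea of weighting reports by each reporter's track record.

```python
# Toy model of trust-weighted misclassification reports. Every name and
# constant here is an assumption; this is not TypePad AntiSpam's algorithm.
from collections import defaultdict

INITIAL_TRUST = 1.0           # weight given to a key with no history
MIN_TRUST = 0.05              # keys below this weight are ignored
MAX_TRUST = 5.0               # cap so no single key dominates
REWARD, PENALTY = 1.25, 0.5   # multiplicative trust updates per report


class ReportAggregator:
    def __init__(self):
        self.trust = defaultdict(lambda: INITIAL_TRUST)

    def weight(self, key):
        t = self.trust[key]
        return t if t >= MIN_TRUST else 0.0

    def resolve(self, reports):
        """reports: list of (api_key, says_spam). Returns the weighted
        verdict (True = spam), or None on a tie, and updates trust."""
        spam = sum(self.weight(k) for k, s in reports if s)
        ham = sum(self.weight(k) for k, s in reports if not s)
        if spam == ham:
            return None
        verdict = spam > ham
        for key, says_spam in reports:
            factor = REWARD if says_spam == verdict else PENALTY
            self.trust[key] = min(MAX_TRUST, self.trust[key] * factor)
        return verdict


def simulate(honest=5, attackers=12, warmup=6, rounds=5):
    """Honest keys build history, then a larger group of new keys reports
    real spam as 'not spam'. Returns (verdicts, attacker_w, honest_w)."""
    agg = ReportAggregator()
    good = [(f"honest-{i}", True) for i in range(honest)]
    bad = [(f"new-{i}", False) for i in range(attackers)]
    for _ in range(warmup):
        agg.resolve(good)
    verdicts = [agg.resolve(good + bad) for _ in range(rounds)]
    return verdicts, agg.weight("new-0"), agg.weight("honest-0")


if __name__ == "__main__":
    print(simulate())   # constructed scenario, not real report data
```

In this constructed run the five keys with a good history outweigh twelve new keys in every round, and after five wrong reports the new keys drop below the ignore threshold.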
Sounds like a pretty good system, no? There is just one tiny drawback: TypePad AntiSpam is not on by default in a new Movable Type installation!
The reason for this is pretty simple: the web service needs a way to identify you and your reports (to be able to assign you a trust rating internally), and for this to work you need to enter a (free) key in the settings of the plugin.
Usually, getting this key and putting it in my plugin settings is one of the first things I do when setting up a new Movable Type installation.
How to do it
Go to System Overview > Tools > Plugins in your Movable Type menu structure, click on the TypePad AntiSpam plugin, then click on the 'settings' link. This opens the plugin's settings, which is where the key goes.
Now go to http://antispam.typepad.com/info/get-api-key.html and click on the link to sign in if you have a TypePad account (or register for one for free). Finally, click the 'Get API Key' link that appears.
A popup will appear with your key in it. Copy-paste this value into the plugin settings and hit 'Save Changes'.
That's it! (Almost) no more spam!
Reporting false positives/negatives
It is inevitable that sometimes spam will get through, or non-spam will end up marked as spam. In that case, simply select the wrongly classified piece of feedback from your comments or trackbacks screen, and hit the 'spam' or 'publish' button. A report will automatically be sent to the TypePad AntiSpam web service, making it a little bit better.