Akismet is the most popular spam blocker for WordPress, and reCAPTCHA is another plugin that asks for human verification when someone tries to enter a comment. I have seen many scripts that bypass reCAPTCHA and get comments entered into the database. One good thing about WordPress is that none of the comments are published without moderation, so it doesn't make much difference, but it still takes manual work to filter spam from the huge list waiting in the queue.

Akismet is a very good plugin that checks WordPress's database for possible spam across all comment entries, blocks them automatically, and holds them for 30 days. So about every 30 days you can visit the Akismet page to see whether any legitimate message is there; if so, mark it as not spam and it will be displayed on the posts.