On an other blog I run - about my trip to berkeley - it took only three weeks until the first comment spam appeared (with new WordPress 1.5, so the nofollow attribute is in place!)

I now enabled some RBL checking, which has the side effect that I cannot post comments from my current IP (some comcast WLAN). I’d love to see some solution inbetween, like giving the RBL-listed posts with an URL a hard captcha to do before being accepted, while allowing plain text comments even pass without moderation.