I run a Drupal site with several thousand users. Users self-register, and there are no other moderators but myself, so it needs to be virtually maintenance free to be sustainable.
And for years, it was! Since the site's members are well-behaved, the only major maintenance besides keeping the Drupal installation updated was cleaning up spam posts. Usually, there weren't many to clean: perhaps a few per week, but nothing that took a lot of work to get rid of. Early on, I had installed the Anti-spam module which provides three anti spam services to choose from. I selected Defensio, which offers a free filtering service for sites with less than 25,000 posts/month.
Defensio caught most of the bad posts, but I also added captcha on all the forms to try to make it a more comprehensive defense system.
All this worked pretty well, until about six weeks ago. A spam attack started that was much more aggressive than normal. Defensio still caught about 95% of the hundreds of spam comments and posts that appeared every day, but that still left quite a few that made it through the filter.
Spambots were creating new accounts on the site at the rate of 500 a day or more. There were hundreds o spam posts per day, and enough would get through to require me to check the front page of the site a couple of times a day. I started searching the Drupal forums for tips on fighting this plague.
Finally I found a Drupal module called spamicide, which prevents automated account creation by tricking the bots to act differently than humans - sort of like captcha tries to do. So far, this has been the most effective spam prevention module I've seen yet. In the few days it's been in place, it's prevented hundreds of new accounts from being created, and spam posts have dropped to zero.
After spamicide blocked the creation of new spam accounts, I cleaned up the user table to remove all the old accounts. This is necessary because the bots apparently remember all the old account names and use whichever ones are still active. Once I got them all, there has been no new spam.
Spammers might eventually adjust their software to get around this approach, but the Spamicide module is being actively maintained, and it looks like they may make close some loopholes in the near future.
If spam is a problem for your Drupal site, I would suggest trying spamicide!