I'm running a WPMU/BP site. I opened it up in February of this year and have been struggling with spam and splog registrations ever since. This week, I brought all of it - and I mean all of it - to a screeching halt. There are no more spam comments to handle on the member blogs, and the splog registrations have finally stopped.
I did a number of things to make this happen. Here is my secret:
Change the wording on the default BP registration page.
Default BP has the phrase "Yes, I'd like to register a new blog" on the registration page. I discovered that sploggers were searching that phrase out in Google to find BP/WPMU based websites. To fix this, I went into my theme's register.php file and edited that phrase and others on my registration page to something matching my niche. Then I ensured, for the next 2 weeks, that Google was crawling my registration page. Keyword searches for that phrase have vanished.
Network Install/Activate the Typepad Anti-Spam plugin.
This is the free alternative to the Akismet plugin. It cannot be network activated, so it must be installed in your mu-plugins folder. http://wordpress.org/extend/plugins/typepad-antispam/
Use the Block Spam by Math Reloaded plugin.
I also use WPMU DEV's anti-splog plugin, which has some anti-robot features. For me, however, I found the BSBMR plugin was easier to style and handle for my theme. YMMV. http://wordpress.org/extend/plugins/block-spam-by-math-reloaded/
Use BuddyDev's One Click Mark Spammer plugin.
This one is not so essential anymore. When I was getting a lot of splog registrations, it allowed me to mark the spammers from the BP member directory on the front end. This was far faster and more convenient than going to each front-end profile or into the dashboard.
Use WPMU DEV's Anti-Splog plugin.
It's now available in the WP plugin repository, though you still need an account here to take advantage of the API. It is good, and well-featured (but I'll be offering my feature requests at the bottom of this post). It was catching about 75% of the spam blog registrations and marking them as spam. This was good and helpful, because I was getting about 20 of them a day. But I have read reports on these forums of popular sites getting up to 200 splog registrations a day. Those that Anti-Splog didn't pick up, I had to mark manually. http://wordpress.org/extend/plugins/anti-splog/
Use the Stop Spammer Registrations Plugin.
This is the tour-de-force of the anti-spam war. It combines a trifecta of three powerful databases to block spam registrations and comments based on the IP. It bounces the IPs off of StopForumSpam.com, Project Honeypot, and BotScout. BotScout and Honeypot both require an API key for it to work (though setup for these only took me a few minutes). This was the plugin that has saved me all the anti-spam daily maintenance work I was doing. I imagine that it would work very, very well on its own, but I haven't tested it yet. http://wordpress.org/extend/plugins/stop-spammer-registrations-plugin/
Recommendations for WPMU DEV:
IP blocking seems to be the key to good anti-spam warfare. The databases in Honeypot, BotScout, and Stop Forum Spam are free to use (I think) for developers. Including them into the Anti-Splog plugin would dramatically ramp up its power. While I know that WPMU guys probably want their plugin to be entirely proprietary, it is best not to always re-invent the wheel. There is technology out there that works really well, and having one plugin (instead of 4-5) as the anti-spam defense is preferable and a better operating practice. Since I installed the Stop Spammers plugin, spam on my network has completely stopped - including its feature set into the Anti-Splog plugin would be a good strategy. IP blocking by checking against the other established databases seems to be the one layer that is missing from the WPMU DEV plugin.
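
The IP-reputation layer described in this post can be sketched as follows. This is an added example, not part of the original post and not code from any of the plugins named; it covers two of the three databases (Project Honey Pot's http:BL DNS lookup and a StopForumSpam-style JSON reply). The response layouts, thresholds, function names and sample values are assumptions made for illustration, and the lookups themselves are replaced by constructed replies so the block runs offline.

```python
import ipaddress
import json

# Assumed http:BL visitor-type bits in the last octet of the DNS answer.
HTTPBL_TYPES = {1: "suspicious", 2: "harvester", 4: "comment_spammer"}

# Constructed sample replies (not real lookups).
SAMPLE_HTTPBL = "127.3.40.5"   # seen 3 days ago, threat 40, type bits 1 and 4
SAMPLE_SFS = '{"success":1,"ip":{"value":"203.0.113.7","appears":1,"confidence":91.2}}'

def httpbl_query_name(access_key, ip):
    """DNS name to resolve: access key, reversed IPv4 octets, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join([access_key, *reversed(octets), "dnsbl.httpbl.org"])

def decode_httpbl(answer):
    """Decode a 127.<days>.<threat>.<type> answer; None means not listed."""
    if answer is None:                      # NXDOMAIN: IP is not in the database
        return None
    first, days, threat, vtype = (int(p) for p in answer.split("."))
    if first != 127:
        raise ValueError("malformed http:BL answer: " + answer)
    kinds = [name for bit, name in HTTPBL_TYPES.items() if vtype & bit]
    return {"days": days, "threat": threat, "kinds": kinds,
            "search_engine": vtype == 0}

def sfs_listed(body, min_confidence=50.0):
    """Read a StopForumSpam-style JSON reply for a single IP."""
    rec = json.loads(body).get("ip", {})
    return bool(rec.get("appears")) and float(rec.get("confidence", 0)) >= min_confidence

def should_block(httpbl_answer, sfs_body, max_age_days=30, min_threat=25):
    """Refuse the registration if either source flags the IP; return the reasons."""
    reasons = []
    hp = decode_httpbl(httpbl_answer)
    # Ignore stale or low-threat listings so recycled addresses are not punished.
    if hp and hp["kinds"] and hp["days"] <= max_age_days and hp["threat"] >= min_threat:
        reasons.append("httpbl:" + "+".join(hp["kinds"]))
    if sfs_listed(sfs_body):
        reasons.append("stopforumspam")
    return bool(reasons), reasons

if __name__ == "__main__":
    print(httpbl_query_name("yourhttpblkey", "203.0.113.7"))  # placeholder key
    print(should_block(SAMPLE_HTTPBL, SAMPLE_SFS))
```

The age and threat thresholds are what keep this from over-blocking: an address listed months ago may since have been reassigned to a legitimate user.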