Industry guru Dave Taylor offers tech support on technical and business topics, including iPhone, iPod, Microsoft Windows, Sony PSP, cellphones, online advertising, CSS, Web design, business, Unix, Linux, SEO, Mac OS X, and shell script programming.     


Minimize blog spam in MovableType?

Dave, I use two different versions of MovableType for my weblogs, one on each of two different servers, and am wondering what your best recommendations are in terms of limiting my comment spam? One is 3.17 and the other is the latest 3.2 release.


Dave's Answer:

By darn good luck, colleague and blog wizard Josh Hallett of Hyku | blog just recently answered a very similar question, and with his kind permission, I quote his excellent answer:

I recently upgraded to MT 3.2 but preferred my anti-spam settings of 3.17. I'll talk a bit about both. Ultimately, however, most comment and trackback spam is run via scripts.

MovableType 3.17

With 3.17 I had three primary tools in use:

MT Blacklist
MTBL was one of the first anti-spam measures and did an excellent job; however, it is not compatible with 3.2. I wish it was. MTBL would prevent the majority of stuff making it thru. What was nice is that you never had to deal with it. Sort of an out-of-sight-out-of-mind thing.

SpamLookup
Rather than running a simple blacklist like MTBL, SpamLookup runs the comment/trackback thru a series of tests; if the item does not meet a certain threshold then it will not be posted. For example, if a post has too many links in it or the IP address of the trackback does not match the IP address of the blog domain, the comment will be denied. In combination these two items did a good job.

Occasionally a large comment spam run would make it through because it had one or two URLs or, in the case of one batch, had links to google.com. All these were run via scripts. To stop that brute-force attack I....

Changed the name of the default mt-comments.cgi and mt-tb.cgi
There are a few steps involved with this, but the primary purpose is to defeat the script attacks running against your mt-comments.cgi file. If you look at your log files you'll see that the comment spammers are simply posting directly to the mt-comments.cgi file. Changing the name of the file can help stop this. It was always fun to look at my log files and see a few thousand 404's when a spammer was trying to post to my mt-comments.cgi file.

At best the name-changing step would beat them for a while. With the three things above I enjoyed a few months with no major spam problems. From time to time I would get a single post, which upon investigation (via logs, etc.) turned out to be an actual person posting a single item at a time.

All that changed when I upgraded to 3.2

MovableType 3.2

Like I mentioned earlier, MT-Blacklist does not work with version 3.2. Your primary line of defense is MT's built-in SpamLookup system. MTBL used to stop the spam before I saw it; now with 3.2 I see it in the 'Junk' list, which I am forced to review frequently. Yes, MT will auto-delete this queue, but I still get false positives.

This is especially true for Trackbacks. It seems that every Trackback I get from TypePad hosted blogs does not make it through. The reason? The IP address of the trackback server does not match the IP address of the blog's domain. It seems like SixApart would have this covered since they wrote both pieces of software.

I have attempted to update the name of my .cgi files but the spam appears just as quickly again. When I say appear I mean in the junk area, so it never makes it to my blog, but it's still there. Since the name-change doesn't work anymore, my theory is that there is another way to post trackbacks, perhaps via an API, or the scripts have become smart enough to look up the exact name of the .cgi script on your blog and then post away. My guess is the latter.

Anyway that's what I do for myself and all my clients. I also have a number of specific plugins for MovableType and some custom modifications I have created that make things like tagging very easy for the basic user.

Thank you for your expert insight on this, Josh. I'm in the middle of migrating from this ancient version of MT to the very latest, on a new, faster server, so I'll be able to add my own experiences in this regard soon enough.
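The two tests Josh describes (a link-count limit and the trackback sender-IP comparison) can be modelled in a few lines to show both outcomes he reports: a low-link spam comment passing, and a hosted-platform trackback being junked. This is an added example, not SpamLookup's code; the threshold, host names, addresses and the `resolve` helper are assumptions constructed for the illustration.

```python
import re
from urllib.parse import urlparse

LINK_RE = re.compile(r"https?://", re.IGNORECASE)
MAX_LINKS = 2  # assumed threshold for this example, not a SpamLookup default


def sender_matches_source(source_url, sender_ip, resolve):
    """True when the pinging IP is one the source URL's host resolves to."""
    host = urlparse(source_url).hostname
    return host is not None and sender_ip in resolve(host)


def classify(item, resolve):
    """Return ("publish" or "junk", list of failed tests) for one submission."""
    failed = []
    if len(LINK_RE.findall(item["text"])) > MAX_LINKS:
        failed.append("too many links")
    if item["kind"] == "trackback" and not sender_matches_source(
            item["source_url"], item["sender_ip"], resolve):
        failed.append("sender IP differs from source domain IP")
    return ("junk" if failed else "publish"), failed


# Constructed DNS answers using documentation address ranges.
DNS = {"selfhosted.example": {"192.0.2.10"},
       "blog.hosted.example": {"198.51.100.20"}}


def resolve(host):
    return DNS.get(host, set())


# Constructed submissions.
SAMPLES = {
    "link_heavy_comment": {"kind": "comment",
        "text": "http://a.example http://b.example http://c.example"},
    "two_link_comment": {"kind": "comment",
        "text": "see http://a.example and http://b.example"},
    "selfhosted_trackback": {"kind": "trackback", "text": "Nice post",
        "source_url": "http://selfhosted.example/entry.html",
        "sender_ip": "192.0.2.10"},
    # Hosted platform: pings leave from a shared server, not the blog's web IP.
    "hosted_trackback": {"kind": "trackback", "text": "Nice post",
        "source_url": "http://blog.hosted.example/entry.html",
        "sender_ip": "198.51.100.99"},
}

if __name__ == "__main__":
    for name, item in SAMPLES.items():
        print(name, classify(item, resolve))
```

The hosted trackback is legitimate yet fails the IP test, which is why the junk queue still needs reviewing for false positives.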











Reader Comments To Date: 2

Erik Weibust said, on October 20, 2005 7:19 PM:

What is the process of changing the name of mt-comments.cgi and mt-tb.cgi? I assume after changing the file names there will be changes that need to be made to the existing MT code.

Erik

Jack Vinson said, on October 20, 2005 11:02 PM:

When renaming scripts for comments and trackbacks (and others), you need to change the appropriate variable in mt-config.cgi (or mt.cfg before MT 3.2). These are CommentScript and TrackbackScript.
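Once the scripts are renamed through CommentScript and TrackbackScript, the 404s Josh mentions seeing in his logs become a usable signal: any client still POSTing to the default names is not following the blog's own forms. The following is an added example, not part of the original post or comments, that counts those requests per client from an access log; the log format (Apache combined), the /cgi-bin/mt/ path, the renamed script name and the threshold are assumptions.

```python
import re
from collections import Counter

DEFAULT_SCRIPTS = {"mt-comments.cgi", "mt-tb.cgi"}  # names given on the page
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')


def stale_script_posts(lines):
    """Count POSTs per client that hit a default script name and got a 404."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "404":
            continue
        # Check every path segment: a trackback URL can carry extra path
        # info after the script name (for example .../mt-tb.cgi/123).
        segments = m["path"].split("?", 1)[0].split("/")
        if DEFAULT_SCRIPTS.intersection(segments):
            hits[m["ip"]] += 1
    return hits


def flag_clients(lines, min_hits=3):
    """Clients with at least min_hits such requests (assumed threshold)."""
    return sorted((ip, n) for ip, n in stale_script_posts(lines).items()
                  if n >= min_hits)


# Constructed access-log lines; /cgi-bin/mt/ and the renamed script are assumed.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Oct/2005:19:01:02 -0600] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.0" 404 209 "-" "-"
203.0.113.5 - - [20/Oct/2005:19:01:03 -0600] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.0" 404 209 "-" "-"
203.0.113.5 - - [20/Oct/2005:19:01:03 -0600] "POST /cgi-bin/mt/mt-tb.cgi/123 HTTP/1.0" 404 209 "-" "-"
203.0.113.5 - - [20/Oct/2005:19:01:04 -0600] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [20/Oct/2005:19:05:40 -0600] "POST /cgi-bin/mt/renamed-comments.cgi HTTP/1.1" 200 512 "-" "-"
192.0.2.44 - - [20/Oct/2005:19:07:11 -0600] "GET /cgi-bin/mt/mt-comments.cgi?entry_id=12 HTTP/1.1" 404 209 "-" "-"
192.0.2.44 - - [20/Oct/2005:19:07:30 -0600] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.1" 404 209 "-" "-"
""".splitlines()

if __name__ == "__main__":
    for ip, n in flag_clients(SAMPLE_LOG):
        print(f"{ip}: {n} POSTs to default MT script names returned 404")
```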

© 2002 - 2013 by Dave Taylor. All Rights Reserved.
