A common approach is to use spam-rules for deciding if a post is auto-approved, or requires admin-approval.
Telligent have a system that seems to work pretty well, based on assigning points to a posts, to decide if it's likely spam, and sidelining posts above set "suspect" values. Basically, if a post scores above the "suspect" limit, it requires admin approval to be posted.
User Account Age
-- Deduct points for posts from older (more trusted) accounts
Known Spam Terms
++ eg 'viagra'
User Creation IP Frequency
++ More points if the IP address is repeatedly creating users.
Status Message Duplicates
++ Recent duplicate status messages and replies
Status Message Flood
++ A user has recently created many posts
++ If comments do not meet a certain minimum length
IP Address Frequency
++ If a given IP address attempts to make repeated posts
Emails in Comments
++ Regex matches in the comment body
++ Site configured rules based on acceptable content
Recent Duplicate Spam Rule
++ Duplicate username, title, body, etc.
Links in Comments
++ Links to known or suspect bad places.
++ Regex matches in username, title, body, etc that match known values.