Well, thus far getting rid of the plugins and relying purely on the built in functionality of Wordpress and the OCM plugin, no rubbish has got through, however I have got a couple of comments to moderate.
The next step in the spam fight is just simply refusing access from the spam site using a .htaccess file. Ok, I've thought about this before, but wasn't too sure how I'd go about implementing it. Then I spotted this article. Bingo, just what I was looking for, but alas someone commented on this blog with their method. Seems even less complicated, and easier to maintain and even the author of the first article I found seems to have implemented this method.
I've now implemented this and will watch and see. I haven't disabled the logging of the accesses just yet, so will still be able to see when things go wrong, which I hope they wont.