I’m noticing the same thing. Fortunately, spammers aren’t hitting the site yet, but people who haven’t commented before are being allowed to comment. I do have the “previously approved comment” option checked.
While I’m not positive, in comment-functions.php it looks like lines 729-731 are executed early in check_comment:
$mod_keys = trim( get_settings('moderation_keys') );
if ('' == $mod_keys )
return true; // If moderation keys are empty
…and that looks like it means that if you don’t have anything in your moderation keys, all comments will be approved. I’ve just put a few spam words in my moderation key block to test this, though. ??
