Spam is an Arms Race - What Should A Drupal Webmaster Do?
Email spam and website spam are not going to end anytime soon. They are an arms race. By that, we understand that spammers are going to always be working to come up with more tricks to fool the email and website spam filters, and email junk mail filters / web search engines are going to be forever trying to catch up.
The same, of course, goes for click fraud. It's just part of life.
As webmasters, we also learn quickly about spam. The first thing a new drupal website has to do is to enable a basic image CAPTCHA for user registration. I had previously tried the math CAPTCHA, but the automated spam bots continued creating accounts. The image CAPTCHA stopped them. Until your website is very popular, just adding image CAPTCHA to user registration will be fine.
If you do find that you have ongoing problems with comment-type spam from normal users including URLs, you can set all filtered HTML content to display with rel="nofollow" set. This prevents your website from being penalized if a user links to a spam-site or unrelated site, and it also discourages spammers from posting on your site in the first place.