Here's the technique - just drop a modified version of this into your .htaccess file for your WPMU server:

RewriteEngine On
RewriteCond %{REQUEST_URI} .wp-signup\.php*
RewriteCond %{HTTP_REFERER} !.** [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) [R=301,L]

I put that block above the WPSuperCache block in my .htaccess file.

Modify the part that says "" to be whatever your WPMU server is (you may need to do more if you run multiple domains...), and modify the part to point to wherever you want to send suspected evil spammers. I send them here.

What it does is detect any POST requests (submitting a form) for wp-signup.php, that haven't been sent from a web page on the WPMU site or have an empty user agent string (identifying the software making the request), and sends them to a page that apologizes for any false positives (and provides a contact to get around it for valid users that somehow got sent there) and scolds evil spammers for being evil spammers.

The beauty of it is that it doesn't require anything from WordPress. No plugins. No mu-plugins. No hacking core files. Nothing. Apache steps in and kicks spammers out before they get in at all.