Here's my two cents on what I've done to thwart spambots. First, I banned all the freebie e-mail addresses the I know of. That knocked out most of them right there.
Then I enabled account activation. That took out the rest of them (until recently) because bots can register with a valid e-mail, but unless the human running them is following up by activating the account in the e-mail, the account will remain inactive. I delete all inactive accounts after a week.
My board is small, only sporadically active, so it's no prob to wipe out inactive accounts. After I eliminated freebie addresses I rarely have bots try to register.
I posted a notice on my board that accounts must be activated within a week or be deleted and if anyone has any problem activating their account to contact me. That notice covers ligitimate users who might have a problem.
Since I've recently started getting spam again I've enabled visual confirmation. AND I deactivated PMs for any users that aren't participating on the board. Lurkers don't need to be using PMs anyway. Once someone establishes themselves as a member of the community by participating, then I can reactivate PMs for their account.
Two questions:
Is there a mod that will automatically delete inactive accounts if they haven't been activated in 7 days?
Is there a mod that automatically sets new user accounts not to allow PMs?
I so rarely have spam that doing these things manually from the admin panel is no problem, but as the board grows, it might be nice to have those two things done automatically eventually.