The user then can resubmit from the preview. Basically, if a legitimate user manages to trigger the spambot protection (it's possible, but unlikely) then it acts as if they pressed "preview" instead.
The actual mechanism is it looks to make sure that the user agent, IP address, and forum/topic/comment (depending on the sort of post) are the same through all steps in the process. (Obviously there's a few cases where a legitimate user's IP address can change, which is why the request is turned into a preview so that they can try again, and in these cases the user will probably just think "Hm, I must have accidentally clicked preview. Oh well.")
It's still possible for a spambot to spoof the request, but it needs to actually scrape the page of the post it's replying to and wait 5 seconds before posting, which puts a severe damper on their operations. A spambot which doesn't do this won't realize that the submit didn't happen and so the spambot authors will take a while to catch up to this (unlike an IP address banlist which just tells the spambot to switch to a different open proxy or whatever).
If it becomes necessary in the future, there's a few other things which can be added in order to trip them up a bit more. Unfortunately, spam protection is always a losing battle.
But, ever since I wrote this mod I haven't gotten a single comment spam, while my forum was being spammed pretty heavily before.