I have an old website still in place somewhere, and lately I have been swamped by spams on my old cgi forum.
Anyway, all this to say that since I don't use the website anymore, but wants to keep it up for archiving purpose, I have removed the "post" form, thinking that this way nobody, and especially the spambots, would not be able to post on my forum anymore (nobody could).
Well, guess what? The bots kept posting new topics and new replies even though there was no way they could have had access to the form to do that... which led me to conclude that the spambots do not use the existing forms to post new topics. They probably have access to the php or cgi code, and know what needs to be sent directly to the database, bypassing all our protection system.
So I do not see any escape to this, unless we indeed manually approve new members.