So, there are numerous types of attacks through several vectors.
A bot with automated scripts to masquerade as an user is one form, but it's one of the more primitive ones now. Captchas generally do a good job of keeping those out, but it's also the most popular form that most people tend to think of.
A more direct approach is to exploit the database directly, bypassing any and all custom PHP verification process. It isn't as easy as it may sound at first, because it requires finding and exploiting unpatched SQL vulnerabilities. However, once it's found and bots are coded for that exploit, the rest is easy as pie.
The simplest way to counteract this is simply through blanket IP bans. We're talking number.number.*.*. Maybe even number.*.*.* for certain cases, such as China or Russia. The only downside is that you also block out any and all legitimate requests from those networks, and admins tend to be hesitant about such a move BUT if are getting massive amounts of Chinese spams, and if you don't have too many legitimate Chinese accounts in the first place (which typically is the case for US forums), then I say it's a worthwhile tradeoff. But that's something a mod or admin will have to decide.
Another one is to get hardened code. This forum runs on phpBB, and as I've mentioned in the past, version 2.x is about as safe as a slice of swiss cheese. Granted, it's also popular due to its user-friendliness for both users and admins. However, if you want to get serious about security, you will want to ponder the option of rebuilding from the ground up using version 3.x. That's what the folks at ArsTechnica did. Their traffic runs as many as 3000 unique users a day, tens of thousands of posts each month, and have a monetized premium subscription model to protect. Despite its sheer size and volume, ArsTechnica did choose to make the very difficult decision of switching to phpBB 3.x, and though it was a transition years in the making, when it was finally done, they operate today with little to no spam. What little that do come through are, as far as I know, done by the occasional human beings, and at least not giant, automated botnets. Bottom line, if Ars can do it, anybody can. The question will be if it's worth the time and money for smaller boards to make the same switch. For smaller ones, maybe it's enough for mods to comb through it daily....
One more possibility to consider is to change the server's default DNS to something that's more geared towards security. Commercial ones do a good job at proactively screening out trouble IPs for you, so the end server never even have to know they exist. Of course, the downside here is another matter of cost. However, I think it's worth investigating OpenDNS, because their cost is relatively low. There's even a free version for regular users. However, all this depends on server setup, and for many, it may not apply. Either way, I figure it wouldn't hurt to throw that out there.
Last but not least, just hire more moderators. Zap the spams by hand.