We have a few measures in place and though we'd share them with you and see how many can be done in XF or added into XF.
1) Members with under a set number of posts are subject to checks on the content of the posts. If they contain certain keywords (i.e. to do with selling or containing a link) then the post is automatically moderated.
2) These members also can't send PMs. this is a pain, but we had a spate where spammers would sign up and then send loads of PMs. Perhaps a daily limit of PMs could be set via Usergroup, this would be better than blocking PMs completely.
3) Once they've made enough posts (won't say how many for obvious reasons!), then they automatically get promoted to the main user group.
We are currently having to scan every new registration by hand to find the spammers and we're probably banning tens of accounts every day, even before they've activated the account!
This would be made a lot easier if there was a function in the admin site that would list the new registrations *with some/all profile fields* on one page, rather than as its done in vB where you have to click the link to view the profile. If the info was on the same page, its a lot quicker to go through the new registrations.
I don't know what XF has in regards to this as we haven't had a chance to find out, but these are the suggestions I have which would make catching the spammers BEFORE they start making posts.
1) Ability to enter a list of keywords that posts from new members (under x number of approved posts) are checked for. If they are found, they go into the moderated queue.
2) Ability to limit PMs sent on a daily basis by usergroup. Therefore the inital usergroup new members go to can be set to say 5 PMs a day, so the worst they could do would be to send 5 PMs on the first day. If the account is subsequently deleted as a spammer, it would be nice if a PM could be sent to the members they PM'd alerting them to the fact the PM was sent by a spammer and to delete it. - this PM should ignore any PM limits they have (i.e. PM box size).
3) Provide a list of new registrations (note, even those which haven't been activated yet) in a page in the admin site with selectable custom profile fields (once these have been added), so that at a glance people can see the spammer registrations and delete them.
It appears that spammers these days use humans to sign up registrations rather than bots and needless to say, you can't stop these with reCaptcha, normal Captcha or Q&As. To combat these we need additional tools on the 'other side' of the registration step.