Users that aren't confirmed have the permissions of the "unregistered / unconfirmed" group, regardless of the groups they're in. So either they made the post while they had a confirmed email and later changed it or there are permissions set such that the above named group can post.
neat, damn I love this forum software. Was able to see via the user changelog that (s)he did exactly that (of course I only got two bounces):
1) reg with non-existent email
2) changemail to valid email
3) changemail to other non-existent email
This might be something interesting for your Anti-Spam system (incl. StopForumSpam).
-> he avoids his initial registration being blocked (works only with a fresh IP), as he can use any random non existent email which is not yet in StopForumSpam
-> changes it quickly to his real email, validates his account, makes a post
-> after posting he changes into a non-existent email again (random)
-> if admin "anti-spams" user, only his last used email will be sent to StopForumSpam (which was not his real email) and thus avoids his real email getting blocked - less work to fake email addresses.
1) obviously it would be better to send all email addresses to StopForumSpam
2) maybe some option to disallow mail changes?