Ideally, I want to make edits, so that links do not appear to guests at all. If there is no public link, the incentive to spam is lost.
I have put some thought into this in the past, on other forum systems. I'm a war-ravaged veteran of phpBB2, which is like the Internet's version of having a "kick me" sign on my back. And you're absolutely right--that is the primary reason for spamming forums: even if a profile is up there and no posts are made, that link in their profile is indexed by Google.
I did go through and disable any links like that--I made profile available only to logged-in members, and did not show the newest member's username unless they had confirmed their email registration (one of phpBB's many flaws). I even removed the "homepage" field from the form during signups, making it available for editing only to logged-in members. I don't know how many dozens of hours I wasted trying to modify phpBB2 to improve on it.
But, it did nothing at all to stop the spam. Here's the reason: how are spammers going to know
my phpBB2 forums are different from any other? They won't. They will blindly sign up and enter the information. The same will happen with XF. Spammers aren't going to know or care if we've modified our forums: all they see is the XF copyright at the bottom, and will attempt to spam it nonetheless. They don't have time to worry about any warning I might post about the spam measures in place. If it's a bot, it can't tell anyway, and the human spammers who get paid pennies in third world countries to join and post spam in forums (whether through profile homepage links, signatures or forum posts loaded with links) won't bother reading it either--it slows them down.
I still don't like having member profiles available to guests, so that is still worth securing. I am a big advocate of privacy.
The only thing I was able to do to stop the dozen or so spam registrations
per day on each of my more popular phpBB2 forums was to institute what was called a "VIP Code" system. The code was given out on a separate page, and members had to type it in to be able to send their registration into the system. It literally stopped the bots dead in their tracks (I worked out sort of a clumsy pseudo-random system that worked), and the human registrations slowed to a trickle.
The saddest part of all of this:
nothing is spam-proof anymore. Those of us who have been in the web business for over a dozen years have probably spent hundreds of billable hours playing with email filtering, combatting site spamming via forums, guestbooks and blogs, and just about anything else we can think of. A tremendous waste of time and resources.