A verification question will stop automated registrations but not human registrations. It might be a human spammer, or a human who discovered the answer to your verification question and then programmed it into a bot.
You can help the problem by creating multiple verification questions (it will show one at random). Or you can temporarily moderate new registrations.
You've been lucky to be fair then, but then your domain used now "XenFans" is pretty new. I've had to spam clean away 3 accounts today. One posting signature and website links, along with filling in the About Me with about 10 links also in the write-up added. I've switched from reCaptcha to Q/A now and have activated moderating all new members. It just not an option to leave "open registration" without SFP being there as a secondary back-up against Human Spammers. But it's also not a realistic option to keep manually moderating new accounts either.
I think some are getting hit worse because they have much older domains like mine that are well visited by spammers already before installing XenForo. I had the same problem with MyBB and why I had to install SFP, Q/A and use default MyBB Captcha all working together on registration page. That halted them right away, and did so for 12 months (not one spammer got in). But using Q/A and MyBB Captcha together didn't stop them. Human spammers are the problem for me it seems, not so much spam bots.
XenForo really needs some Human Spam defence adding in there by default. SFP for me should be a part of XenForo running alongside Q/A or ReCaptcha. I'd even go further and say there should be an option there in XenForo to use both Q/A and ReCaptcha combined together if you wanted.
127 domains that I used in the past point to xenfans, they got a lot of spam on vBulletin in the past.
Yes, it's a new site, and surely over time spam becomes more annoying, we will consider turning mail verification on by then.
Every spam we do get, we review. We take the time to go through the account, the access_log and error_log for the ips used, the referrer data, and go through the blacklist report sites, etc.
Having good contacts with data centers helps too. They get a bi-monthly report with a log file they can process. Which helps prevent repeat offenders on the site to crawl to almost 0.
As time passes, we will turn on email verification, add additional q/a questions, and perhaps moderate 0 posters. Install stopforumspam plugins, etc. We've been running the site since July 2010 and spam is minimum, so can't justify compromising the user experience vs 10 bots a year.
No offence, but if you want to spend each day having to do that above. Fair enough, that's you! But I sure don't and would sooner be able to allow manual registration without having to worry if I'm going to have to spam clean away 5-10 spammers each day. Like I said above, I did have that same issue with MyBB at first. But adding Q/A and SFP as mods cured it, which could both run alongside default MyBB Captcha (all 3) on registration solved the problem and I was able to sit back and enjoy the site knowing they was getting stopped.
The mass majority of forum owners don't want to be doing all that manually checking stuff, they just want them stopped at the front-door from getting in first and foremost.
We've been running the site since July 2010 and spam is minimum, so can't justify compromising the user experience vs 10 bots a year.
I wish that was me, I'll have more than that getting in if I open manual registration in a week, probably double it easy. Let me put it this way, I had to stop logging blocked spammers in the TXT file wit MyBB and SFP, because it was growing massive daily with the amount of blocked spammers listed in it. I'm talking 50-150 human spammers per day. They'd already bypassed Q/A and Captcha - being stopped last by SFP and logged.
All I'm trying to say, is that for some of us having only the choice of using Q/A or ReCapctha by default doesn't cut it, and not by a long way.
It's a good job you don't run my domain then, it would drive you round the bend. I usally get at least one a day getting in, had 3 today alone.
Before adding SFP and Q/A to MyBB. I think the average was about 10-12 a day getting in. So that gives you an example of what will happen using XenForo if I open the floodgates allowing manual activation using only ReCaptcha or Q/A. Although Q/A works much better in lowering those figures if done right. ReCaptcha isn't working stopping them, 3 got in today using it in the space of 2 hours.