I might be missing something here, but it seems that if a spammer makes a post without any spam in it and then edits it (assuming they have permission) then as long as they edit it using the inline editor then it won't get checked for spam and so they can then post whatever they like.
This is because the actionSaveInline function in XenForo_ControllerPublic_Post doesn't have any spam checking in it.
Nice spot John. We had noticed plenty of spam where the first (and only) post was edited and an invisible cookie stuffing image had been appended. There is no way to detect that invisible image, so the offenders got away with it for more than 6 months.
Thanks for fixing, Mike.