phpBB / PHPBB-10048

New user can post without requiring approval


    • Bug
    • Resolution: Cannot Reproduce
    • Major
    • 3.0.10-RC1
    • 3.0.8
    • Posting
    • None
    • PHP 5.3.5, MySQL 5.1.50, Linux 2.6.33-gentoo-r2

      ACP has New member post limit=1 and Can post without approval=Never for the Newly registered users group. Most of the time a new post goes into the approval queue but last night a spammer made 2 posts which were publicly viewable without waiting for moderator approval.

      I created a number of test users and found that the only circumstance where a post was added to the approval queue was when the user name and email address had never been previously used. Repeat use is possible as we have a policy of deleting spammers to prevent them from cluttering up the membership list. Obvious spambot user name patterns are wildcard disallowed, but otherwise we don't normally bother.

      Here's a summary of the test sequence I followed:

      Name #1 + email #1, post requires approval, user deleted
      Name #1 + email #1, post publicly viewable, user deleted
      Name #1 + email #2, post publicly viewable, user deleted
      Name #2 + email #1, post publicly viewable, user deleted
      Name #3 + email #3, activated, user deleted
      Name #3 + email #3, post publicly viewable, user deleted
      Name #4 + email #4, inactive, user deleted
      Name #4 + email #4, post publicly viewable, user deleted

            nickvergessen Joas Schilling
            Thyme Lawn Thyme Lawn [X] (Inactive)