
How to block bad users and spammers from inserting undesired data in forums?


I want to avoid spammers putting advertisements and curses [into a forum]. What is the best way to do it? Is a 'captcha' a good way to do it with 100% reliability? Is blocking IP addresses a good way?


Solution

  • I have found that a combination of the following works well:

    • Moderation. You will likely never be lucky enough to prevent 100% of undesirable content
    • Moderated account activation. Although this requires input from you or another moderator, it prevents opportunistic hackers from doing 'drive-by' defacements. You can also review their profile to see if they've included marketing links as their homepage/signature etc. I've caught a number of spammers attempting to register in this manner
    • Replace built-in (vulnerable) captchas with reCAPTCHA
    • Disallow disposable email addresses. There are quite a few of these domains from companies like 10minutemail. If you're looking to attract repeat visitors, nobody should be using a disposable email account
    • Ban IP addresses, not usernames. If you encounter a spammer, ban their IP address to prevent re-registration. There is support in phpBB and other popular forum software for this
    • Use the keyword censoring facility of your forum if present. This is especially useful for preventing curse words if you're running a family-oriented forum. Again, I know phpBB has this feature either in-built or available via a mod
    • Disallow posting of links until the user has posted x number of messages (usually 1-5). Most spammers are opportunistic and will move on to an easier target. Alternatively, enforce moderation for their first message (and don't tell them this beforehand!)
    • Keep track of your active users. Deactivate old users who haven't contributed for, say, 12 months. You can always reactivate them if they request it

    Note that none of the above really tackles the issue head-on, which never really works. I believe it's better to manage the users before they post rather than clearing up after them.
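
The pre-post checks listed in the answer above (IP bans, disposable-email rejection, no links until x posts, silent moderation of the first message) can be combined into one gate. This is an added example, not code from the original answer or from phpBB; the `User` class, the function names, the threshold and the sample blocklist entries are all assumptions made for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample values for illustration, not a real blocklist.
DISPOSABLE_DOMAINS = {"10minutemail.com", "throwaway.example"}
BANNED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]
MIN_POSTS_FOR_LINKS = 3  # the answer's "x" (usually 1-5); hypothetical setting
LINK_RE = re.compile(r"(?:https?://|www\.)\S+|\[url\b", re.IGNORECASE)

@dataclass
class User:
    email: str
    ip: str
    approved_posts: int = 0

def is_disposable(email: str) -> bool:
    """Match the domain and every parent domain, so mail.10minutemail.com is caught too."""
    domain = email.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    labels = domain.split(".")
    return any(".".join(labels[i:]) in DISPOSABLE_DOMAINS for i in range(len(labels)))

def is_banned_ip(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # fail closed on an unparseable address
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot sidestep an IPv4 ban.
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in BANNED_NETWORKS)

def check_registration(user: User) -> str:
    if is_banned_ip(user.ip):
        return "reject"
    if is_disposable(user.email):
        return "reject"
    return "pending_activation"  # a moderator still activates the account

def check_post(user: User, body: str) -> str:
    if is_banned_ip(user.ip):
        return "reject"
    if user.approved_posts < MIN_POSTS_FOR_LINKS and LINK_RE.search(body):
        return "reject"
    if user.approved_posts == 0:
        return "hold_for_moderation"  # first message is reviewed without telling the user
    return "publish"
```

Banning by network range rather than by single address, and normalising IPv4-mapped IPv6 addresses, keeps a banned address from re-registering under a different textual form of the same address.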