So what is the point of the spam users? Are they a threat to my system? Am I missing something?
They are a threat. What you're missing is the time factor. Spammers act in a 2-phase process: first they register accounts and then they send the spam.
There are a few reasons why this is a good alternative for them. Firstly, if they registered accounts and start spamming right away, you will immediately block all of them: you will see the new accounts, take a quick look at their activity and remove them. It is better for them to stay dormat for a while and activate them later one by one when needed. So they would be quite unnoticed to site owners. Or maybe they just don't have any customer paying for publicity right now so they are just planting the seeds so that when a customer arrives they are ready to be harvested.
Having said that, I can see 2 alternatives here. Take a look at this post http://www.question2answer.org/qa/39657
. You can go for the alternative I propose (which, again, I'm still missing feedback) or you can go for the selected answer. Each one has pros and cons. For instance, the selected answer will block all users from the TOR network, whether they are spammers or not (I guess most of them are, anyway). In that approach you could be spammed from a non-tor IP address very easily (eg: from my IP address, which is dynamic and it is not listed in stopforumspam.org). It also has the downside that you will be hacking the core and you'll have to take note of the change whenever upgrading the core.
The captcha approach I suggest has the disadvantage that it could be cracked with an OCR and by fully automatized, but it is considerably unlikely. This approach wouldn't also block human spam users from the tor network, but I guess human spam is the least popular because of the price.
Anyway, you don't really need to choose between one or the other because you can use both of them (if you are paranoid enough)... although I'd really like some feedback on the captcha working alone... many people promised to test it... no one did :)