Here is a brief quote from an admin at another site I hang out at, dealing with the same subject that I thought you might enjoy.
We have email and image verification (have had it for a long time actually). The larger the board, the more likely it is to be on some spammer's list. I run a small guild site on the same phpbb code base as OO and it gets about 1/10th the spam.
The problem with increasing spam is that phpBB is so prevalent out there now that it's a huge target (see Windows vs. Virus/Malware for a similar issue). People have actually written bot scripts that can work through just about everything that people throw up.
For example, I've made numerous changes to the registration process form and it helps for a while, but eventually the spammers work around it. I have a theory that somewhere out there is a list of phpBB (and possibly other) boards with some sort of bot configuration that gets updated from time to time so eventually anti-spam deterrents get worked around.
We could require manual activation, but that means someone (or someones) have to overlook that, and things like that always deter the real people we want here from joining.