What I do on any phpBB boards I have under my control is to only submit the username, email and passwords in the registration process. Only make the profile available to those users who actually complete the registration by clicking the activation link. I add a little message to the activation email saying the first thing they should do after logging in is to complete their details in their profile.

Also I know if I get a registration with a non null website then its a bot and I just exit(); at that point.

If they complete the registration process and then spam well I have a valid email to block rather than ip blocking.

Cuts way down on profile website/sig spamming.