Jay,
As you mention, the person in question basically exploited the Private Messaging system to send offensive PMs. Once again, I sincerely apologize to anyone who received any of this filth - we certainly don't approve of that kind of content on this forum.
Many of the protections you mentioned were already in place. We had PM disabled for junior members, required email registration and even have captcha character verification enabled to prevent bots from creating accounts without human intervention. As near as I can tell, a human had to create the initial account first (the captcha and email requirement force this), and then perhaps used a bot to exploit it. They then managed to post enough posts to become a more senior member (allowing them to PM) and started sending out PMs. Even then I had already lowered the limit on the number of people that could be copied on a single PM, so they had to send a few addresses at a time.
Since then I had to disable PMs (at least for now), increase the delay between posts/replies, add some spam blacklist extensions, disallow aliases (he used an alias to disguise his real login), decrease the PM count further, and of course ban the offending user and also his IP addresses. I'm also looking into other countermeasures.
Jay, I would appreciate it if you could email me with other suggestions, and also let me know if there is an easy way to eliminate the remaining PMs from the SQL database. My email is simply beersmith at the beersmith.com domain.
Thanks,
Brad