FWIW, I just use email verification, CAPTCHA (now with 7.3), and one email address per registrant. Knock on wood, with almost 5000 registered members over almost 7 years, I've never had any real spammers and never had to approve anyone beforehand. After all, you know nothing about the person when you're approving them anyway, so why bother with that step?