I'm not too fond of email verifications. It stops too many legit members who can't spell from joining communities and having joy right now. The more roadblocks you throw in front of a potential new member the likelier, imo, they will not return. I monitor bounced emails and find that the majority are by legit members who mispelled their email addy. Apparently, most of the email addys the non-bot spammers are using are legit. Therefore, in my experience, email verification causes more problems than it solves. That's just my own experience, others may have different experiences/activities on their own communities.
The registration challenges are good, but they don't stop non-bots, which is what I am certain you are seeing. Based on my experience and the kind of posts these members make when they DO post, they're not bots.
I remove the website field altogether. I let people post links in the signature line, that way they have to make a post to have their link show up. This creates an incentive to post. Frivoulous posts and spam posts are dealt with in the usual manner.
I rely on IP banning. I ban IPs as they show up. It's not the ultimate solution but it keeps the spam level to a manageable trickle.