Many new vBulletin admins don't know how easy it is to delete private message spam from a spammer.
If you delete spammer accounts (like I do!), then you need to do this just before you delete the account. If you just ban the account, then this can be done at an time.
Using your admin control panel -- mysite.com/forums/admincp if you haven't changed it* -- go to the USERS menu on the left, then SEARCH FOR USERS, and find the offending spammer. I usually just click on one of the quick searches, either 'last 24' or 'new registrations'.
Once you're on the member page, select DELETE PRIVATE MESSAGES SENT BY USER from the quick user links. (See image below. Log in to view images/attachments.)
And that's really all there is to it. Very simple. Bye-bye crapola.
Beyond that, consider increasing your anti-spam policies on the site:
- Use a question-and-answer model on registration, don't just rely on captcha to stop the junk.
- Ask a question that requires command of the English language and is not based on math.
- Avoid yes/no or true/false questions.
- For example "What mooing animal gives milk?" The answer is obviously a cow, but Engrish speakers may be stumped, and bots won't have a clue. And if somebody is too stupid to know the answer, I don't really want them on my forum anyway.
- Use the stopforumspam plugin, which ties in the popular anti-spam site.
- Block known "bad IPs" at the server level.
- If server blocking is unavailable, then block known "bad IPs" at the vBulletin level, using the "user banning options" under the vBulletin options in your admincp.
- Have an active staff on your site daily -- even if it's just 1-2 people that help with nothing more than anti-spam duties. Understand that smaller sites don't necessarily get less spam than large ones.
If it comes as any consolation, at least vBulletin is less spam-friendly than shoddy open-source code like phpBB2 or even phpBB3. There is a very active and dedicated vBulletin community out there (yes, MORE ACTIVE than phpBB), offering both free and for-pay products.
*It's good security to not only change admincp to something else, but to password-protect it, too!