Email validation is just "enter your email address and submit". Upon submit, the applicant gets an html page that says to check their email, and when received, click the link on that page that goes to the next step). My server sends an email response to that addy that includes a random 6-digit number (along with apologies if the addy is not the right one for the submitter) , and I get a copy that goes into my "access pending" folder.
The 2nd step is a series of questions on a form - includes a space to enter their email address and the number that was sent, along with their answers to the questions. When the applicant submits, they get another page that says to watch their email for credentials (could be a day or two), and that form comes to me in an email - I then can match the email address and number from the first and second emails to verify the supplied addy is real, and decide whether the applicant gets access to the forum area. If so, I email their credentials to the directory (unique for each - username and password related to their personal information) to them, and the link to the forum home page where they can register for the forum...
As a result I have virtually no forum moderation tasks to perform, subsequently - no "bad behavior' to concern myself with.
And for the record, my questions themselves screen out a lot of undesirable folks, the questions pertain to the subject of the forum and if they aren't familiar with the subject they can't answer them appropriately - I rarely get a 2nd step response from someone who is subsequently denied access, and my ratio of first email to second email is about 5 to one.
My logs show quite a few "gets" on the menu page that has the application link - maybe 200 a day from unique IPs - about 30% being spiders - and I'll get maybe 5 emails a week from the 1st application step.
My process (for the particulars of *my* forum) weeds out the bad actors and 'lookie-loos', before they ever get to the forum - or even complete the process.
So @Spuds, I posted this in response to your query "Since 1.0 we have provided "Bad Behavior" anti spam functionality included. I'm curious if this is still useful to anyone.", so you would understand why I wasn't responding to it..
[if anyone is curious to see this in action, PM me for a link]