Even if this works to fix the problem (I'm not sure if it does or doesn't), isn't there still the issue that someone can simply register and then spam that way?
On vbulletin.com, this discussion came up regarding VB3. The vBulletin staff member acknowledged that this was an exploit and couldn't be stopped completely without a code change, but said that VB3 is too obsolete for them to be patching at this point.
So I'm going to assume that no settings would fix this problem.
I still think one is safest with the code change, as that absolutely 100% solves it (since the functionality is gone). However, the one problem with code changes is that you may lose it when you upgrade to another vBulletin version.
No spammers can register on my site ever also to use my blog, you need to be in a special group that I put only trusted members. There are many default settings built in to vb that you can do without changing the coding