Security issue – post by unregistered user

An unregistered user has managed to post. It’s not live but awaiting moderation, however they shouldn’t be able to get that far should they? This is the scenario/setup:

• posts are restricted to registered users
• “Anyone can register” is unselected
• I’ve not had any register requests
• There are only 2 registered users
• Also checked the wp_users MySQL table, only 2 users
• The site is not easy to find (content only intended as read-only for a group of friends) address is not published and is in a subdirectory of the domain. robots.txt is set to disallow search robots
• Post via e-mail NOT enabled
• “Users must be registered and logged in to comment” ticked
• Only one plugin enabled (PWA+PHP Picasa Web Albums for WordPress)
• The wordpress implementation is quite basic – minimal customisation of Twenty Ten
• The post awaiting moderation is japanese and the field that would normally contain an email address contains armic-sp.si/slike/coach-b-9.html

Any idea how they achieved this and how to block in future (I have blacklisted the IP of this posting)