Also issue commands:

Q NETWORKER FOR userid@node

for additional possible clues.

Have them CC: you when they attempt to post to the list.  Look at all
RFC822 headers.  See if they have a SENDER: address different from their
FROM:  This is sometimes problematic esp. on "controlled" lists.

What does the LISTSERV log say about these attempted posts?