No system is invulnerable, so while the upgrade bought us some time, that time sadly wasn't used effectively because the problem wasn't fully understood.
Yes, our captcha and registration process are weak. I'm working on devising methods that will beef up the Registration process and make it more difficult for bots to be able to register accounts (by sticking them in a bucket and validating the information -before- sending them a confirmation email, for example). I'll also be upgrading the registration captcha schema as well as the post validation captcha schema.
Any accounts that are questionably able to pass pre-confirmation email in the registration process will go directly into "Moderated Posts" status to further buffer any suspicious (but not out-right verifiable) accounts.
I'm also going to see about adjusting some of the privileges available to newer members, such as instituting a "Minimum Post Count" level in order to view extended member information (Such as E-Mail, for anybody that elects to show it) and what not. As well, while there will be a minimum post count fro regular posts to require passing the captcha, that number will be higher for any posts that include any external links, to hopefully guard against any human created accounts that are then turned over to spam-bots.
Any accounts that fail validation or become flagged in their Moderation Status as belonging to spam accounts, even when deleted, will still have their pertinent details stored in a "failed or banned" category to build a better anti-spam registration process as well as provide the opportunity for any mistaken ban/deletes to be more easily undone.
Naturally, all of that is a LOT of work, so it may take a while after the 2.0 Final upgrade for the forum software foes live. In the meantime, while I'm doing it manually, I am employing a lot of the processes for checking IP/Emails/Domains that the intended modules will use to gauge their over all success rate (which lead to me discovering that their biggest flaw is that not one of them checks the valid members database prior to issuing a ban, which I need to correct for before I deploy them). So far, the results are pretty positive with so far only 6 "accidents" (out of over 6000+ "accounts")
